Brian Sims
Editor

Security Regulation: Where Does the Buck Stop?

THE CHARTERED Institute of Information Security recently conducted its annual State of the Security Profession Survey, contacting its own members and practitioners across the wider security community for an overview of the latest industry trends. Amanda Finch examines the outcome.

This year, with a wave of major regulations either recently passed or coming into force (including the European Union’s AI Act, DORA, NIS2 and the UK’s own Data (Use and Access) Bill), we focused on the topic of regulation.

It’s important to remember that regulations are not imposed to make the security profession more challenging, although sometimes it may feel that way. Rather, they’ve been developed in order to help address failures from the past, close gaps that have previously been overlooked and, what’s more, establish a minimum standard across the industry.

Other professions and business functions show how effective regulations can be, and notably so when they’re established and understood. For example, financial reporting has become more accurate due to regulations such as the Sarbanes-Oxley Act 2002. The General Product Safety Regulations 2005 raised the bar for the quality of manufactured products. The Health and Social Care Act 2008 laid the groundwork to ensure that healthcare services reach minimum standards in the UK.

More recently, and following the Grenfell Tower tragedy, the Building Safety Act 2022 introduced stronger Building Regulations, created a dedicated Building Safety Regulator and ensured tougher degrees of accountability for those responsible for high-rise residential buildings.

These laws have been introduced to protect citizens, improve their quality of life and ensure that businesses can be held accountable for irresponsible actions. As cyber security matures as a profession, we should view increased regulation not as a burden, but as a sign of progress.

Barometer of the landscape

Our survey reflects this sentiment, offering a first-hand barometer of the current regulatory landscape, asking about the strength of current laws and accountability for breaches. The results make it very clear that, when it comes to regulations and compliance, the buck stops with the Board.

91% of those professionals surveyed in the information security sector believe that ultimate responsibility for security lies with the Board and not security managers or Chief Information Security Officers. 56% suggest that senior management should face consequences such as sanctions, prosecutions or fines for serious cyber incidents. Only 34% feel that the specific employee who breached policy should be held responsible.

In parallel, 69% believe that current laws are still not strict enough, with the Cyber Security and Resilience Act, DORA and NIS2 being cited as having the most significant impact on the profession.

In an increasingly regulated world – where industry experts are actively calling for even stricter laws – the security profession must rise to meet the challenge.

Enhanced data sharing

Respondents pointed towards enhanced data sharing between organisations and mandatory responsible disclosure as immediate actions the profession can take towards regulatory maturity. In the longer term, professionalisation across the industry also featured highly among respondents’ replies.

If the buck stops with senior management – as the survey makes clear – then our profession must adopt a more collaborative approach towards security, ensuring the Board is aware of the risks and included in major decisions. This means more learning for cyber security professionals, improved understanding of regulations and better communication of risk to stakeholders who sit outside the security function.

Increased professionalisation can help security professionals to achieve these goals. Chartering is the perfect way to validate this progress. Much in the same way that doctors gain recognition through further training, raising the bar through chartering equips cyber security professionals with the skills and credibility to drive compliance and navigate an evolving regulatory landscape with confidence.

Amanda Finch is CEO of the Chartered Institute of Information Security (www.ciisec.org)
