We recently conducted our annual State of the Security Profession survey, polling our Members and the wider security community on the latest industry trends. This year, with a wave of major regulations either recently passed or coming into force – including the EU AI Act, DORA, NIS2 and the UK’s Data (Use and Access) Bill – we focused on the topic of regulation. This blog is the first in a two-part series exploring the key findings from our survey.
It’s important to remember that regulations aren’t imposed to make the security profession more challenging, although sometimes it may feel that way! They have been developed to help address failures from the past, close gaps that have previously been overlooked and establish a minimum standard across the industry. Other professions and business functions show how effective regulations can be, especially when they are established and understood.
For example, financial reporting has become more accurate due to regulations like the Sarbanes-Oxley Act 2002. The General Product Safety Regulations 2005 raised the bar for the quality of manufactured products. The Health and Social Care Act 2008 laid the groundwork to ensure health services reach minimum standards in the UK. More recently, and following the Grenfell Tower tragedy, the Building Safety Act 2022 introduced stronger building regulations, created a dedicated Building Safety Regulator, and ensured tougher accountability for those responsible for high-rise residential buildings. These laws have been introduced to protect citizens, improve their quality of life and ensure that businesses can be held accountable for irresponsible actions. As cyber security matures as a profession, we should view increased regulation not as a burden but as a sign of progress.
Our survey reflects this sentiment, offering a first-hand barometer of the current regulatory landscape, asking about the strength of current laws and accountability for breaches. The results make it very clear that when it comes to regulations and compliance, the buck stops with the board:
- 91% of the profession believe ultimate responsibility for security lies with the board, rather than with security managers or CISOs (named by just 31%).
- 56% say senior management should face consequences such as sanctions, prosecutions, or fines for serious cyber incidents. Only 34% believe the specific employee who breached policy should be held responsible.
- 69% think current laws are still not strict enough, with the Cyber Security and Resilience Act, DORA, and NIS2 cited as having the most significant impact on the profession.
In an increasingly regulated world – where industry experts are actively calling for even stricter laws – the security profession must rise to meet the challenge.
Respondents pointed to enhanced data sharing between organisations and mandatory, responsible disclosure as immediate actions the profession can take towards regulatory maturity. But in the longer term, professionalisation across the industry also featured highly.
If the buck stops with senior management – as the survey makes clear – our profession must take a more collaborative approach to security, ensuring the board is aware of the risks and included in major decisions. This means more learning for cyber security professionals, improved understanding of regulations and developing better communication of risk to stakeholders outside of the security function.
Increased professionalisation can help security professionals to achieve these goals and chartering is the perfect way to validate this progress. Much in the same way that doctors gain recognition through further training, raising the bar through chartering equips cyber security professionals with the skills and credibility to drive compliance and navigate an evolving regulatory landscape with confidence.