A new report from the Chartered Institute of Information Security (CIISec) reveals that cybersecurity accountability is firmly shifting to the boardroom.

According to the State of the Security Profession survey, 91% of security professionals believe the board, not CISOs or security managers, should bear ultimate responsibility for cyber risks and compliance. More than half (56%) said senior leaders should face consequences—including fines, sanctions, or even prosecution—when major failures occur. By contrast, just 34% felt that employees who breach policy should be held accountable.

Amanda Finch, CEO of CIISec, stressed that the findings underscore the need for stronger collaboration between boards and cybersecurity teams. “If senior management carries the ultimate responsibility, then boards must be fully engaged in understanding risks and shaping security decisions,” she said. Finch added that this requires professionals to sharpen their knowledge of regulations and communicate risk more effectively to non-technical stakeholders.

The growing weight of regulatory scrutiny is a major driver behind this shift. With the rollout of the EU AI Act, DORA, NIS2, and the UK’s Data (Use and Access) Bill, organizations are under heightened pressure to comply with evolving standards. Finch emphasized that these frameworks are designed not to hinder businesses, but to close past gaps, establish industry-wide baselines, and protect citizens.

Still, compliance challenges remain. Earlier research showed many companies struggle with NIS2 adherence, while four in ten UK financial services firms faced difficulties preparing for DORA. Despite these hurdles, Finch urged the industry to see regulation as progress that strengthens accountability and advances cybersecurity maturity.

News Source: ITPro.com