A trend that has long been on the rise is finally having its day. A recent industry report revealed that 91% of security professionals believe that ultimate accountability for cybersecurity incidents lies with the board itself, not with CISOs or security managers.
If the security discussion hadn’t fully made its way into C-suite conversations before, it has now.
The Chartered Institute of Information Security (CIISEC)’s new State of the Security Profession survey checks the pulse of the industry where cybersecurity regulation is concerned. It emerges with one clear, overarching sentiment: “the buck stops with the board.”
Out for Blood? Or a Fair Point
Those in the profession understand that security managers are beholden to their CISOs, and CISOs answer to the powers that hold the purse strings.
Countless blogs have been written about “gaining buy-in for your security objectives” and how to persuade those at the table to give in to reasonable security accommodations. For so long, a convincing (but indirect) appeal to the business bottom line has been espoused as a way for executives to see how such improvements would relate to them.
However, today’s calls for legal action would leave no room for ambiguity. According to the survey:
Over half (56%) believe board members should face sanctions, prosecutions, or fines for serious cybersecurity incidents.
69% say that the compliance regulations currently in place – such as NIS2, DORA, and the Cyber Security and Resilience Act – don't go far enough.
What are some of the positive changes professionals wanted to see? Mandatory, responsible disclosure and improved data sharing between organizations, for starters.
Where NIS2 and DORA Stand on Accountability
Given the industry’s decisive stance, it is worth picking apart where cyber incident responsibility currently lies per today’s security mandates. Let’s look at NIS2 and DORA as examples.
NIS2
Under NIS2, the unifying piece of cybersecurity legislation applicable to all 18 critical sectors across the EU, non-technical senior managers could be held accountable for data breaches, with repercussions such as administrative fines or dismissal.
Specifically, Article 20 states:
“Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk‑management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.”
The “can” perhaps leaves some wiggle-room (is liability debatable in the event of a data breach, then?), and the article only requires the “management bodies” to approve the company’s cybersecurity risk-management measures in compliance with the directive. As practitioners understand, compliance does not automatically equal security; what if a data breach occurs outside the scope of the requirements? Is there still some form of automatic accountability, and under what circumstances or regulation?
DORA
The EU’s Digital Operational Resilience Act (DORA), applicable to the BFSI sector, states in Article 17 that managers must be informed of any cyber incidents, but not necessarily included in the pre-emptive processes. It reads:
“Financial entities shall ensure that at least major ICT‑related incidents … are reported to relevant senior management and inform the management body of at least major ICT‑related incidents, explaining the impact, response and additional controls to be established as a result of such ICT‑related incidents.”
This means that any ties to accountability are tenuous at best. While senior managers may bear some liability for company actions once informed of the breach, DORA does not specify any responsibility of management for ensuring the proper security precautions were in place beforehand. However, it is interesting to note that DORA is “lex specialis” to NIS2, which means that certain NIS2 requirements apply to financial institutions as well.
Will Boards Be the Only Ones Facing Increased Responsibility?
Interestingly, when asked if individual employees who violated company policy should be held accountable, only 34% said yes. It seems the pendulum has swung not only in favor of shared responsibility, but perhaps absolute responsibility on the part of the C-suite.
As stated by CIISEC CEO Amanda Finch, “If the buck stops with senior management – as the survey makes clear – our profession must take a more collaborative approach to security, ensuring the board is aware of the risks and included in major decisions.”
Now it becomes incumbent on security professionals to correctly and completely inform board members of all possible risk vectors and security threats—or perhaps lawsuits for withheld information and a backlash on security stakeholders could ensue.
Great power might demand great responsibility, but putting executives in the hot seat also means they are entitled to all the power that full cybersecurity disclosure can (and must) provide. In other words, if they are to take full responsibility, they need full access to all the relevant information.
Are security professionals ready to deliver that? Given the tools they currently have in their security stacks, are they able to? These questions and more are sure to come out of the Pandora’s Box that any “absolute” board liability might open.
Do Boards Have What They Need to Succeed?
It looks like non-technical board members may be on the public perception chopping block when it comes to cyber incidents and data loss. This sentiment may be enough to push today’s cybersecurity regulations to include such responsibility in future versions. And this might increase the cybersecurity burden all the way around.
Which could only be a good thing.
In theory, anyway. The hard part will be putting all that transparency, risk analysis, information sharing, and cybersecurity disclosure into practice. To make the right decisions, board members will need the right information. To provide the right information, practitioners will need the right tools.
From vulnerability management to DSPM, penetration testing to red team engagements to risk assessments, companies will need to beef up their security stacks with the solutions that can give them a full and comprehensive view of their risk tolerance and the threats they face—and deliver that to the executives who may ultimately stand trial.
Who knows? Maybe one day board members will be breathing down CISOs’ backs to get it done.