When the people who build and defend the internet’s infrastructure call for tougher rules, policymakers and the public should take notice. A new poll from the Chartered Institute of Information Security (CIISec) reveals that a strong majority of information security professionals want more rigorous cybersecurity legislation. That consensus matters: those on the front lines see day-to-day realities that lawmakers and regulators often miss, and their perspective should shape any meaningful reform.
Why security professionals want stronger laws
CIISec surveyed practitioners across government and industry to assess whether current legal frameworks reflect operational needs. The answer was decisive: most respondents favor stricter legal obligations. Their reasons are practical and interlocking. First, consistency and clarity in legal duties help organizations set priorities and allocate scarce resources effectively. Second, clearer rules create accountability—when obligations are defined, enforcement can follow, and negligent behavior can be sanctioned. Third, baseline legal requirements can elevate cyber hygiene across sectors, reducing opportunities for opportunistic attackers.
Current regulatory responses have tended to be reactive and fragmented. High-profile breaches and ransomware outbreaks have prompted piecemeal reforms—data protection regimes such as GDPR, mandatory breach reporting in multiple jurisdictions, and tightened rules for critical infrastructure. But many security practitioners argue these efforts remain disjointed and sometimes detached from operational reality, producing gaps that attackers can exploit.
H2: Cybersecurity legislation — balancing enforceability and flexibility
Crafting effective cybersecurity legislation is a delicate balancing act. Engineers and defenders typically prefer outcome-focused rules that set clear objectives—what must be achieved—while permitting flexibility in how organizations comply. This approach recognizes the diversity of technology stacks, business models, and resource constraints across enterprises. Prescriptive mandates that demand specific technologies or configurations risk becoming obsolete as innovation proceeds, and they can impose disproportionate burdens on small and medium-sized enterprises.
Policymakers, by contrast, must ensure laws are enforceable and defensible in public debate. Legislators weigh national security, economic competitiveness, and civil liberties. Overly onerous compliance costs may provoke industry pushback, disincentivize investment, or encourage regulatory arbitrage. The ideal cybersecurity legislation thread sets measurable minimum standards, defines reporting obligations, and includes proportionate penalties—while providing pathways for smaller organizations to meet requirements without being driven out of the market.
Trade-offs and stakeholder perspectives
Different stakeholders emphasize different trade-offs:
– Technologists: favor measurable standards, realistic timelines, and recognition of resource constraints. They warn against rigid rules that fail to evolve with technology.
– Policymakers: seek clarity and enforceability. They must also secure political legitimacy for any new legal regime.
– Businesses: want reduced legal uncertainty and alignment between board-level incentives and operational risk management. Clear obligations can simplify governance and investment decisions.
– Consumers: expect better protection from identity theft, fraud, and service disruption. But public support often depends on visible benefits, not just compliance checkboxes.
– Adversaries: may be deterred by stronger baseline defenses, but standardization risks creating monocultures that skilled attackers could exploit.
Implementation hurdles that matter
Even well-designed laws face implementation challenges. International coordination is essential: multinational firms require harmonized rules to avoid contradictory obligations across borders. Enforcement capacity is often limited—regulators need technical expertise and resources to investigate incidents, adjudicate disputes, and impose penalties fairly. Workforce shortages and skills gaps compound the problem; more stringent laws without investment in training and hiring won’t produce better security.
There are promising models to consider. Some jurisdictions combine sector-specific obligations for critical infrastructure with cross-cutting requirements—mandatory incident reporting, minimum security controls, and third-party risk management. These rules are reinforced by meaningful penalties for noncompliance. Public-private partnerships and information-sharing arrangements can strengthen these legal frameworks by improving collective defenses and aligning incentives between regulators and industry.
What CIISec’s poll should change in policymaking
CIISec’s survey doesn’t prescribe a single policy blueprint. Its significance lies in the collective judgement of professionals who manage cyber risk day-to-day: they believe current frameworks are insufficient and want change. That judgment should influence legislative debates rather than be dismissed as another stakeholder demand.
If governments respond, success will hinge on crafting rules that are clear yet adaptable, enforceable yet equitable, and matched by investments in regulatory capability and workforce development. Otherwise, new laws risk becoming bureaucratic checklists that fail to improve security—or worse, they could squeeze smaller operators out of compliance without materially reducing adversary success.
Conclusion: moving from whether to how
As cyber threats multiply and the costs of failure rise, the policy question shifts from whether to regulate more to how to regulate wisely—and quickly enough to make a difference. Cybersecurity legislation must reflect operational realities, preserve room for innovation, and include enforceable mechanisms and capacity-building to back it up. When practitioners warn that current frameworks fall short, policymakers should heed that warning before the next major incident forces reactive, less-considered action.




