More than 60% of infosec professionals said they believe that the impending General Data Protection Regulation (GDPR) will protect EU citizens, and 69% said that similar laws would protect those in the US, according to a Tuesday report from security firm AlienVault.

AlienVault surveyed some 760 infosec professionals at the 2018 RSA Conference in April. Some 75% of respondents said they support additional regulations on social media platforms, in light of the Facebook/Cambridge Analytica scandal.

GDPR has impacted company budgets, the report found: 22% of infosec professionals said that their organization’s security and privacy budget increased “significantly” to meet the needs of GDPR, while 37% said that their budget increased “slightly.” Another 33% said their spending did not increase at all, the report found, while 8% said that it decreased.

When it comes to who is responsible for a major privacy incident at a company, respondents said that ideally, culpability should be evenly split between the board of directors, the CEO, and the CISO. However, the largest group (27%) said that in reality, the CISO would be most likely to be held liable in the event of a major intrusion, followed by the CEO (23%).

The largest discrepancy was seen in the board of directors, the report found: While 24% of those surveyed said they believe the board should carry some of the responsibility for a privacy breach, only 12% said they believe the board would actually be held accountable.

“Cyber security has come a long way from the days of merely being an IT function. It is very much embedded as a fundamental business requirement,” the report stated. “However, the scope and impact of its responsibility haven’t evolved at the same pace – or at least haven’t appeared to do so. Which is why it appears that the CISO will bear the brunt of the blame in the event of an incident.”

For most companies, the C-Suite is aware of the potential negative impact of a cyber breach, the report found. Some 57% of infosec professionals said senior management is “very concerned” about security, while 31% reported that they were “somewhat concerned.” Only 8% said they were “not very concerned,” and just 4% said they were “not concerned at all,” according to the report.

GDPR requires strong threat detection and response. Most professionals surveyed were confident in their detection abilities, with 65% reporting that they would be able to report a privacy breach within 72 hours of becoming aware of it, a requirement under GDPR.

However, companies face challenges detecting threats when they occur: 28% of infosec workers said they were often able to detect a threat only after it had manifested as a business issue, and only 24% said they were able to detect and respond to all types of security issues.

Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • 61% of infosec professionals said they believe that GDPR will protect EU citizens. — AlienVault, 2018
  • 22% of infosec professionals said that their organization’s security and privacy budget increased “significantly” to meet the needs of GDPR. — AlienVault, 2018