7 minute read 12 Dec 2023

Will you see the next cyber risk coming?

Authors
Tom Schmidt

Partner, Financial Services Cybersecurity Competency Leader | EMEIA, Cybersecurity Leader, Financial Services | EY Switzerland

Focusing on all aspects of Information Security, Cybersecurity, and IT risk management. Passionate about traveling the world and engaging in various sports.

Marc Minar

Director, Cybersecurity in Financial Services | EY Switzerland

Member of the Swiss Cybersecurity Leadership Team in EY's EMEIA Financial Services Consulting practice. Licensed pilot and passionate golf player.

We share highlights from the EY Swiss Cybersecurity Leadership Insights Study and explore how Swiss companies compare at a global level.

In brief

  • EY surveyed Swiss cyber leaders to understand their organizations’ cybersecurity maturity and posture in the face of current and future threats.
  • While Swiss players share many concerns – like the number of attack surfaces – with global peers, their approach and responsiveness differ in some respects.
  • Overall, Swiss organizations have significantly fewer annual incidents and respond to those that do occur more quickly than average.

For all the enthusiasm around technological advances, there’s also a flip side. As companies embrace the latest technology to create value, adversaries are weaponizing it to increase the speed and scale of their attacks. And the trend is accelerating: the EY 2023 Global Cybersecurity Leadership Insights Study found that organizations worldwide have seen cyberattacks increase by around 75% over the past five years.

As the impacts — financial, regulatory and reputational — of cyberattacks mount, we wanted to understand how Swiss companies specifically are faring in the cybersecurity space and how they compare to global peers. We extended the EY 2023 Global Cybersecurity Leadership Insights Study to focus specifically on the Swiss market.

  • About the research

    The EY 2023 Global Cybersecurity Leadership Insights Study was developed to better understand how companies are approaching their organization’s cybersecurity to prepare for the cybersecurity threats of today and tomorrow. In February and March 2023, the global EY organization surveyed 500 C-suite and cybersecurity leaders across 19 different sectors and 25 countries. Results refer to the respondents’ reflections on the calendar year 2022.

    The same study was conducted specifically within the Swiss market and draws on insights from 28 Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) across eight groups of industries in summer 2023.

Companies around the world face evolving challenges in managing the cyber threats of today and tomorrow. Nevertheless, well over half (57%) of CISOs in Switzerland consider their organization to be well-positioned to address future threats; globally, 46% of CISOs said the same.

The global survey revealed “too many attack surfaces” as the biggest internal challenge to respondents’ cybersecurity approach, alongside the challenge of balancing security and speed. This rings true for Swiss companies as well. In terms of risk, Swiss companies share global concern around cloud at scale, with 39% flagging it as their primary concern. Artificial intelligence and machine learning also stand out as major security risks for Swiss companies, with 36% viewing these topics as a primary concern and 54% as a secondary one. It’s an interesting dilemma: emerging tech is driving the transformation of many organizations, yet it also creates new openings for cyber breaches. It also highlights the importance of aligning business and cybersecurity strategies at every level of the organization.

Satisfaction: 71% of Swiss CISOs are satisfied with their overall cybersecurity approach.

More than three-quarters (76%) of companies worldwide take more than six months on average to detect cyber incidents – and face an average of 44 significant cyber incidents per year. Swiss-based companies have fewer annual incidents – just 14 on average – and also respond to those that do occur more quickly (under five months on average). This comparatively strong performance may explain why Swiss CISOs are significantly more satisfied with their overall cybersecurity approach (71% compared to 42% globally). Despite their comparative responsiveness, half of Swiss study participants raise the alarm about the ability of their cybersecurity defenses to meet evolving cyber threats quickly enough. This perhaps reflects as much on the pace of change in general as it does on Swiss companies’ ability to respond.

People and culture

The Swiss survey results highlight the role of people in what is at first glance a tech-driven topic. Security leaders widely acknowledge the potential for human error as a major weakness. This is why companies should invest in a strong security culture through training and awareness campaigns – and it’s also why malevolent forces so often target the human interface.

Six in 10 Swiss cyber leaders polled reported a lack of adherence to cybersecurity best practices among the non-IT workforce as one of the biggest internal challenges (ranking at number 4 out of 8), mirroring the results of the global survey. In addition, only six in 10 Swiss-based companies are satisfied with the effectiveness of their cybersecurity training programs, only slightly more than the global average (50%). These findings point again to the need for better collaboration between IT and other business functions.

Staying on the people theme, companies are experiencing significant workforce gaps as the supply of qualified staff fails to keep up with demand. Against this backdrop, CISOs are looking beyond their current organizational chart to fill their growing cybersecurity talent needs. Globally, many firms see outsourcing as a key solution to the lack of skills and resources. Switzerland’s CISOs prefer to upskill the current cyber workforce and automate security processes to gain efficiency in security management. They are also investing in the retention and recruitment of cyber security employees. These measures are at the core of their talent strategy, with 71% saying these are significant or top priorities to prepare for future threats. This commitment to sustainable solutions rather than short-term fixes shows that Swiss companies are keen to lay a solid foundation to meet ongoing and evolving cyber needs.

This human-centric approach also goes hand in hand with the idea that technology alone cannot solve cybersecurity issues – a consensus among the Swiss CISOs. In addition, the majority (89%) agree that cybersecurity incidents will increasingly impact physical assets in the real world over the next few years. Most (86%) agreed that the war on cybersecurity can’t be won. Instead, companies can only learn to adapt faster than malicious actors.

Cybersecurity the Swiss way

Switzerland is known for a certain degree of caution and a preference for the “middle way” in many situations. We see this to some extent in the Swiss participants’ responses to our study, which once again highlights the role of culture in the cybersecurity space.

Wait and see: 43% of Swiss companies consider themselves early adopters of emerging technology.

Only 43% of Swiss enterprises consider themselves early adopters of emerging technology compared to the global average (65%). Although they’re willing to embrace advanced technology – such as AI or ML, SOAR, DevSecOps, and cloud orchestration and automation – they tend to wait until technology has been tried and tested elsewhere before adopting it themselves. They also tend to focus on technology that supports automation, simplification and streamlining of processes.

By embedding cybersecurity throughout the organization and embracing simplification, Swiss CISOs support positive behaviors that both protect and create value for their organization. Beyond the pure tech aspect, many also adopt specific strategies for managing complex attack surfaces across cloud, on-premise and third parties.

From defenders to creators of value

We believe that cybersecurity plays an important role in value creation, be that through greater trust from customers and suppliers or confidence to harness the benefits of ecosystems and partnerships without incurring risks. It means CISOs are creators, not just defenders, of value. Their approach to cybersecurity positively impacts their organizations’ ability to transform at pace, respond to market opportunities and focus on creating value.

Key action points emerging from the global and Swiss surveys include:

  • Simplify and streamline

    Simplify the cyber technology stack to reduce risk and improve visibility. Automation and orchestration can reduce clutter in the technology environment, allowing you to detect signals faster and respond more effectively. 

  • Standardize and automate

    Standardization and automation within supply chains can improve cyber vigilance and continuously monitor performance without adding undue bureaucracy. Security teams should be involved early in vendor selection. 

  • Communicate clearly

    The most effective CISOs translate their narrative into a storyline that resonates with the business in terms of risk buydown, business impact and value creation. 

  • Enable people

    Human error continues to be a leading cause of cyber breaches. Mature organizations combine incremental and well-designed training with automation and preventive tools to make the workforce cyber-secure by design.

  • Cultivate a cyber-secure culture

    Cybersecurity should be woven into the fabric of the organization, not viewed as an inhibitor. It drives value, instils the confidence necessary to innovate and opens new revenue and market opportunities.

Summary

Cybersecurity leaders around the world are grappling with present and anticipated cybersecurity threats. While Swiss companies appear to perform above average across various criteria, they still face ongoing challenges. To balance security and speed, Swiss CISOs should focus on simplicity, holistic thinking and organization-wide integration of cybersecurity considerations.

Acknowledgment

Many thanks to Marc Wettering for his valuable contribution to this article.
