From cybersecurity to national security
10th September 2025 • Courtyard by Marriott Zurich North, Zurich
What must change now that cybersecurity is less about business risk and more about national resilience?
Europe’s CISOs at the frontline of the new cold war
At its meeting on 7th March, Switzerland’s Federal Council introduced a reporting obligation for cyberattacks on critical infrastructure, which came into force on 1st April. Operators of critical infrastructure will be required to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery. These reports will enable the NCSC to assist victims of cyberattacks and alert operators of critical infrastructure.
This is one piece of evidence of how seriously Switzerland is taking the hybrid warfare tactics that hostile nation states are using against the West, which can range from physical acts of sabotage such as arson to cyberattacks and disinformation campaigns.
European governments in general have come to accept that the cybersecurity of the private sector is integral to national security. Why the private sector? First, because most critical national infrastructure (CNI) is in the hands of, or relies on, the private sector. Second, because of third-party vulnerability: even wholly state-owned and state-run organisations depend on private third parties, and in any case the entire commercial ecosystem relies upon countless third-party dependencies, both known and unknown.
So, what does this heightened governmental focus on cybersecurity mean for security professionals?
Most obviously it means more investment and more concrete action to boost security. Yes, senior management is now on message, but hiring and budget statistics are not consistent with taking cybersecurity as seriously as is needed.
This requires senior business leaders to understand that everyone is now equally at risk as everyone is a potential weak link in the ecosystem of societal security ready to be exploited by a nation-state aggressor. This also means that narrow risk to the P&L is not the only measure of risk.
Mapping security spend to the (relatively low) average loss statistics might seem like sensible risk management, but it creates systemic weakness that makes those loss stats a significant underestimate. Investment must rise.
Transparency is also critical. The secrecy around security incidents is both absurd and damaging. Hackers know your defences – they are not a secret. Incident reporting does not paint a target on your back because everyone is already a target. And hiding information means everyone, including law enforcement, is underestimating losses and risks.
Transparency also means more meaningful collaboration – necessary because adversaries are good at sharing the latest ‘best practice’ and so we must be too.
And it means getting the basics right: in Switzerland recent attacks have included DDoS attacks and ransomware attacks on a wide range of state and private-sector targets. We are all now in the crosshairs and, as third parties, we are all each other’s security partners, like it or not.