Will you see the next cyber risk coming?


We share highlights from the EY Swiss Cybersecurity Leadership Insights Study and explore how Swiss companies compare at a global level.


In brief

  • EY surveyed Swiss cyber leaders to understand their organizations’ cybersecurity maturity and posture in the face of current and future threats.
  • While Swiss players share many concerns – like the number of attack surfaces – with global peers, their approach and responsiveness differ in some respects.
  • Overall, Swiss organizations have significantly fewer annual incidents and respond to those that do occur more quickly than average.

For all the enthusiasm around technological advances, there’s also a flip side. As companies embrace the latest technology to create value, adversaries are weaponizing it to increase the speed and scale of their attacks. And the trend is accelerating: the EY 2023 Global Cybersecurity Leadership Insights Study found that organizations worldwide have seen cyberattacks increase by around 75% over the past five years.




As the impacts — financial, regulatory and reputational — of cyberattacks mount, we wanted to understand how Swiss companies specifically are faring in the cybersecurity space and how they compare to global peers. We extended the EY 2023 Global Cybersecurity Leadership Insights Study to focus specifically on the Swiss market.

Companies around the world face evolving challenges in managing the cyber threats of today and tomorrow. Nevertheless, well over half (57%) of CISOs in Switzerland consider their organization to be well-positioned to address future threats; globally, 46% of CISOs said the same.


The global survey revealed “too many attack surfaces” as the biggest internal challenge to respondents’ cybersecurity approach, alongside the challenge of balancing security and speed. This rings true for Swiss companies as well. In terms of risk, Swiss companies share global concern around cloud at scale, with 39% flagging it as their primary concern. Artificial intelligence and machine learning also stand out as major security risks for Swiss companies, with 36% viewing these topics as a primary concern and 54% as a secondary one. It’s an interesting dilemma: emerging tech is driving the transformation of many organizations, yet it also creates new openings for cyber breaches. It also highlights the importance of aligning business and cybersecurity strategies at every level of the organization.


More than three-quarters (76%) of companies worldwide take more than six months on average to detect cyber incidents – and face an average of 44 significant cyber incidents per year. Swiss-based companies have fewer annual incidents – just 14 on average – and also respond to those that do occur more quickly (under five months on average). This comparatively strong performance may explain why Swiss CISOs are significantly more satisfied with their overall cybersecurity approach (71% compared to 42% globally). Despite their comparative responsiveness, half of Swiss study participants raise the alarm about the ability of their cybersecurity defenses to meet evolving cyber threats quickly enough. This perhaps reflects as much on the pace of change in general as it does on Swiss companies’ ability to respond.

 

People and culture

The Swiss survey results highlight the role of people in what is at first glance a tech-driven topic. Security leaders widely acknowledge the potential for human error as a major weakness. This is why companies should invest in a strong security culture through training and awareness campaigns – and it’s also why malevolent forces so often target the human interface.

Six in 10 Swiss cyber leaders polled reported a lack of adherence to cybersecurity best practices among the non-IT workforce as one of the biggest internal challenges (ranking at number 4 out of 8), mirroring the results of the global survey. In addition, only six in 10 Swiss-based companies are satisfied with the effectiveness of their cybersecurity training programs, only slightly more than the global average (50%). These findings point again to the need for better collaboration between IT and other business functions.


Staying on the people theme, companies are experiencing significant workforce gaps as the supply of qualified staff fails to keep up with demand. Against this backdrop, CISOs are looking beyond their current organizational chart to fill their growing cybersecurity talent needs. Globally, many firms see outsourcing as a key solution to the lack of skills and resources. Switzerland’s CISOs prefer to upskill the current cyber workforce and automate security processes to gain efficiency in security management. They are also investing in the retention and recruitment of cybersecurity employees. These measures are at the core of their talent strategy, with 71% saying these are significant or top priorities to prepare for future threats. This commitment to sustainable solutions rather than short-term fixes shows that Swiss companies are keen to lay a solid foundation to meet ongoing and evolving cyber needs.

This human-centric approach also goes hand in hand with the idea that technology alone cannot solve cybersecurity issues – a consensus among the Swiss CISOs. In addition, the majority (89%) agree that cybersecurity incidents will have a greater impact on physical assets in the real world in the next few years. Most (86%) agreed that the war on cybersecurity can’t be won. Instead, companies can only learn to adapt faster than malicious actors.

Cybersecurity the Swiss way

Switzerland is known for a certain degree of caution and a preference for the “middle way” in many situations. We see this to some extent in the Swiss participants’ responses to our study, which once again highlights the role of culture in the cybersecurity space.


Only 43% of Swiss enterprises consider themselves early adopters of emerging technology compared to the global average (65%). Although they’re willing to embrace advanced technology – such as AI or ML, SOAR, DevSecOps, and cloud orchestration and automation – they tend to wait until technology has been tried and tested elsewhere before adopting it themselves. They also tend to focus on technology that supports automation, simplification and streamlining of processes.

By embedding cybersecurity throughout the organization and embracing simplification, Swiss CISOs support positive behaviors that both protect and create value for their organization. Beyond the pure tech aspect, many also adopt specific strategies for managing complex attack surfaces across cloud, on-premise and third parties.

From defenders to creators of value

We believe that cybersecurity plays an important role in value creation, be that through greater trust from customers and suppliers or confidence to harness the benefits of ecosystems and partnerships without incurring risks. It means CISOs are creators, not just defenders, of value. Their approach to cybersecurity positively impacts their organizations’ ability to transform at pace, respond to market opportunities and focus on creating value.

Key action points emerging from the global and Swiss surveys include:

Summary

Cybersecurity leaders around the world are grappling with present and anticipated cybersecurity threats. While Swiss companies appear to perform above average across various criteria, they still face ongoing challenges. To balance security and speed, Swiss CISOs should focus on simplicity, holistic thinking and organization-wide integration of cybersecurity considerations.

Acknowledgment

Many thanks to Marc Wettering for his valuable contribution to this article.
