No longer a marginal issue: cybersecurity in the boardroom
In 2022, 2024, and 2025, Sophos surveyed C-level executives on cybersecurity issues as part of its major management study. The results show a growing awareness among executives (beyond IT professionals) and a shift from initial complacency about strategic relevance to personal concern.

The Sophos management study «Boss, how do you feel about cybersecurity?» shows how perceptions, responsibilities, and personal involvement in the topic have changed among senior management over three survey years (2022, 2024, 2025). Cybersecurity is now established at management level and remains an issue that both concerns and worries bosses.
2022: High self-confidence, low uncertainty
In 2022, 32.3 percent of companies in Germany, 37.3 percent in Austria, and 47.1 percent in Switzerland confirmed that the relevance of IT security had continued to increase. Nevertheless, cybersecurity was still predominantly regarded as an operational IT task at that time; only 1.9 percent of companies with more than 200 employees placed responsibility at the management level.
Despite the tense global political situation and the war in Europe—which was already being fought on the cyber level early on—many companies reacted with relative calm. Only around a third of the executives surveyed reported that the geopolitical situation had sharpened their focus on IT security.
The majority, however, considered their companies to be well positioned in terms of cyber protection: 53 percent of smaller companies and just under 70 percent of larger companies saw no reason (yet) to rethink their security awareness or the strategic importance of cybersecurity. Many assumed that their existing measures were sufficient and that no additional action was needed. This suggests that although cybersecurity was considered relevant in 2022, it was not yet perceived as an acute strategic challenge.
2024: Cybersecurity gains strategic importance
In the 2024 survey, cybersecurity was increasingly seen as a business factor. In Germany, 55 percent of executives considered it very important for their business relationships, while 46 percent said the same in Austria and 60 percent in Switzerland. A further 28 percent of German, 34 percent of Austrian, and 32 percent of Swiss executives rated the issue as important. The figures suggest that cybersecurity was more strongly linked to trust, cooperation, and business stability.
2025: Cybersecurity reaches top management
This year's survey shows that cybersecurity is not only strategically established, but has also moved closer to management levels. In Germany, 29.5 percent of C-level executives were personally involved in resolving a cybersecurity incident within the past six months; in Austria, this figure was 26 percent, and in Switzerland, 34 percent. A further 32 percent of German, 34 percent of Austrian, and 20 percent of Swiss executives report having had personal experience with such incidents in the past. At the same time, many confirm that operational incidents continue to be handled predominantly below the top level: this was stated by 36 percent of German, 38 percent of Austrian, and 42 percent of Swiss respondents. This suggests that although strategic responsibility and operational implementation are converging, a division of tasks continues to exist: strategic guidelines are developed at the top, while concrete operational implementation takes place predominantly at lower levels.
State attacks are coming to the fore
What is striking is the increased sensitivity to geopolitical risks. Media reports about state-organized cyberattacks seem to cause greater uncertainty today than they did in 2022. Although cyber protection is now considered an integral part of corporate management, the current threat situation does not leave many executives unaffected: 27.5 percent of German, 30 percent of Swiss, and 36 percent of Austrian managers say in 2025 that such reports unsettle them. This may indicate that geopolitical dynamics are now having a greater impact on management than they did a few years ago.
Investments are increasing, demands on partners are growing
According to figures from 2025, almost half of companies in Germany (47 percent) and Switzerland (48 percent), and as many as 60 percent in Austria, have also significantly expanded their IT security measures. At the same time, demands along the supply chains are increasing and explicit requirements are being established for partners: Austria is the frontrunner here with 36 percent, followed by Switzerland (22 percent) and Germany (16.5 percent).
DACH comparison: Same trend, different pace
Overall, the three years of study point to an important change: cybersecurity has become an integral part of responsible corporate management. Management teams in the DACH region are responding more sensitively to threats, investing in a more targeted manner, and also taking a more personal interest in the issue. The pace of this development varies across the three countries: Switzerland consistently shows a particularly high level of sensitivity, Germany emphasizes the long-term relevance of the issue in 2025, and Austria shows the strongest reaction to current geopolitical tensions, which is reflected in both greater uncertainty and more pronounced investments.
Source: Sophos
This article originally appeared on m-q.ch - https://www.m-q.ch/de/kein-randthema-mehr-cybersicherheit-in-chefetagen/
