Cyberattacks have long since become part of everyday life for companies, public authorities and critical infrastructures. According to the Swiss National Cyber Security Centre (NCSC), a total of 49,380 cyber incident reports were received in 2023 – around 30 percent more than in the previous year. Hospitals, municipalities and numerous SMEs were affected.
Why not every company has a CISO
Despite growing risks, many firms still lack a CISO function. The Security Priorities Study 2024 by CSO shows that only 45 percent of North American companies have appointed a CISO. SMEs in particular struggle to allocate sufficient resources for their own security leadership. According to an ENISA study, this also applies to Europe.
Companies with a CISO function demonstrably involve their boards of directors more strongly in security matters – as confirmed by the State of the CISO 2024 report by IANS.
A political question: Where the CISO is placed
The organizational anchoring says a lot about how seriously a company takes cyber risks. If the CISO reports to the CIO, security is often regarded as an IT cost factor. If assigned to the CSO, cybersecurity is treated as part of physical security. The clearest signal is when the CISO reports directly to the CEO or the board – as envisaged by the EU NIS-2 Directive.
Fields of responsibility under real pressure
The CISO’s role extends from prevention and governance to crisis management. Swiss cases highlight the urgency: the municipality of Rolle (VD) was paralysed for weeks in 2021 following a ransomware attack (Le Temps). With the revised Swiss Data Protection Act (revDSG), stricter transparency obligations have applied since September 2023. And the MOVEit hack in summer 2023 exposed the vulnerability of global supply chains.
Competence profile: More than just technology
A CISO must be able to connect technology and strategy. FINMA requires financial institutions to implement systematic ICT risk management at executive board level. Internationally recognised certifications such as CISSP, CISA or CCSP are also widely established in Switzerland and signal expertise and continuous professional development.
Different requirements by industry
The CISO role varies by sector. In healthcare, hospitals are a prime target for ransomware (ENISA). In finance, banks must disclose cyber risks in their internal control systems (FINMA Annual Report 2023). SMEs, on the other hand, have limited resources and often focus on implementing basic measures such as multi-factor authentication.
Flexible models: CISO as a Service and CISO on Demand
Not every company can afford a full-time CISO. That is why many firms rely on CISO as a Service (CISOaaS) or CISO on Demand. According to the Cynomi 2024 study, more than 70 percent of managed security providers report increasing demand for these models. Given that 99 percent of Swiss companies are SMEs, these models provide a pragmatic solution.
Conclusion
The CISO is far more than a technical specialist. He or she is a translator between technology, risk and strategy – and therefore indispensable for any company. Whether firmly embedded in the executive team or as a service model: the question is not whether a company can afford a CISO, but whether it can afford not to have one.
CISO as a Service – your next step
Not every company has the resources to permanently fill a CISO position. This is precisely where our CISO as a Service offering comes in. You gain access to experienced security experts who flexibly support your company as needed – from cyber strategy and governance to operational crisis management.
This way, you benefit from the same expertise as with a permanent CISO – in a model that adapts seamlessly to your size and budget. Contact us for a non-binding conversation.
Key Take-away – Act now, don’t wait
Strengthen your resilience with a clear accountability model: establish the CISO function, regularly involve the board, consistently implement basic measures (MFA/Passkeys, segmentation, backup resilience) – and, if resources are lacking, use CISO as a Service as a scalable solution.


