No longer a marginal topic: cyber security in executive suites
In 2022, 2024 and 2025, Sophos surveyed C-level executives on cybersecurity issues as part of its major management study. The results show an increasing awareness among managers (beyond IT specialists) and a development from initial composure to strategic relevance and personal concern.

The Sophos management study «Boss, how do you feel about cybersecurity?» shows how the perception, responsibility and personal proximity of senior management to the topic have changed over three survey years (2022, 2024, 2025). Cybersecurity is now established at management level and remains a topic that concerns and worries bosses in equal measure.
2022: High self-confidence, low insecurity
In 2022, 32.3% of companies in Germany, 37.3% in Austria and 47.1% in Switzerland confirmed that the relevance of IT security had increased further. Nevertheless, cyber security was still predominantly seen as an operational IT task at the time; only 1.9% of companies with more than 200 employees placed responsibility at management level.
Despite the tense global political situation and the war in Europe, which was also fought at the cyber level early on, many companies still reacted relatively calmly. Only around a third of the managers surveyed reported that the geopolitical situation had sharpened their focus on IT security.
The majority, on the other hand, felt that their company was well positioned in terms of cyber protection: 53% of smaller companies and almost 70% of larger companies did not (yet) see any reason to rethink their security awareness or the strategic importance of cyber security. Many assumed that their existing measures were sufficient and that there was no need for additional action. This suggests that although cyber security was considered relevant in 2022, it was not yet perceived as an acute strategic challenge.
2024: Cybersecurity gains strategic importance
In the 2024 survey, cyber security was increasingly seen as a business factor. In Germany, 55% of managers considered it to be very important for their business relationships, while 46% in Austria and 60% in Switzerland said the same. A further 28 percent of German, 34 percent of Austrian and 32 percent of Swiss managers rated the topic as important. The figures indicate that cyber security was more strongly linked to trust, cooperation and corporate stability.
2025: Cyber security reaches top management
This year's survey shows that cyber security is not only strategically established, but has also moved closer to management levels. In Germany, 29.5% of C-level managers were personally involved in resolving a cyber security incident within the past six months; in Austria, this figure was 26% and in Switzerland 34%. A further 32 percent of German, 34 percent of Austrian and 20 percent of Swiss managers reported a personal experience from longer ago. At the same time, many confirm that operational incidents are still predominantly dealt with below the top level: this was stated by 36 percent of German, 38 percent of Austrian and 42 percent of Swiss respondents. This suggests that although strategic responsibility and operational implementation are converging, there is still a division of tasks: the strategic guidelines are created at the top, while the actual operational implementation takes place predominantly at downstream levels.
State attacks move into the spotlight
What is striking is the increased sensitivity to geopolitical risks. Media reports on state-organized cyberattacks seem to be more unsettling today than they were in 2022. Although cyber protection is now seen as an integral part of corporate management, many managers are not indifferent to the current threat situation: 27.5 percent of German, 30 percent of Swiss and 36 percent of Austrian managers report in 2025 that they are unsettled by such reports. This may indicate that geopolitical dynamics are now having a greater impact on management than just a few years ago.
Investments increase, demands on partners grow
Almost half of companies in Germany (47%) and Switzerland (48%) and as many as 60% in Austria have also significantly expanded their IT security measures according to the figures from 2025. At the same time, demands along the supply chain are increasing and explicit requirements are being established for partners: Austria is the frontrunner here with 36%, followed by Switzerland (22%) and Germany (16.5%).
DACH comparison: same trend, different pace
Overall, the three survey years indicate an important change: cyber security has become an integral part of responsible corporate management. Management teams in the DACH region are reacting more sensitively to threat situations, making more targeted investments and also taking a more personal approach to the topic. The pace of this development differs between the three countries: Switzerland shows a particularly high level of sensitivity across the board, Germany emphasizes the long-term relevance of the topic above all in 2025, and Austria shows the strongest reaction to current geopolitical tensions, which is reflected in both higher levels of uncertainty and more pronounced investments.
Source: Sophos



