Leading with security

Nowadays, cybersecurity fails less often due to a lack of technology than due to a lack of integration into management. Although SMEs recognise the risks, implementation often lags behind. This is precisely why security-conscious leadership is needed: a combination of digital competence, entrepreneurial thinking and human-centred security.

Text: Katja Dörlemann, published on 09. December 2025

To promote cybersecurity, we need to focus on managers as human beings. Photo: Adobe Stock | Jacob Lund

The national study SME Cybersecurity 2025 reveals a paradox: while the companies surveyed recognise the urgent need for action, there is a gap between this awareness and implementation. Only 40% of companies plan to strengthen their cybersecurity measures in the next one to three years; this figure was 48% in 2024. More than half (52%) of the SMEs surveyed feel secure or very secure, but only 42% consider themselves well-prepared for an attack. Everyone recognises cybercrime to be a serious problem (88%), just not their own.

In recent years, security experts have regularly confronted executives with figures and statistics on rising cybercrime, risk analyses and the threat of financial loss. Clearly, this has not been convincing. Why? We assumed that our audience had sufficient digital skills and that the prospect of «greater security» would be enough to motivate them to invest.

Skills gap in digitalisation

As security experts, we rarely focus on digitalisation as a major driver of innovation, nor do we highlight why security is worthwhile in this context. Many people without an IT background, including most managers, lack the digital skills to consistently incorporate cybersecurity into their business strategy and daily work. This makes it even more difficult to view security not only as a cost factor, but also as a potential driver of innovation, efficiency and competitiveness.

Security as a market advantage: SMEs in the supply chain

In networked value chains, cybersecurity has long been a factor in securing new business. Large companies are paying increasing attention to the reliability of their partners and are demanding traceable standards or concrete evidence. SMEs that visibly invest in security therefore have a better chance of winning contracts, passing audits smoothly and positioning themselves as trustworthy partners. Security thus becomes a selling point and directly increases competitiveness.

Taking cybersecurity more seriously...

Cybersecurity is no longer purely an IT issue; it is now a management task. While managers do not need to become security experts, they do have a responsibility to inform themselves, make informed decisions and lead by example. It is imperative that they get on board. The SME Cybersecurity 2025 study confirms this: the IT service providers surveyed most often recommend that their customers take cybersecurity more seriously (36%). This is followed by staff training (26%) and then technical measures (15%).

Managers face many major challenges. Cybersecurity is just one of them. They need to understand their own role and how they can take concrete action.

...and actively shaping it

The level of cybersecurity in an organisation depends as much on organisational measures as on technical measures. This is why managers must play an active role in shaping cybersecurity. They have the greatest influence on the effectiveness of organisational protective measures, and therefore on the day-to-day running of the company.

It is managers who create the framework conditions that promote, simplify and reward secure behaviour. Secure behaviour is expected of employees, but it is rarely considered as part of performance targets or working hours. Reporting processes can be streamlined, employees can be given more time for training, and cybersecurity can be discussed regularly in team meetings. When designing cybersecurity strategies, managers can incorporate and address the needs of employees.

Conclusion

We need to focus on managers as people in order to promote cybersecurity in a national context and make Swiss SMEs more secure. Decisions to increase cybersecurity must offer more than just abstract statements about reduced risk and greater protection. We must demonstrate the added value clearly to them and provide concrete options for action. We must empower managers to recognise cybersecurity as a strategic component of digitalisation and their competitiveness, and to understand their important role in implementing organisational measures.


Katja Dörlemann

Awareness Specialist

Switch
