23 July 2025, by Andreas Koch
Rethinking cybersecurity
How resilience, compliance and AI are becoming key factors for the future
Cybersecurity has long since ceased to be just an interesting IT topic. It affects business models, supply chains, innovation cycles and ultimately the future viability of entire organisations. But while the threat level is growing, implementation often remains piecemeal. What is missing is a strategic, holistic, forward-looking and practical view of IT security.
1. Governance, risk and compliance: from mandatory programme to management task
Many companies have established governance, risk and compliance (GRC) on paper, but have not implemented it in everyday practice. Processes are fragmented, responsibilities are unclear and tools are not integrated. Yet GRC is not an end in itself, but a tool for managing risk and strengthening resilience.
What matters now:
- GRC – and therefore cybersecurity – belongs in senior management. Risk and compliance issues can only be effective if they are discussed at C-level.
- Supply chains must be taken into account. If you don't know your partners, you don't know your vulnerabilities.
- GRC requires clear responsibilities and regular reviews. This is the only way to turn paper into reality.
GRC must no longer be seen as a tedious bureaucratic exercise, but must be established as a strategic management task. Only then can it unfold its full potential as a foundation for resilience, security and sustainable business success.
2. Regulation: Don't just work through it, shape it
DORA, NIS2, CRA – the list of new requirements is getting longer and longer. Many companies respond with checklists and project plans. But those who simply work through the list miss the opportunity to optimise processes and use security as a competitive advantage.
Three pragmatic steps:
1. Regulatory scoping: Which requirements actually apply – and when?
2. Compliance & security by design: Security requirements must be taken into account from the outset of every project.
3. Automate recurring review processes: This leaves more time for strategic tasks.
Regulatory requirements should not just be met, but actively shaped. Those who use requirements strategically strengthen processes, increase security and thus create real added value.
3. Zero Trust: From buzzword to architecture
Zero Trust is currently on everyone's lips, but in practice it often remains nothing more than lip service. It is not about a specific tool, but rather a principle: trust is not assumed, but continuously verified. This requires a rethink in technical, organisational and cultural terms.
What this means in concrete terms:
- Identities are the new perimeter. Those who have access must authenticate themselves in a context-dependent manner – not just once, but continuously.
- Networks should be logically segmented – with clear transitions and rules.
- Zero Trust is a journey, not a destination. Start with a pilot area, evaluate, scale – and remain flexible.
Zero Trust is the way to eliminate the gaps between IT silos, which are often still standard in a hybrid multi-cloud world. It is a journey towards a secure IT architecture that safeguards current and future productivity.
4. Resilience: When an emergency becomes a litmus test
Resilience is not evident in normal operations, but in a crisis. Those who are prepared can react quickly. Those who are not prepared lose time, money and trust.
What resilient companies do differently:
- They know their critical processes. Business impact analyses are not a luxury, but a necessity.
- They test regularly. Cyber attacks can be simulated – and that is exactly what should be done.
- They measure progress. Recovery times, awareness rates, response speeds – everything can be recorded and improved.
Reducing complexity, automating defence (e.g. through playbooks) and using AI in a targeted way in response significantly strengthen the resilience of organisations and reduce potential damage in the event of an emergency.
5. Artificial intelligence: between hype and craft
AI is not a panacea, but it is an extremely powerful tool.
When used correctly, it can detect threats faster, analyse patterns and automate responses. But using it correctly is a skill that must be learned.
What matters:
- Identify use cases with added value. Not everything AI can do is useful.
- Create transparency. Decisions must be traceable – especially in regulated industries.
- Establish governance. Who trains the models? What data is used? Who is responsible?
Statistics show a growing number of AI-supported cyber attacks. The obvious response to this is AI-supported defence. Creating the right conditions now is a good investment.
6. People: weak link or protective shield?
Technology can do a lot, but not everything. People remain the decisive factor. And this is often where the biggest gap lies.
What helps:
- Awareness is not a one-off project. Training must be regular, practical and tailored to the target group.
- Managers must lead the way. Security culture starts at the top.
- Gamification works. Those who learn through play stay ahead – and report problems more quickly when something goes wrong.
A large number of cyber attacks are carried out using identities. With the right measures in place, people become an extended protective shield even before a technical attack takes place. Recognising and defending against social engineering or phishing is the best form of prevention and an important piece of the puzzle in overall cyber defence.
Conclusion: Security is not a state – it is an attitude
Cybersecurity is not a temporary project. It is a continuous process that connects technology, organisation and people. Those who invest in governance, resilience and intelligent technologies today not only create protection, but also trust. And in an uncertain world, that is the most valuable asset.
This means that the future belongs to companies that think strategically about cybersecurity, anchor it in regulations, develop it technologically and secure it with people. This is how true digital resilience is created – as a protective shield against risks and a springboard for innovation.