“Map the future technology playgrounds of your company well ahead. Engage in industry discussions or gather information through cybersecurity industry networks such as ISSS or Clusis. From small teams of employees keen to explore some of the future topics, have them write part of the cybersecurity strategy.” 

Marcel Zumbühl is a multifaceted leader in the field of cybersecurity and information technology and a seasoned professional with extensive expertise in cybersecurity and telecommunications. Since 2018, he has served as the Group CISO and a Member of the Group IT Board at Swiss Post Group. Marcel is also a co-president of ISSS and a lecturer at ETH Zurich and HSLU. 

Prior to this, he held key roles at Credit Suisse, including Head of Security Control Steering and CISO for Digital Private Banking. His career includes a notable tenure at Swisscom, where he was the Head of Security and a member of the Operations Board. Marcel is a board director for Hacknowledge SA and TerreActive AG as well as an advisor to Bug Bounty Switzerland AG. 

Marcel’s academic background includes a Master of Science degree from the University of Berne, with a focus on computer science, business administration, and mathematics. He is a prolific author with publications in Pattern Recognition and Mobile Communications and has contributed his expertise as a guest speaker at various universities and international security conferences. 

Read on and discover what Marcel has to say on such topics as cybersecurity due diligence in mergers and acquisitions, and the current shortage of cybersecurity talent. 

How should businesses approach cybersecurity due diligence during mergers and acquisitions?

During M&A, include cybersecurity in either of the evaluation streams. Understand how the acquired party is running cybersecurity and IT, how they are exposed (e.g., use Bitsight or Autobahn Security to run a non-invasive perimeter scan of the enterprise). Understand that you have to make a budget provision to bring cybersecurity up to level after the acquisition, in particular when buying an SME.

How can enterprises stay agile and responsive to the rapidly changing cybersecurity landscape?  

Map the future technology playgrounds of your company well ahead. Engage in industry discussions or gather information through cybersecurity industry networks such as ISSS or Clusis. From small teams of employees keen to explore some of the future topics, have them write part of the cybersecurity strategy.  

How can organizations foster a culture of security awareness among their employees? 

More than security awareness, strive for security empowerment. By considering your employees the strongest link in cybersecurity, you reach out to them and make them an important sensor. For example, in phishing protection nothing beats employees reporting back when they detect an attack. No machine will match this. Make sure you run a no-blame culture fostering constant learning and improvement.

How do you see the role of business leadership evolving in the context of cybersecurity? 

By understanding cybersecurity as a process rather than a state and endorsing proactive communication, your customers will grow to understand why they can trust you. This is the best business boost you can get out of cybersecurity. Understand every cybersecurity incident as a chance to strengthen customer focus.

What creative solutions do you suggest in order to address the cyber skills and talent shortage in the industry? 

There are people beyond pure technology that are passionate about cybersecurity. In AI safety in particular we will be successful if we can bring employees with a background in psychology, communication and education to the team. Let’s also try to find new images for cybersecurity, like the bridge, the road, etc. Language beyond the stereotype “war, military” phrases will certainly attract a more diverse set of professionals. We must strive for diversity in cybersecurity.  

How should businesses approach the integration of quantum innovations in their cybersecurity strategies?

Quantum opens a field of potentially tamper-free communication when the technology makes its breakthrough. It also renders current encryption algorithms extremely vulnerable, and businesses should start to map out their encryption techniques that will have to be replaced by quantum-proof counterparts. We expect the new quantum-proof encryption algorithms to be announced in summer 2024; this will be an important date not to miss.