The Sophos management study “Boss, how do you feel about cybersecurity?” shows over three years of the survey (2022, 2024, 2025) how the perception, responsibility and personal proximity of management to the topic have changed. Cybersecurity is now established at management level and remains a topic that both concerns and worries bosses.
2022: High self-confidence, low uncertainty
In 2022, 32.3 percent of companies in Germany, 37.3 percent in Austria and 47.1 percent in Switzerland confirmed that the relevance of IT security had continued to increase. Nevertheless, at the time, cybersecurity was predominantly seen as an operational IT task; Only 1.9 percent of companies with more than 200 employees placed responsibility at management level.
Despite the tense global political situation and the war in Europe – which was also fought on the cyber level early on – many companies still reacted comparatively calmly. Only around a third of the managers surveyed reported that the geopolitical situation had sharpened their focus on IT security.
The majority, on the other hand, felt that their company was well positioned when it came to cyber protection: 53 percent of smaller and almost 70 percent of larger companies saw no reason (yet) to rethink their security awareness or the strategic importance of cybersecurity. Many assumed that their existing measures were sufficient and that there was no need for additional action. This suggests that cybersecurity was seen as relevant in 2022, but was not yet perceived as an acute strategic challenge.
2024: Cybersecurity is gaining strategic importance
In the 2024 survey, cybersecurity was increasingly viewed as a business enabler. In Germany, 55 percent of managers considered it very important for their business relationships, in Austria 46 percent said this and in Switzerland 60 percent. A further 28 percent of German, 34 percent of Austrian and 32 percent of Swiss managers rated the topic as important. The numbers suggest that cybersecurity has become more closely linked to trust, collaboration and business stability.
2025: Cybersecurity reaches top management
This year’s survey shows that cybersecurity is not only strategically established, but has also moved closer to management levels. In Germany, 29.5 percent of C-level managers were personally involved in resolving a cybersecurity incident within the past six months; In Austria this proportion was 26 percent and in Switzerland it was 34 percent. A further 32 percent of German, 34 percent of Austrian and 20 percent of Swiss managers report a personal experience from a long time ago. At the same time, many confirm that operational incidents are still predominantly processed below the top level: this was stated by 36 percent of German, 38 percent of Austrian and 42 percent of Swiss respondents. This suggests that strategic responsibility and operational implementation are converging, but a division of tasks continues: the strategic guidelines arise at the top, the concrete operational implementation predominantly takes place at downstream levels.
State attacks are becoming more aware
What is striking is the increased sensitivity to geopolitical risks. Media reports about state-organized cyber attacks seem to be more unsettling today than they were in 2022. Although cyber protection is now seen as an integral part of corporate management, the current threat situation does not leave many managers indifferent: 27.5 percent of German, 30 percent of Swiss and 36 percent of Austrian managers reported in 2025 that corresponding reports unsettled them. This may indicate that geopolitical dynamics are now more prevalent in management than they were just a few years ago.
Investments are increasing, demands on partners are growing
According to the figures from 2025, almost half of the companies in Germany (47 percent) and Switzerland (48 percent) and even 60 percent in Austria have noticeably expanded their IT security measures. At the same time, demands along the supply chains are increasing and explicit requirements for partners are being established: Austria is the leader here with 36 percent, followed by Switzerland (22 percent) and Germany (16.5 percent).
DACH comparison: Same trend, different pace
Overall, the three years of study indicate an important change: cybersecurity has developed into an integral part of responsible corporate management. Management teams in the DACH region react more sensitively to threat situations, invest more specifically and also get closer to the topic personally. The pace of this development differs in the three countries: Switzerland consistently shows a particularly high level of sensitivity, Germany in 2025 primarily emphasizes the long-term relevance of the issue, and Austria shows the strongest reaction to current geopolitical tensions, which is reflected in both higher uncertainty and more pronounced investments.
Stability in focus
“The study results show how strongly cybersecurity is now anchored in corporate management,” says Michael Veit, security expert at Sophos. “Many management teams today act much more forward-looking: They make targeted investments, question their supply chains and no longer view cyber protection as just a technical measure, but as a central prerequisite for stability, business continuity and trust. A solidly established level of security gives companies noticeably more freedom of action when dealing with new threats.”
About the studyThe Sophos management study “Boss, how do you feel about cybersecurity?” has so far been collected in 2022, 2024 and 2025 and carried out by the market research institute Ipsos on behalf of Sophos. A total of 300 C-level managers from various industries were surveyed: 200 in Germany and 50 each in Austria and Switzerland. IT managers were explicitly not interviewed.
