From shadow AI to ransomware – the value of external CISOs for enhancing cyber resilience
In 2026, cybersecurity has become a board-level issue. Tighter regulation in the EU and Switzerland is raising the pressure to actively manage cyber risks, report incidents, and ensure compliance. But, with experienced CISOs a scarce, expensive resource, many organisations lack the necessary security experience.
Emerging risks such as shadow AI, driven by uncontrolled GenAI use, can result in unintended data leaks. At the same time, the number of ransomware and phishing incidents is also rising.
CISO-as-a-Service offers a fast, scalable solution. An external CISO ensures the right strategy and operational execution, supports audit readiness, and is more cost-effective than a full-time role.
Pressure on cyber resilience keeps leaders awake at night
In this article, we look at a range of current challenges, from new regulatory requirements and skills shortages to risks from shadow AI. We then set out a practical pathway to deploying CISO-as-a-Service to help improve resilience and security.
The reality in 2026 is clear – with both the threat landscape and regulatory environment tightening up significantly, cybersecurity needs to be on the strategic agenda for senior leadership.

New regulations demand action – NIS2, DORA, data protection, etc.
Cybersecurity requirements are becoming much stricter in both the EU and Switzerland. Inaction risks not only fines, but also reputational damage. Decision-makers need to work out whether their organisation is affected by the new rules, and, if it is, how, and what measures they need to take in response.
NIS2 and DORA raise expectations in the EU
In the EU, a number of regulations are set to come into force. NIS2, the revised Directive on network and information security, expands the scope of EU cybersecurity legislation to cover 18 critical sectors and imposes stricter obligations. Companies across sectors ranging from energy and health to digitalisation are obliged to report cyber incidents to the authorities within 24 hours. NIS2 also shifts responsibility for cybersecurity to senior leadership. Senior leaders are now required to monitor cyber risks, approve cybersecurity measures, and undergo training. Breaches of the legislation can result in significant penalties, including sanctions of up to €10 million or 2% of global turnover, and in some cases personal liability for leaders.
- DORA (the Digital Operational Resilience Act) is being introduced for financial services providers. This EU regulation, which came into force on January 17, 2025, requires banks, insurers, exchanges, etc. to be far more active in managing IT risks and to keep digital operations up and running in the event of a cyber attack.
- For the first time, DORA standardises cybersecurity practices across the EU financial sector. It also covers ICT service providers even when they are located outside the EU.
- At the same time, the GDPR offers a continuing warning – data protection violations can still cost companies up to 4% of turnover. In short, EU regulations force businesses to be proactive in ensuring cyber and data resilience.
Switzerland: revised data protection law, FINMA requirements, and the NCSC
The legal framework is also being tightened up in Switzerland. The revised Federal Act on Data Protection (revFADP) has been in force since September 1, 2023 and brings Swiss legislation into closer alignment with the GDPR. It mandates appropriate technical and organisational security measures and includes an obligation to report data breaches. Serious data leaks must be reported to the Federal Data Protection and Information Commissioner ‘as quickly as possible’. Notably, in Switzerland, in contrast to the EU, fines are primarily levied on responsible individuals rather than companies.
At the same time, FINMA has also tightened the rules for financial institutions. The Swiss financial regulator expects transparent cyber risk management from banks and insurers. FINMA Circular 2023/1 sets out clear requirements for governance, monitoring, and third-party management. The overall message is that, depending on their size, financial services providers must implement an ISMS aligned with ISO 27001.
Switzerland is also expanding cybersecurity reporting points. Since April 2025, operators of critical infrastructure (including energy, health, transport, and telecoms infrastructure) must report significant cybersecurity incidents to the National Cyber Security Centre (NCSC) within 24 hours. This aligns Switzerland with the European NIS2 standard. The NCSC is also being strengthened, and is likely to gain in influence and be given stronger enforcement powers in future.
Regulatory takeaway: whether in the EU or Switzerland, cyber compliance has become a leadership responsibility. Boards are expected to actively manage cybersecurity, disclose risks, and act immediately in the event of incidents. Ignorance will not protect companies from penalties. The new rules are putting pressure on companies to take action, but for many organisations it is still unclear who exactly is going to implement these requirements.
Skills shortages – a key bottleneck for cybersecurity
Experienced cybersecurity leaders are in short supply. With threats and compliance requirements growing, many organisations find themselves in a dangerous position, in that they do not have the experienced CISO (Chief Information Security Officer) or Head of Information Security needed to balance these requirements. 83% of IT leaders say that a shortage of cybersecurity talent and staff is a major obstacle to effective defence.
Experienced CISOs are highly sought after and very expensive. Large enterprises have the resources needed to make such investments, but many mid-sized companies find themselves unable to compete. In addition, the limited number of top candidates are often already in permanent employment. The global cybersecurity talent gap is estimated at more than three million professionals and this gap is not going to disappear anytime soon. Some organisations are trying to train internal candidates, but building experience takes years.
Smaller companies in particular, and even some large enterprises, do not have a dedicated, full-time, in-house security role. The idea that ‘the IT leadership team will take care of it’ is fraught with risk. Given the threat landscape, this risk is hard to justify. This gap in the leadership team creates uncertainty. Who is responsible for developing the cybersecurity strategy? Who owns policies, training, and incident response? Without a dedicated CISO, these tasks often fall through the cracks, or are dealt with reactively by external consultants. There is no continuous security governance and no cybersecurity strategy.
In short, the CISO-level skills shortage is of critical importance. For most companies, expecting them to suddenly hire an internal CISO is unrealistic. At the same time, regulators implicitly expect effective information security leadership. This creates a dangerous gap between requirements and practice.
New risks – shadow AI, data loss, and data sovereignty
While personnel resources are tight, new risk areas are expanding rapidly. One key issue is shadow AI. Similar to shadow IT, this involves employees using AI tools (such as ChatGPT or generative AI) without the knowledge of and outside the control of the IT department. What starts out as a creative productivity boost can soon turn into a data protection and data security nightmare.
Shadow AI brings significant risks, including unintended data disclosure, biased or incorrect AI output, and potential regulatory violations. Employees could, for example, enter sensitive text or source code into an AI platform without realising that this data may be stored on external servers and potentially reused.
For a real-life example, look no further than Samsung, where developers looking for help with their code copied confidential source code into ChatGPT, resulting in company secrets being fed into AI training data. Incidents like this show how quickly data and control can be lost in the absence of enforceable policies.
Data sovereignty is another hot topic. Many organisations use cloud services and AI APIs from around the world. As a result, business-critical data is often located outside national borders and legal sovereignty. Questions such as ‘Where is our data physically located?’, ‘Who is able to access it?’ and ‘Is it subject to foreign laws (for example, the US CLOUD Act)?’ are often overlooked.
In addition, existing risks have not diminished – ransomware attacks, phishing scams, or a lost laptop containing unencrypted files can all result in unintended data leaks. The mix of old and new threats means that, in the absence of clear policies, employee awareness, and technical safeguards, the likelihood of a serious security incident continues to rise. Who coordinates the response in a real emergency?
Pressure on leadership – responsibility, liability, and expectations
Liability risk is increasing. In Switzerland, violations of data protection legislation can result in personal fines for the individuals responsible. Internationally, there has been a growing number of cases in which CISOs, and in some cases even CEOs, have been forced to resign or have faced legal consequences in the wake of major incidents. In tenders or partnerships, large customers increasingly demand evidence of cyber resilience and information security.
Reputational pressure also matters. Cyber incidents make headlines. When companies lose customer data or their services are down for days on end, the leadership team comes under intense criticism. The tone in boardrooms is becoming more direct. Cybersecurity is no longer seen as purely a technical issue, but is increasingly viewed as a leadership issue comparable to finance or legal. Leaders therefore need to build their knowledge in this area or bring in expert support.
Companies that establish cybersecurity as a competitive advantage earn greater trust from customers and partners. A resilient organisation that deals confidently with regulatory requirements and manages incidents professionally signals reliability and responsibility. For boards and supervisory bodies, investing in this has a double payoff, in that it reduces risk and strengthens stakeholder trust.

CISO-as-a-Service – a flexible path to greater cyber resilience
How can organisations meet all of these challenges quickly, competently, and cost-effectively? An increasingly popular answer is CISO-as-a-Service (also known as a virtual CISO or vCISO). What exactly is an external CISO? CISO-as-a-Service is a service model in which an external Chief Information Security Officer (CISO) takes on the strategic cybersecurity leadership role on an on-demand basis. Instead of investing time and money in searching for a full-time CISO (who may be hard to find or afford), organisations buy in flexible access to the expertise of an experienced security professional, either through a subscription model or on an ad hoc basis.
This model offers a number of advantages:
Conclusion: act now and flexibly enhance your cyber resilience
The threat landscape is complex and the regulatory environment is becoming more exacting. Organisations are under pressure to boost their cyber resilience but internal resources are limited.
Companies can address these challenges by using CISO-as-a-Service to bring first-class cybersecurity leadership on board with immediate effect. For CEOs, CIOs, and boards, this represents a practical option that kicks in before the next incident or audit. Instead of waiting for the perfect internal candidate, you can proactively bring in an experienced partner. The result is stronger governance, improved resilience, and demonstrable compliance.
Your first step is a no-obligation enquiry to find out more about CISO-as-a-Service. Our experts will be happy to review your situation and outline a tailored pathway to your solution.