This is a subtitle for your new post

Cyber Trends Unlocked: Threats, Talent & Tomorrow’s Defences | Discussion with Vivien Bilquez

Key Takeaways

Full Discussion Highlights

How would you describe the current cybersecurity landscape?

Vivien: The threat landscape has shifted dramatically. While ransomware remains a top concern, its prevalence is decreasing. Why? Companies are becoming more resilient, refusing to pay ransoms, and regulations now penalize payments. However, we’re seeing a surge in AI-driven social engineering (deepfake impersonations, voice cloning) and attacks on critical infrastructure like power grids and water systems. These pose not just financial or reputational risks, but it can be devastating for the environment and for the people.

What actionable steps can businesses take to mitigate these evolving threats?

Vivien: Today we have a more effective approach than traditional risk assessments - it's called cyber risk quantification. Instead of just labelling risks as 'high,' 'medium,' or 'low' (which can be vague), we assign actual dollar values to potential threats. This makes risks much easier to understand and justify budget for security measures. For example, if we calculate that a ransomware attack could cost $10 million, spending $10,000 on prevention becomes an obvious business decision. This method helps technical teams communicate with executives by showing cybersecurity in financial terms they understand.

How have attack methods and defences strategies changed recently?

Vivien: Attack patterns have shifted significantly. While hackers previously focused mainly on the financial sector, they're now targeting different industries like food production, utilities, healthcare, and energy. These sectors are becoming prime targets as financial institutions have improved their defenses.

Our security approach has evolved too. In the past, we built defenses like castle walls - just protecting the network perimeter. But today, we need a data-centric, multi-layered strategy:

1. First, secure the endpoints (user devices)
2. Then protect user identities and access privileges
3. Next, safeguard the network
4. Finally, secure cloud systems

The human element remains critical - no matter how strong your systems are, people can still click on phishing links. That's why endpoint protection comes first.

We've also improved through cyber threat intelligence sharing. When one company gets attacked - say in Japan - others worldwide can learn from it almost immediately. This real-time collaboration makes everyone more resilient.

What skills should hiring managers prioritize when looking for cybersecurity professionals?

Vivien: When we hire cybersecurity professionals, soft skills are actually more important than technical skills. Many people think cybersecurity is 90% technical IT work, but in reality, it's about strategy - communicating with stakeholders, helping management understand risks, training employees, and working with regulators. About 80% of the job requires skills like curiosity, strong communication, and cultural awareness.

Language skills are especially valuable in my international team. Some of my team members have even learned Russian, Korean or Chinese to monitor hacker discussions on the dark web, where conversations often use local slang.

While technical knowledge is still needed, I prioritize attitude and experience over certifications. The best candidates are adaptable, passionate about learning new things like AI security, and can communicate complex ideas simply. These human qualities make the real difference in cybersecurity work.

Moreover, we also actively recruit more diverse groups who bring valuable different perspectives.

How would you describe Zurich's work culture?

Vivien: We encourage initiative with our motto: "Don't ask permission, ask forgiveness." We want people to try new things - even if they fail. This freedom creates passionate employees who enjoy their work. We also offer flexibility in work hours and locations. And yes, our cafeteria with international cuisine is legendary - some employees even joined because of the food! It's these little things that keep teams happy and motivated.

Looking ahead, how can companies make cybersecurity a company-wide priority?

Vivien: Cybersecurity shouldn’t be siloed in IT—it must be embedded across the entire organization. The key is communication and alignment with business goals. Too often, security teams are seen as blockers, but we need to position cybersecurity as a business enabler that protects revenue, reputation, and operations.

For employees, it's good to get them involved in cybersecurity strategy by giving some reward. For example, in my previous role, we rewarded staff with points redeemable for gifts or vouchers when they completed security training or reported phishing attempts. This approach transformed cybersecurity from being seen as a burden into an opportunity—employees became proactive participants rather than passive observers, creating a positive shift in mindset across the organization.

What emerging threats should we prepare for over the next two to three years?

Vivien: We're seeing AI-driven attacks becoming more industrialized. Critical infrastructure is their major target. Hong Kong's new 2026 critical infrastructure cybersecurity law shows how seriously this is being taken. 

If you are manufactures, it’s very important to be cyber resilient. Secondly, I would say be careful of the third parties. The security standards we implement internally must extend equally to all third-party vendors - especially since they often handle sensitive customer data. Any security gap in our supply chain creates risk for our entire organization.

Finally, we need to address Post Quantum Cryptography. Quantum computers, which are becoming increasingly powerful, will eventually be able to break most of the encryption methods we rely on today - possibly within just a few years. This means nearly all of our current cryptographic security will become obsolete. That's why organizations need to start preparing now by exploring post-quantum cryptography solutions.