What keeps CISOs awake at night — and why Zurich might hold the cure


Sleepless nights in cybersecurity

When I attended the Global Cyber Conference 2025 in Zurich last week, I expected world-class keynotes and sharp panel debates. What I didn’t expect were so many conversations about sleep. Or rather, the absence of it. The exhaustion was palpable — red eyes, half-empty coffee cups and the quiet admission from one CISO: “I haven’t slept through the night in six months.”

In a keynote titled “The 2025 threat landscape – What keeps CISOs awake at night,” Tim Brown, CISO at SolarWinds, distilled the collective anxiety of an entire profession into five painfully accurate points. His slides weren’t just data — they were a mirror held up to a room full of leaders who live in a state of permanent vigilance.

It was one of those rare sessions where the room fell silent — not from boredom, but recognition. The CISOs around me weren’t snapping LinkedIn photos; they were nodding, half-smiling, half-grimacing. Because every slide mirrored what we all feel: constant acceleration, persistent uncertainty and diminishing control. One European bank CISO whispered, “That’s my risk register — on a bad day.”

A safe space in the Alps

Over two days at Zurich’s stunning Dolder Grand — hosted by the Swiss Cyber Institute — I witnessed something I’ve seldom seen at cybersecurity events: real vulnerability. In a closed, attribution-free environment, leaders shared not just strategies, but doubts. And that made this event stand out — not as another conference, but as a safe space for CISOs to drop their armor. The Dolder Grand’s panoramic views over Lake Zurich and the Alps provided a serene contrast to the high-stakes discussions inside, amplifying the sense of a neutral, reflective sanctuary.

Zurich, with its alpine precision and global neutrality, was the perfect backdrop. The theme Future Resilience echoed everywhere, but the magic happened in the margins: pre-conference coffee chats, late-night Swiss CISO Awards talks, quiet lounge exchanges. The SCI has built something extraordinary — a community where CISOs exchange phone numbers, not just slides. Multiple leaders told me they now call peers directly during live anomalies. That’s trust you can’t buy. One manufacturing CISO shared how a Zurich contact helped him contain a supply-chain incident in under four hours — something that previously took days through formal channels.

5 threats that hit home

Here are Brown’s five threats — straight from the slides, raw insights from the room and my takeaways as a consultant advising energy, manufacturing and finance giants.

1. The shrinking window between discovery and exploitation

Brown’s first slide hit like a gut punch: “Time between discovery and exploitation continues to decrease while CVE publishing increases.”

That line summarizes 2025’s cyber reality. MITRE has tracked over 39,000 CVEs so far in 2025 alone, and Mandiant’s M-Trends 2025 shows exploits weaponized in days — or hours.

One CISO described a zero-day that went from disclosure to active ransomware in 19 hours. “We patched 40,000 endpoints overnight,” he said. “Next time? We might not have 19 hours.”

In my practice, I see quarterly scans failing. My fix for clients: Automated, risk-based patching — integrate exposure tools with CMDBs to prioritize crown jewels. Post-Zurich, I’m piloting this for an energy client: zero-downtime OT patching via virtual patching. Speed isn’t optional; it’s survival. Tools like Tenable or Qualys, when linked to asset inventories, can cut prioritization time from days to minutes.
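The prioritization described above, joining scanner findings to CMDB records so crown jewels are patched first, can be sketched as follows. This is an added example, not code from the article or from any vendor tool; the field names, weights, hostnames and placeholder CVE labels are all assumptions constructed for illustration.

```python
# Constructed CMDB extract: criticality 1 (low) to 5 (crown jewel).
CMDB = {
    "erp-db-01":   {"criticality": 5, "internet_facing": False, "ot": False},
    "hmi-plant-3": {"criticality": 5, "internet_facing": False, "ot": True},
    "vpn-gw-02":   {"criticality": 4, "internet_facing": True,  "ot": False},
    "kiosk-114":   {"criticality": 1, "internet_facing": False, "ot": False},
}
# Constructed scanner export; CVE labels are placeholders, not real identifiers.
FINDINGS = [
    {"asset": "kiosk-114",    "cve": "CVE-PLACEHOLDER-A", "cvss": 9.8, "exploited": False},
    {"asset": "vpn-gw-02",    "cve": "CVE-PLACEHOLDER-B", "cvss": 8.1, "exploited": True},
    {"asset": "hmi-plant-3",  "cve": "CVE-PLACEHOLDER-C", "cvss": 7.5, "exploited": True},
    {"asset": "erp-db-01",    "cve": "CVE-PLACEHOLDER-D", "cvss": 6.5, "exploited": False},
    {"asset": "unknown-host", "cve": "CVE-PLACEHOLDER-A", "cvss": 9.8, "exploited": False},
]

def risk_score(finding, asset):
    """Severity weighted by business impact, exploitation and exposure (assumed weights)."""
    score = finding["cvss"] * asset["criticality"]
    if finding["exploited"]:
        score *= 2.0   # exploitation already observed: the window has closed
    if asset["internet_facing"]:
        score *= 1.5   # reachable without an internal foothold
    return round(score, 1)

def patch_queue(findings, cmdb):
    """Return (ranked work items, hosts the scanner saw but the CMDB does not know)."""
    queue, orphans = [], []
    for f in findings:
        asset = cmdb.get(f["asset"])
        if asset is None:
            orphans.append(f["asset"])   # inventory gap: cannot be prioritized
            continue
        # OT assets cannot take downtime, so route them to virtual patching.
        action = "virtual-patch" if asset["ot"] else "patch"
        queue.append({"asset": f["asset"], "cve": f["cve"],
                      "score": risk_score(f, asset), "action": action})
    queue.sort(key=lambda item: item["score"], reverse=True)
    return queue, orphans

if __name__ == "__main__":
    ranked, missing = patch_queue(FINDINGS, CMDB)
    for item in ranked:
        print(f'{item["score"]:>6}  {item["action"]:<13} {item["asset"]}  {item["cve"]}')
    print("not in CMDB:", missing)
```

With this sample data the CVSS 9.8 finding on the kiosk ranks last, behind lower-scored but exploited findings on critical assets, and the host missing from the CMDB is surfaced as an inventory gap instead of being silently dropped.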

2. Motivated threat actors – and the end of deterrence

“Motivated threat actors facing little consequences — the starfish and the spider. The spider model is not working.”

Brown nailed it, channeling The Starfish and the Spider. But his real analogy was Napster vs. iTunes:

“We shut down one file-sharing network, three more popped up. The music industry didn’t win by closing platforms — they won by making legal downloads cheaper and easier. We’re still trying to shut down the networks instead of changing the economics.”

Verizon’s DBIR 2025 confirms: Ransomware in 44% of breaches (up 37% YoY), with groups recycling TTPs days post-takedown.

My client takeaway: Ditch perimeters for behavioral detection (UEBA in SIEMs). Join ISACs or SCI networks — isolation loses. One manufacturing client now shares IOCs in real-time; containment time dropped 40%. Platforms like Splunk or Microsoft Sentinel with UEBA modules make this shift practical and measurable.

3. The third-party paradox

“Third-party risk — we need to expect more from vendors and consumers of technology.”

Laughter rippled — bitter, knowing. Post-SolarWinds/MOVEit, 62% of breaches involve third parties per recent studies.

One CISO: “We audited their SOC 2 — but not their firmware update process.”

Post-Zurich framework update (bullets for you):

- Live API feeds for vuln/compliance
- Joint tabletops quarterly
- Contracts: 72-hour notify + shared remediation

SCI’s cross-industry working groups made this actionable. For a finance client, this slashed vendor risk score by 35%. Integrating tools like BitSight or SecurityScorecard into vendor portals automates much of this oversight.

4. AI – the fastest arms race in history

“AI — we’re in a race. Can we use it faster and better than the adversary?”

AI powers both sides. Workshop demo: LLMs craft phishing bypassing gateways 94%. Deepfakes in <10 mins.

One CISO: “We’re using AI to simulate attacks in a sandbox, training our SOC on synthetic TTPs.” I’m piloting this with a manufacturing client — GenAI generates polymorphic malware for rule-testing.

OWASP Top 10 for LLMs now mandatory: Prompt injection #1.

Classify models as critical assets — threat model them. Treating LLMs like any other high-value system, with access controls and logging, is now non-negotiable in mature programs.

5. Stress and burnout – the human threat surface

“Deputy CISOs reluctant to become CISOs, CISOs leaving the industry, burnout for our teams.”

The room broke. 69% report rising burnout; deputies flee the role.

Stories: Missed birthdays, divorces, no vacations in years. One CISO admitted, “My daughter asked if I still work here.”

Closing Apéro: Impromptu support. “CISO hotlines” for 3am Swap: Sabbaticals, peer circles.

One leader: “Resilience is now part of my risk register.” Framable. Tweetable. True.

My new audit: People = risk vector. Morale checks alongside firewalls. Simple pulse surveys and rotation policies can yield measurable improvements in team retention and alertness.

Why Zurich set a new benchmark

The Global Cyber Conference 2025 wasn’t just another industry gathering — it was a living network. The Swiss Cyber Institute has created a space where trust isn’t a buzzword; it’s the default setting. The vendor-free format ensures candid exchanges, free from sales pitches, fostering genuine collaboration.

Multiple CISOs told me they now call peers directly when anomalies appear in shared supply chains — not through formal channels, but through relationships built in Zurich. That level of collaboration doesn’t happen by accident. It’s the result of a carefully curated, vendor-free environment where leaders can speak freely.

In a field drowning in alerts and noise, this event cuts through. CISOs don’t just attend — they belong. The sense of community extends beyond the conference, with SCI maintaining active working groups and a secure messaging platform for year-round peer support.

If you advise security leaders, govern risk or build resilience programs, put the Global Cyber Conference on your radar for next year. The Swiss Cyber Institute typically announces dates in early spring. In the meantime, the connections made in Zurich this year are already saving response time — and sleep — for hundreds of leaders across Europe and the US. The return on investment isn’t measured in swag or slides, but in faster incident response, shared playbooks and the rare gift of knowing you’re not alone at 3am.

This article is published as part of the Foundry Expert Contributor Network.