Self-Protection Instead of Cyber Myths: NCSC Head Florian Schütz in a Video Interview
22 December, 2025
Florian Schütz, Head of the National Cybersecurity Center (NCSC), talks in an interview about the reality behind “Hollywood hacking”, the reporting obligation for critical infrastructures and why cybersecurity is increasingly becoming an economic policy issue. His key point: the state cannot protect every system, but it can empower people to understand risks and build resilience.
Florian Schütz’s journey into cyber security began early, as he reveals in a video interview with our partner, The INGAGE Institute. As a teenager, he was particularly fascinated by computers “where they do things they shouldn’t”. He studied computer science at ETH Zurich, initially with a focus on augmented reality and embedded systems, and later – aided by the establishment of a security program – increasingly with a focus on cybersecurity. He is also influenced by the environment of safety-critical systems: If software fails, real damage is possible. For Schütz, responsibility is therefore not an abstract concept, but part of the engineering self-image.
“What’s cool is not hacking – what’s cool is robust construction”
Schütz soberly dispels the popular image of the glamorous hacker. Understanding attacks is important and intellectually appealing, but the real mastery lies in designing resilient systems. In practice, security rarely fails due to highly complex attacks, but rather due to a lack of fundamentals: unpatched vulnerabilities, poorly configured systems or inadequate processes. Anyone who has worked in the industry for a long time quickly recognizes recurring patterns and knows that prevention is almost always cheaper than remediation.
What the NCSC does – and doesn’t do
The National Cybersecurity Center (NCSC) does not protect “Switzerland” by proxy. Its mission is to enable the population, companies and operators of critical infrastructures to understand cyber risks and take responsibility themselves. The NCSC is embedded in the national cyber strategy, which brings together several players: Cyber Defense (military and intelligence) for conflict and espionage, Cyber Crime for police and law enforcement, and cybersecurity in a preventative sense at the NCSC. The strategy forms the common umbrella, without a central command structure. The cantons are also responsible for ensuring that the objectives are implemented at all levels of government.
Mandatory reporting and trust as a basis
A reporting obligation for critical infrastructures has been in force since April 1, 2025. For Schütz, the underlying logic of trust is crucial: reports will not be passed on without explicit consent. Companies should be encouraged to cooperate with the police without fear of public exposure or automatic forwarding. The focus is on help, learning and prevention and not on apportioning blame.
The Bürgenstock as a cyber stress test
The example of the Bürgenstock Conference, the peace summit on Ukraine, shows how this principle works. DDoS attacks in particular were to be expected, i.e. overload attacks of a mostly symbolic nature, for example against websites of regional tourism organizations. Operationally, such incidents are usually manageable, says Schütz. Public perception is more critical: alarmist assessments by self-proclaimed experts can undermine trust, unsettle participants and damage reputations. In addition to risk assessment and technical preparation, transparent communication and close coordination with the media and those affected were correspondingly important.
When Swiss infrastructure is misused
A recurring problem is the misuse of infrastructure from Switzerland as a starting point for attacks. The NCSC shares information with internet providers in order to block criminal structures or make actors less effective. The reactions vary. While some providers act responsibly, others invoke “freedom of speech”, an argument that Schütz rejects in the case of clearly criminal activities. For him, it is clear that security behavior is essentially shaped by economic incentives and business models.
Cybersecurity as a location and economic issue
This brings an often underestimated aspect into focus. Cyber security is not just technology, but also economic policy. A large proportion of Swiss companies generate low turnover and have correspondingly limited budgets for security. If the costs of cyber protection rise across the board, margins, competitiveness and, in the long term, gross domestic product will fall. Schütz formulates a strategic hypothesis: even if economic weakening is not specifically planned, it can have a geopolitical impact. For him, this means that it is necessary to better measure economic damage and take targeted countermeasures.
Cloud, AI and digital sovereignty
When looking at the cloud and artificial intelligence, Schütz describes the transition from earlier tech optimism to a phase of geopolitical mistrust. When central infrastructures are controlled by a few global providers, questions arise about data access, legal jurisdiction and political dependencies. Technically, he sees hope in approaches such as confidential computing; politically, he sees a role for Switzerland as a confidence-building actor that can mediate between different interests.
Disinformation and the platform economy
Schütz also places social media in this context. What began as a connection technology has been distorted by attention-driven business models. In Switzerland, disinformation is primarily the responsibility of the intelligence service, but overlaps operationally with cyber issues. Prevention therefore begins not only technically, but also socially with media literacy, education and early awareness-raising.
Looking ahead: cyber as a long-term investment
For the next three years, Schütz hopes that cyber security will not be seen politically as a short-term “attack and defense game”, but rather as a long-term investment in security, prosperity and a way of life. This includes harmonized regulation, stable international trust and exchange mechanisms as well as a strengthened digital capacity to act. For the NCSC itself, the focus is on expanding a national digital platform that can be used to share situation information and organize cooperation efficiently.
The interview does not provide a cyber thriller, but a strategic grounding. The decisive levers lie less in spectacular defensive actions than in solid foundations, functioning incentive systems and the realization that cyber security has long been a central economic and social security issue.
Binci Heeb