Cybersecurity is a Leadership Issue

When a cyberattack stops production, disrupts supply chains or puts customer data at risk, it is too late to debate who is responsible. Thomas Schumacher of Accenture explains why cybersecurity is a matter of corporate strategy, not tactics — before an IT incident turns into a business problem.

Cybersecurity has been one of the biggest corporate risks for years. Yet in many organisations, it is still treated primarily as a technical issue: something for IT departments, security teams or the CISO to handle. For Thomas Schumacher, Managing Director and Security Lead Central & Eastern Europe at Accenture, this is one of the core challenges. In his keynote at the Cyber / AI Expo 2026, Schumacher will explain why cybersecurity belongs on the agenda of boards and executive management, how AI is changing both the threat landscape and cyber defence, and what steps companies should take now to become more resilient.

Cyber risks are no longer an abstract threat. Attacks on IT systems, production environments, supply chains or critical infrastructure can bring production to a standstill, expose data, damage customer relationships and destroy trust. It becomes particularly critical when companies realise only during a crisis that they may have implemented individual security measures, but lack a robust resilience strategy.

This is where Schumacher sees a clear need for action. Cybersecurity may be present at leadership level, but it often still lacks strategic anchoring. The Chief Information Security Officer carries the “C” in the title, but in many German companies, the role does not have a seat at the board table. As a result, cybersecurity often remains where it is dealt with operationally — but not where strategic decisions are made.

For Schumacher, this is dangerous. The role of a CEO or board member is to identify risks early, prevent harm to the company and safeguard the organisation’s long-term viability. Anyone who has to explain, in a crisis, why an attack has paralysed the company cannot simply point to the fact that the issue had been delegated to specialists.

The threat landscape is becoming more complex: geopolitical tensions, fragile supply chains, regulatory requirements and the shortage of skilled professionals are all increasing the pressure. Regulations such as NIS2, DORA or the Cyber Resilience Act, Schumacher explains, are often perceived as a burden — but they are also an opportunity. They can help organisations reach a level of security that many would not have achieved on their own. In highly regulated sectors such as financial services, this can already be seen; in many industrial sectors, the process is still at an early stage.

One of the biggest changes, Schumacher says, is being driven by artificial intelligence. He describes AI as “friend and enemy at the same time”. AI can help detect attacks faster, understand patterns more effectively and automate security processes. At the same time, attackers are using AI to become more professional, faster and more targeted.

Phishing emails, social engineering attacks and ransomware campaigns can now be tailored precisely to individuals, roles or companies. Where poorly written mass emails used to be easy to spot, today’s attacks can appear as highly convincing job applications, supplier enquiries or internal messages. The risk is especially high in areas where employees have good reason to respond — such as HR, purchasing or customer service. Schumacher therefore speaks of a widening “AI gap”: attackers often exploit the new possibilities faster than companies can develop their defences.

At the same time, the Accenture manager warns against thinking about security too late when deploying AI in the company. Many organisations invest in new tools without first examining which data is being processed, what access rights are being created and which new points of entry may be opened up. The line between secure use and risky exposure can be thin when employees use AI tools in the wrong context, with the wrong accounts or without clear governance.

So what should companies do now? For Schumacher, it starts with the basics. Companies need to know which systems, data and processes they have to protect. They need to understand their IT landscape, identify critical assets and determine which areas must be up and running immediately in the event of a crisis. Not everything is equally critical. But that is precisely why clarity is needed about what is truly business-critical.

Schumacher also sees the supply chain as highly relevant to security. Companies are now so interconnected that their own security no longer ends at the company boundary. Service providers, suppliers, platforms and external partners can themselves become points of entry. Anyone who takes cybersecurity seriously must therefore include the supply chain as well.

Careful detection is also central, Schumacher emphasises. Companies must be able to recognise whether they are under attack. The longer attackers can move through systems unnoticed, the greater the damage. AI-supported detection systems can be decisive here, especially when companies do not only learn from their own incidents but benefit from a broader picture of the threat landscape. External partners and managed services can help identify attacks earlier and defend against them faster.

But even the best prevention is not enough. Cyber resilience also means being prepared for the worst case: crisis processes must work, responsibilities must be clear, communication must be prepared and operations must be restorable at least in part. Cyber insurance can cushion financial losses, but it cannot restart production, regain customer trust or stabilise a supply chain.

Keynote at the Cyber / AI Expo 2026:
Thomas Schumacher, Managing Director & Security Lead Central & Eastern Europe, Accenture
“Cybersecurity as a Board Priority – Strengthen Resilience before the Crisis”

>> More about the program