Governance
March 04, 2026
An invisible wall
A wall built by everyone
Today, even the best IT professionals and advanced cybersecurity systems cannot guarantee protection if the culture of security is not embedded in corporate governance. At Sulzer, we believe that building a strong security culture across the organization following a continuous improvement program is essential. We spoke with Sven Schuetz, Group IT CISO at Sulzer, to learn more about the security standards embedded in Sulzer’s governance framework.
Q: How would you define cybersecurity in Sulzer’s current context?
A: Cybersecurity at Sulzer is a core pillar of operational resilience. We protect our digital and industrial systems, data, and processes to ensure business continuity, stakeholder trust, and responsible innovation. In addition, we strive to embed sustainable practices in our cyber resilience program to ensure long-term resilience and efficiency. For example, by leveraging our already highly consolidated and cloud-based security services, we minimize hardware usage and energy consumption, supporting both operational efficiency and environmental sustainability.
Q: Why is cybersecurity essential for Sulzer in terms of governance?
A: From a governance perspective, cybersecurity is three-sided; clients, suppliers, and Sulzer are interlinked. First, we serve clients who demand standards in cybersecurity, and we must meet those expectations. In this context, complying with our clients’ security requirements directly impacts our cyber resilience program.
In addition, those same standards shape how we manage our supplier relationships. The responsibility goes beyond our IT environment, as we also need to evaluate the entire supply chain. This is why maintaining the highest levels of cybersecurity is not just an operational concern, it’s a governance topic that affects the entire Sulzer organization, as cybersecurity goes beyond technology, and supports business growth.
Q: What principles guide our corporate cybersecurity strategy?
A: Our strategy is guided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework and follows a few core principles. These principles outline each employee’s responsibility for cybersecurity, emphasize the importance of training and awareness programs, and reaffirm the company’s commitment to protecting the confidentiality, integrity, and availability of information used by the organization. These principles are further developed within Sulzer’s Cyber Resilience Program.
Q: What role do Sulzer employees play in protecting corporate information, and how does Sulzer ensure they are ready to face digital risks?
A: Every employee is part of our defense, and we foster a culture of shared responsibility. We provide mandatory and ongoing training, regular awareness campaigns, phishing simulations, and clear policies, supported by security tools and continuous improvement of our cybersecurity resilience program. These tools enable us to automate a significant portion of our cybersecurity processes and proactively block many of the threats our employees face on a daily basis, with malicious emails being a prime example.
Q: How does Sulzer’s worldwide presence affect us in terms of cybersecurity?
A: Our global operations require a unified framework with local adaptations to address varying regulations and regional threats, ensuring consistent protection and compliance. We work closely with internal teams to ensure the standards are upheld across the company. For example, this year, we are running factory assessments around the globe. This puts us in touch with local departments, as the assessments are not just for IT.
Q: How are leaders and executives involved in promoting good security practices?
A: Leadership sets the tone from the top, sponsoring investments, embedding cyber risk into governance, and ensuring accountability through regular reporting and oversight. In addition to that, we conduct training sessions to address cybersecurity crises together with our management. Cybersecurity has many facets, and we make sure that, for example, the leaders of the communications or the legal team know how to act within their respective areas during a cybersecurity crisis.
Q: What trends or challenges do you expect to shape the future of cybersecurity?
A: For the future, I expect cybersecurity to face more sophisticated and AI-driven attacks, stricter regulatory requirements, and increased convergence between OT and IT systems. Cloud adoption and identity management will remain critical challenges, while resilience will become a priority over pure prevention.