
The ZEISS Group, a leading manufacturer of optics technology, has embarked on a journey to strengthen its strategies for managing cyber risk.

BCG spoke with Susan-Stefanie Breitkopf, Chief Transformation Officer (CTO) and Member of the Executive Board of the ZEISS Group, about the lessons ZEISS has learned while prioritizing security against ever-expanding threats.

The world of technology leaders is undergoing massive change. Data, information technology (IT), and digital innovation play a growing role in companies’ lasting success, and operational technology (OT) increasingly drives efficiency, quality, and production sustainability. At the same time, artificial intelligence (AI) is beginning to scale beyond individual proofs of concept to drive focused value generation.

Technology itself is evolving at a rapid pace: landscapes are increasingly hybrid, spanning on-premise and cloud, and products carry more and more digital components, all entangled in a web of in-house and third-party services and an ecosystem of connected suppliers, partners, and customers.

This has created an increasingly challenging risk landscape. First, the technical and organizational sophistication of malicious actors (for-profit criminal groups as well as increasingly active nation state–backed threat actor groups) is growing, as is their level of professional industrialization: Some now offer targeted attacks as a service, complete with a money-back guarantee if the attack does not work. Second, concerns are rising around the use of cyberattacks as a tool in geopolitical tensions, both to disrupt networked production and to steal intellectual property. Third, attackers’ use of machine learning and easily accessible generative AI shortens the time from initial access to damage, leaving defenders less time to contain an attack and making containment harder. This makes robust detection and response capabilities paramount.

To counter these threats, cyber resilience for business operations as well as for products and services is of utmost importance, which is also reflected in increasing regulatory attention, including the Network and Information Systems Directive 2 (NIS2), the Digital Operational Resilience Act (DORA), and the Cyber Resilience Act (CRA). All of this requires a regular, systematic review and refresh of the protective technology in use, combined with rethinking and updating the underlying operating models. Yet many organizations still rely on tech-centric, prevention-focused defense strategies, trying to build higher and higher fences instead of also preparing to detect and respond to an intruder who is already inside.

How ZEISS Strengthens Its Cyber Resilience

To learn more about what organizations can do to navigate the changing risk landscape and respond to cyber threats, we spoke with Susan-Stefanie Breitkopf, the chief transformation officer (CTO) of the ZEISS Group.

Breitkopf joined ZEISS in 2021 as head of corporate HR and was appointed CTO, as well as a member of the Executive Board, in 2022. In her current role, she orchestrates transformation across ZEISS, enabling growth while securing the right balance between synergies and business needs. Her strategic focus areas include optimizing the ZEISS process landscape, strengthening the reliability and security of its systems, enhancing digital capabilities, and continuously developing employees and leaders within the company. In addition, she serves as the director of labor relations at Carl ZEISS AG.

With over two decades of leadership experience in global companies such as Covestro, LANXESS, and Currenta, Breitkopf has extensive expertise in corporate development, HR, compliance, and management. In 2024, she was appointed to the Future Council of the Federal Chancellor of Germany.

Why would cybersecurity fall on the CTO? As Breitkopf explains, “Cyber risk is first and foremost a business problem that requires continued adaption and transformation, like any other evolving risk. You have to look at the full picture and make sure the technology, the organization with its processes, and the skills of the people evolve and transform accordingly. And that is right in the wheelhouse of a chief transformation officer.”

Breitkopf notes that ZEISS sees transformation as an essential part of continued innovation and value delivery to its customers, and digital transformation plays an increasingly bigger role in this. “Therefore,” she says, “IT and cybersecurity are reporting to me too, and our CIO and CISO are part of my team.”

ZEISS sees the threat landscape as a major topic and an integral aspect of the CTO’s agenda. “There are external geopolitical threats, but there are also technological threats,” Breitkopf says about the organization’s risks. “GenAI offers new possibilities to break into systems with brute force, but there are, of course, also insider threats. Therefore, it is essential for us to have the right mindset, the right solutions, and the right tools to best protect the company.”

As she explains, “Security is obviously one component. Another aspect is that, with cybersecurity, we are strengthening our company’s innovation capabilities. We are a MedTech supplier and part of a network of ASML suppliers, and we ourselves of course have suppliers. Therefore, cybersecurity helps us strengthen our own innovation capabilities and increase our top line.”

Breitkopf breaks cybersecurity responsibilities at ZEISS into three key aspects:

Recognizing that people are essential for cyber resilience, ZEISS prioritizes training and awareness to reinforce cybersecurity. “I have seen consistent reports that about 75–80% of all cyber breaches are due to issues resulting from people, process, and the organization, and only about 20–25% are due to failures of technology,” Breitkopf says. “Hence, we focus on tailored training and awareness programs across roles, seniorities, and functions. This helps our employees recognize cyberattacks and helps our IT and cyber staff do the right things quickly if and as needed. Of course, we also invest in technology, including machine learning and AI, to support people wherever possible, especially in attack detection and response.”

Supported by BCG, ZEISS is currently running a cyber program with a dozen initiatives to further evolve its cybersecurity capabilities, foster continuous improvement, and strengthen resilience. The program has been designed to balance risk reduction and the company’s ability to see the program through. And while such a program at times does push the boundaries of what an organization can handle, Breitkopf explains that it is important to stay on course—because the risks also keep evolving.

Breitkopf has six key learnings she shares with executives who are about to assume board-level responsibility for cybersecurity:

  1. Cybersecurity is a cross-organizational topic. “Everyone has to contribute in one way or another,” Breitkopf says. “Every part of the company is affected.”
  2. Set the right tone, from the top down. “If board members leave their iPads unlocked while in a restaurant, we know it’s not going to work,” notes Breitkopf. “There must be commitment from the top, and it must be exemplified from the top.”
  3. Set an ambitious goal, while still being realistic during implementation. “The threat landscape is challenging,” Breitkopf says. “However, the North Star—i.e., where do we want to go? What must be our degree of security?—should be very aspirational.”
  4. Ensure everyone views this as a business risk. “It is not a technical risk,” Breitkopf notes. “The business can be massively affected, and that’s what we’re trying to prevent.”
  5. Remember, not everyone dealing with cybersecurity is a techie. But don’t let that be a deterrent. “If everyone leverages their networks, if we assign roles, and if we utilize existing regulations like NIS2, we know we can get where we need to be to best protect the company,” Breitkopf says.
  6. Cybersecurity is a team sport. “Everybody has their role, and we need a cooperative, blame-free culture,” the CTO explains. “We must openly talk about where things did not work and do so eye-to-eye in our teams.”

“Cybersecurity today is totally different compared to 10 years ago,” Breitkopf notes. “Geopolitics, technology, and GenAI make it much more dangerous, and this can break a company. But it is also a transformational topic for us: People have to use the technical solutions to make sure a company is protected and able to flourish. This is why cybersecurity is a transformative, board-level topic for us.”

She adds, “A transformation is always a journey, and it is about bringing technology and people together. What I believe—and my experience confirms this over and over—is people want to do the right thing. Therefore, in a transformation, we ask ourselves, ‘Where do we want to go, and with which solutions and tools do we want to go there?’ This helps us explain every step of the way and lets us take every step together. Moving people and technology in the same direction, that’s a transformation.”
