Leading Security Beyond Compliance: Lessons from Dr. Daniel Schatz

January 30, 2026

Dr. Daniel Schatz’s interest in cybersecurity grew from an early curiosity about how IT systems work and how they can be broken. His academic background in cybersecurity and IT law informs a pragmatic approach to security leadership, focused on translating technical risk into business-relevant decisions. Today, he is Chief Information Security Officer at QIAGEN, a global life-sciences company providing technologies for molecular diagnostics and research. After holding senior security roles at Thomson Reuters, serving as CISO at the digital media company behind DAZN, and acting as an advisory member to the European Union Agency for Cybersecurity, Dr. Schatz shares his perspective on today’s most urgent cyber threats and on how organizations can move beyond compliance to build pragmatic, business-aligned security cultures.

Was there a defining moment that sparked your interest in cybersecurity, and what keeps you committed to the field?

There wasn’t a single dramatic defining moment. I grew up around IT and was always deeply curious about how systems work and equally about how they can be made not to work or how intended behavior can be bypassed. Over time, that curiosity naturally drew me into information and IT security. What continues to motivate me today is that cybersecurity combines complex technical problem-solving with very real business and societal impact.

Which three threat trends do you currently consider most urgent, especially in a global life sciences company like QIAGEN?

It is difficult to attribute these trends to a single industry, as in the context of security awareness they span many sectors. From my perspective, the most urgent threats are: First, AI-augmented phishing. We are seeing a massive increase not only in the volume but also in the quality of phishing emails. Language, context, and personalization have improved so much that many messages are now extremely difficult to distinguish from legitimate communication.

Second, automated exploitation and MFA bypass. Historically, getting a user to click was relatively easy, but exploiting that click at scale was harder. AI now automates not just credential theft but also token abuse, making multi-factor authentication bypass more feasible and scalable.

Third, voice and emerging video impersonation. We already see regular incidents involving highly convincing CEO voice cloning via phone or voice messages. Fully AI-generated video avatars for video calls are technically possible today and improving rapidly. At the moment, this is mainly relevant for very high-value targets, but the barrier is dropping quickly.

You bring experience from life sciences, digital media, and financial information services. Which sectors do you currently see as most exposed to cyber risks, and where do you see gaps in cybersecurity maturity?

Some sectors are both highly exposed and relatively mature in their defenses. Financial services, such as banks and insurers, as well as defense contractors, fall into this category. High regulatory pressure and strong customer expectations have forced them to invest early and heavily in cybersecurity. On the other hand, there are sectors where cybersecurity is still underestimated. Healthcare, broadly defined, is a major example. Hospitals and care providers understandably prioritize patient care over security spending, and patients do not choose providers based on cybersecurity. As a result, leadership often underinvests until a serious incident forces a change.

Other margin-driven sectors, including manufacturing or retail, see security as a cost rather than an enabler. They also frequently rely on legacy operational technology environments that are difficult and expensive to secure. The general pattern is that where regulation and direct revenue risk force investment, security maturity is higher. Where margins are tight and customers do not explicitly reward security, it tends to lag.

When you talk about such security maturity, which KPIs do you typically look at to evaluate this maturity?

When assessing security maturity in the context of security awareness, I focus on a small set of KPIs that serve as indicators of cyber awareness, while recognizing that none of them are perfect on their own. First, phishing reporting behavior is a key signal: how many users report simulated phishing attempts and how quickly suspicious messages are escalated, with speed often being as important as volume. Second, phishing simulation results, such as click rates or credential submissions, help track awareness over time, ideally segmented by risk group. Third, incident handling metrics provide an indirect awareness indicator, including the time needed to detect and contain human-driven incidents like social engineering or CEO fraud.
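To make the awareness KPIs above concrete, here is an added example (not from the interview or QIAGEN) that computes click rate, reporting rate and median time to report per risk group from a constructed phishing-simulation log, since the answer stresses that speed matters as much as volume; the group names and event data are assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed sample from one simulated phishing campaign (not real data).
# Times are ISO strings; None means the user did not click / did not report.
SIMULATION = [
    {"user": "u1", "group": "finance", "sent": "2026-01-12T09:00", "clicked": None, "reported": "2026-01-12T09:04"},
    {"user": "u2", "group": "finance", "sent": "2026-01-12T09:00", "clicked": "2026-01-12T09:02", "reported": None},
    {"user": "u3", "group": "finance", "sent": "2026-01-12T09:00", "clicked": "2026-01-12T09:03", "reported": "2026-01-12T09:10"},
    {"user": "u4", "group": "finance", "sent": "2026-01-12T09:00", "clicked": None, "reported": None},
    {"user": "u5", "group": "lab", "sent": "2026-01-12T09:00", "clicked": None, "reported": "2026-01-12T09:30"},
    {"user": "u6", "group": "lab", "sent": "2026-01-12T09:00", "clicked": None, "reported": "2026-01-12T09:45"},
    {"user": "u7", "group": "lab", "sent": "2026-01-12T09:00", "clicked": None, "reported": None},
    {"user": "u8", "group": "lab", "sent": "2026-01-12T09:00", "clicked": None, "reported": None},
]

def _minutes(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def awareness_kpis(rows):
    """Per risk group: click rate, report rate, median minutes to report, clicked-but-reported count."""
    by_group = {}
    for r in rows:
        by_group.setdefault(r["group"], []).append(r)
    out = {}
    for group, members in by_group.items():
        n = len(members)
        clicked = [m for m in members if m["clicked"]]
        reported = [m for m in members if m["reported"]]
        latencies = [_minutes(m["sent"], m["reported"]) for m in reported]
        out[group] = {
            "click_rate": len(clicked) / n,
            "report_rate": len(reported) / n,
            # speed signal: how long until the security team hears about the message
            "median_report_minutes": median(latencies) if latencies else None,
            # users who clicked but still reported: the click was bad, the report still helps
            "clicked_then_reported": sum(1 for m in clicked if m["reported"]),
        }
    return out

def slowest_group(kpis):
    """Group with the highest median report latency, among groups that reported at all."""
    reporting = {g: k["median_report_minutes"] for g, k in kpis.items() if k["median_report_minutes"] is not None}
    return max(reporting, key=reporting.get) if reporting else None

if __name__ == "__main__":
    for group, k in awareness_kpis(SIMULATION).items():
        print(group, k)
```

In the sample both groups report at the same rate, yet the lab group reports far more slowly, which is exactly the difference a volume-only metric would hide.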

Considering that these KPIs presuppose some level of awareness, how do you determine the right balance between awareness initiatives, technical security controls, and threat hunting activities?

Order matters more than any individual measure. First, fundamentals and security hygiene must be in place. Organizations need to understand their vulnerabilities and have structured, repeatable processes to remediate critical issues. Basic controls such as endpoint protection, logging, backups, access control, and patching must not only exist but actually work and be monitored. The goal is to reduce noise so teams are not constantly firefighting. Second, security culture and awareness can be built once these basics are stable. If an organization is dealing with ransomware incidents every other week, awareness messaging will lose credibility. People need a stable environment to absorb and apply training.

Third, advanced capabilities such as threat hunting make sense only once the foundation is solid. Threat hunting without hygiene is like standing in a burning house and looking for the next flame instead of installing smoke detectors and fire doors. Once the base is secure and people understand the risks, proactive hunting becomes meaningful. Technologies like firewalls and MFA belong in the first steps, but how they are introduced must be pragmatic and business-aware.

What does a pragmatic, business-aware introduction of cybersecurity awareness look like in practice, particularly in QIAGEN’s case with highly specialized, non-technical environments such as R&D or laboratory settings?

Cybersecurity awareness must move beyond compliance by using it as an opportunity to build culture, not as a one-off requirement. A CISO should first meet people where they are, recognizing different levels of cyber literacy and using that as a starting point rather than overwhelming teams with technical detail. The initial focus should be on business purpose and a business-aligned security strategy, framing cybersecurity through concrete questions such as how quickly a cyber incident could disrupt core revenue streams or critical research, or compromise intellectual property, rather than through purely technical explanations. Over time, this approach allows a security culture to develop gradually, helping teams understand which vulnerabilities exist, how they are being addressed, and why specific measures matter, without losing engagement through excessive technical depth.

Crucially, the approach must fit the corporate culture. In more conservative environments like QIAGEN, a structured and careful communication style is more effective. At DAZN, a digital media company, I found that a more informal and agile approach connected better with teams and led to stronger engagement. Adapting the security culture to the organization’s corporate identity is therefore key to making cybersecurity awareness sustainable and truly embedded in everyday decision-making.

Can you tell us a bit about your experience as an advisory member to the European Union Agency for Cybersecurity (ENISA)? Where do you see the largest gap between EU cybersecurity regulation and the real security posture of companies?

Speaking in a personal capacity, not on behalf of ENISA, the largest gap I see is between the ambition and scope of EU regulation and the actual starting point of many organizations that now fall under it. Taking NIS2 as an example, in Germany alone tens of thousands of companies, many from the “Mittelstand”, are newly in scope. A large share of them have solid IT teams that try to protect the revenue stream but no dedicated security function and are still far away from the maturity level the regulation ultimately expects.

A second major gap lies in how regulation is translated into practice. A common pattern is that IT teams read a requirement such as “use MFA,” select a technical solution, and roll it out very quickly. This can disrupt business operations, trigger leadership pushback, and reinforce the perception that security is purely obstructive. Most regulations do not demand reckless speed; they demand outcomes. The missing piece is often a business-aware implementation that balances security goals with operational reality. Finally, there is a strong human and cultural gap. Regulations can mandate that awareness training exists, but they cannot ensure that it is meaningful or embedded in everyday behavior. There is often a missing translation layer between legal text, technical controls, and how people actually work.

This gap between regulation, technical controls, and everyday behavior ultimately puts a lot of responsibility on leadership. Looking back on your own journey, which leadership lesson did you learn the hard way as a CISO?

Executives do not share a passion for technical detail. Early in my career, I spent too much time explaining how controls worked instead of focusing on what leadership needed to steer the company. Shifting to a business-risk perspective made conversations far more productive. Additionally, fundamentals always come first. It is tempting to chase advanced capabilities, but weak basic security hygiene will constantly pull you back into firefighting. Getting the basics to a “good enough” level creates the breathing room for strategic work and more mature leadership discussions.

Thank you, Daniel, for sharing your experience and thoughtful perspective on navigating today’s cyber threats and leading security in a way that is both pragmatic and business-aware.
