The 63rd annual Munich Security Conference convened earlier this month, bringing together more than 40 heads of state alongside government officials, academics and industry leaders to discuss the evolving global security landscape.
The conference operates under its long-standing principle: “Engage and interact with each other. Don’t lecture or ignore one another.” It is a forum built on dialogue, structured debate and consensus building – a format shaped by its Cold War origins, when it was established to prevent large-scale military conflict. Today, the risk landscape it addresses extends far beyond traditional defence domains.
Published ahead of the meeting, the 2026 Munich Security Report, Under Destruction, identifies cyber as one of the defining risks shaping the current geopolitical environment. Of the 11 countries surveyed, three – Germany, Japan and the UK – rank cyber above economic crises and Russia as the single most serious risk facing their country, compared to just one last year.
Even amid large-scale evacuations in southern Europe due to flooding, and wildfires battering southern US states, cyber risk is ranked higher than climate change and extreme weather events by the majority of polled countries. The report also highlights how disinformation campaigns and political influence operations are being used to destabilise institutions and erode social cohesion on a global scale.
Cyber risk is no longer simply another item on the security agenda; it has become a structural enabler of geopolitical instability. State-sponsored operations, cyber-enabled economic coercion and persistent intellectual property theft now sit alongside conventional military capabilities as instruments of national power. In this sense, cyber is not a standalone threat category but a force multiplier across almost every other risk discussed in Munich – from democratic resilience and supply chain security to defence readiness and economic stability. Recognising cyber as embedded within the architecture of strategic competition fundamentally changes the response required: it demands sustained capability building, institutional maturity and collective accountability.
There is now clear and growing recognition among governments and international bodies that cyber threats sit at the core of national security. For the profession, the Munich Security Report codifies what practitioners have long understood: cyber risk threatens individuals, businesses and democratic institutions on a global scale.
But acknowledging risk is not the same as building resilience.
Translating strategic concern into genuine readiness begins when delegates return home and turn policy into practice across government, industry and defence. Resilience will not be built through headline announcements or short-term injections of funding. It requires structural commitment.
Governments – often rightly focused on emerging technologies such as quantum and AI – must elevate cyber security further up the agenda. That means predictable, long-term fiscal commitment so national resilience can keep pace with the threats outlined in the Munich Security Report. Organisations, too, must treat cyber security as a core operational function, not a discretionary overhead.
However, cyber security cannot attract sustained investment unless the profession can demonstrate that it is mature, accountable and capable of delivering measurable outcomes. We must present a watertight case for long-term funding. That requires professionalisation: a coherent identity comparable to engineering or accountancy, where chartered status, structured development and clear standards anchor credibility.
Professionalisation means establishing a common body of knowledge, formal credentialing and mapped career pathways. It means defining competence in ways that boards, governments and international partners can understand and trust. Frameworks that articulate skills and knowledge requirements are an important step forward, including our own Skills and Knowledge Frameworks provide the beginnings of that structure, enabling employers and partners to assess capability and build structured routes to recognised professional status.
Professionalisation also underpins a second strategic imperative: attracting and retaining the best talent. High-performing individuals are drawn to sectors that offer recognised standards, transferable credentials and transparent progression. Without those anchors, cyber security risks losing skilled practitioners to fields that appear more stable or prestigious. Clear entry points, structured development and defined advancement pathways make cyber security a viable long-term profession, not a temporary technical role.
We must also widen the talent pipeline – recruiting individuals with adjacent skills will help to cast the net wider, while early engagement through education and outreach initiatives such as the CyberEPQ helps build awareness and cultivate the next generation of defenders.
By developing a thriving cyber security workforce grounded in clear standards, accredited pathways and demonstrable expertise, nations can begin to address the systemic vulnerabilities highlighted in Munich. Only then can we move from recognising cyber risk to building durable, collective security.
The conversations in Munich reflect a world in which cyber is no longer peripheral to security policy – it is central to it. The responsibility now lies with all of us to ensure that recognition translates into lasting capability.
