Ole Willers: Cybersecurity is no longer only a technical problem – it is a systemic one

Cybersecurity has moved far beyond IT departments and firewalls. It is no longer a technical niche issue, but a fundamental foundation for our society.
In this ADD exit-article, Ole Willers explains why market failures, weak incentives and new EU regulation have turned cybersecurity into a core political, economic and societal challenge – and a necessary priority.

From cyber threats to system failure

Cybersecurity failures rarely feel abstract. They shut down hospitals, expose personal data and disrupt critical infrastructure.
Yet despite growing awareness, investments in cybersecurity continue to lag behind the threat:

“If we don’t have strong incentives for people not to go into cybercrime and at the same time still struggle in terms of securing our own systems while also increasing the attack surface, then we have a problem. And that is what we see.”

This is how Ole Willers described the situation when we met him in Copenhagen back in September for his EXIT-interview on the ADD-project.

According to Ole, this gap between the scale of the threat and society’s ability to respond is no coincidence. It reflects a deeper, structural problem.
What was once treated as a technical issue for IT departments has become a systemic challenge involving markets, regulation and political responsibility.

From niche issue to systemic challenge

Over the past few years, the cybersecurity landscape has changed significantly. Digital dependency has deepened across Europe and beyond. Homes today contain an average of 12 connected devices, often inexpensive products where security has not been a priority. Combined with the rapid growth in apps, online accounts and cloud services, the number of potential entry points for attackers has multiplied.

“The attackers have become much more professional. We see a lot more high-profile attacks, while we continue to add more things to the Internet. At the same time, we’ve had a revolution in AI that is adding to the attack surface,” Willers explains.

But at the same time, awareness of cybersecurity risks has increased, and that matters.

“Most attacks still originate with phishing and social engineering. By being aware that there is a risk, we reduce this likelihood of clicking – some research says up to 30% less likely to fall victim to an attack when you’re aware, so that is a good thing.”

Yet awareness alone cannot solve the problem. One of the core challenges is the international and transnational nature of cybercrime, which creates a persistent structural asymmetry between attackers and defenders.

“The former director of the CIA once said, on the internet we are all Poland. What he meant to imply was that geography doesn’t really speak to defense. It’s hard to defend an area like Poland, and at the same time it’s also very difficult to defend ourselves online,” Ole Willers says.

In cyberspace, attackers need only to succeed once, while defenders must succeed every time. This asymmetry makes cybercrime both hard to prevent and difficult to prosecute.

“According to research from the World Economic Forum, only 0.05 per cent of cybercrime incidents are prosecuted. That is nothing. And that is because it’s transnational crime and oftentimes these criminals are smart people. They are not placed in a country where you can cooperate with the police easily, either because the country doesn’t have the capacity or is not willing to cooperate.”

This figure further weakens deterrence and fuels criminal incentives, Ole Willers states.

A fragmented understanding of cybersecurity

When asked what can be done, Willers stresses that cybersecurity is not a single problem with a single solution. Different countries and political systems approach cybersecurity in fundamentally different ways.

“Think about cybersecurity as a technical problem to secure our technical systems. That is kind of the dominance still here. But it can also be understood as something that is more about the content of online information. That is more the perspective of a state like China, where these technical and content-related questions are closely interrelated.”

This lack of a shared understanding complicates international cooperation and makes it harder to develop coherent policy responses. But beyond geopolitical differences, Willers points to a deeper structural issue closer to home.

Big Tech and missing responsibility

Many of the most significant cyber incidents in recent years have been linked to vulnerabilities in systems supplied by large tech companies. Yet these companies often face limited consequences.

“A lot of the big cyber incidents we have had over the past years have been based on vulnerabilities in some of these systems supplied by big tech companies like Microsoft. And Microsoft does not face a lot of repercussions for that,” Willers says.

For him, this lack of accountability represents a major blind spot in current debates.

“We must think about ways through which we could make sure that big tech companies must also ensure the security of their customers.”

Discussions about Big Tech responsibility have begun, particularly in the United States, but remain marginal. Still, Ole Willers sees this as an essential next step if cybersecurity is to be addressed structurally rather than episodically.

Structural market failure

Responsibility, however, does not stop with Big Tech. Experience from recent years shows that the market cannot be relied upon to address cybersecurity risks on its own. Across sectors, companies have consistently underinvested in cybersecurity because the costs are immediate and visible, while the risks are uncertain and often externalised.

Ole Willers describes this as a structural market failure:

“It has been difficult for companies to justify investing in cybersecurity when concrete costs are weighed against potential losses that may never occur. This requires leadership with a deep understanding of the problem – and that understanding has often been missing.”

As a result, underinvestment in cybersecurity is not an isolated issue, but rather a systemic pattern embedded in existing market dynamics.

Cybersecurity must be rewarded in the market

The persistent underinvestment reflects a broader imbalance: while society benefits from strong cybersecurity, individual companies often bear the costs without receiving corresponding rewards. For many years, cybersecurity has been treated as an internal concern rather than a source of competitive advantage.

“For a long time, we had this problem that when you invest as a company to keep your system secure, it was mostly for your own good,” Willers explains. “The investments you must do on cybersecurity, you must put up against the potential cost that might not incur. So that is just from a decision-making point of view very difficult.”

This has left cybersecurity investments dependent on whether individual leaders are willing to prioritise long-term risk prevention over short-term costs. If cybersecurity is to become a strategic priority, it must be visibly rewarded in the marketplace, Ole Willers underlines.

Regulation as a turning point

It is precisely this market failure that has prompted stronger regulatory intervention from the European Union, pushing more companies and organizations to invest in stronger cybersecurity practices and management.

As Ole Willers puts it:

“The realization of the European Union over the last four or five years has been that we must address these market failures. We must make sure that good cybersecurity is rewarded in the marketplace, and we also must think more seriously about responsibilities.”

Initiatives such as the NIS2 Directive mark a shift from voluntary or fragmented approaches toward binding obligations. NIS2 makes cybersecurity a management responsibility rather than a purely technical issue. Organisations must implement governance structures, document their security practices and ensure that suppliers meet equivalent standards.

This has downstream effects across supply chains and creates new incentives.

“It is a real good incentive for a lot of companies to be able to document to their buyers, to their customers, that they have some good practices in place,” Willers notes.

From organisations to products

While NIS2 focuses on organisational responsibility, the Cyber Resilience Act extends regulation to digital products themselves.

“The Cyber Resilience Act is not so much looking at the organizational risk management measures but looks at the products that are being sold, the digital products.”

Willers illustrates the problem with a personal example:

“I destroyed my phone and wanted to buy the same model again. It worked perfectly. But I learned that it would stop receiving security updates next year. The phone is still fine, but without updates it becomes insecure.”

Under the new rules, manufacturers will be required to provide long-term security updates for products placed on the European market.

“This is something that sets a bar from the regulator to ensure that the companies that sell these products must take security seriously.”

Together, NIS2 and the Cyber Resilience Act signal a return of the state as an active market-shaper.

AI and the changing threat landscape

Any discussion of cybersecurity today inevitably involves AI. Its impact is profound, but its long-term consequences remain uncertain.

“One thing that is pretty safe to say is that AI is going to change things. The very difficult question is how it is going to change things.”

AI strengthens both sides. It helps defenders detect threats and respond faster, but it also enables attackers to personalise phishing, automate vulnerability scanning and lower barriers to entry.

“It’s a double-edged sword and what the outcome ultimately will be I don’t dare to say,” Willers says. “One question is how it affects directly how we do cyber security and how the attackers work and so on. Then there’s also the question about the cyber security of AI systems themselves. These are all questions that are very new and that we don’t really know about. We have to wait and see,” he says.

The risk that attackers could poison training data or manipulate model outputs adds yet another layer of complexity to an already challenging field.

A core issue in tech policy

Willers concludes by placing cybersecurity within a broader political context.

“Cyberwar used to be the big hot thing. Now it has become part of the larger agenda of tech policy: AI, big tech, digital sovereignty. Cybersecurity lies behind many of the major questions we face now.”

As digital dependency grows, cybersecurity becomes a foundation for how societies function and govern themselves. Yet keeping up remains difficult.

“It’s very, very difficult for policymakers to keep up and to have a proper democratic debate about these things.”

For too long, debates were dominated by narrow technical perspectives and a focus on cyberwarfare.

“That was not very productive in helping us to come to terms with the underlying problems here,” Willers says.

Looking ahead, he finds reason for cautious optimism.

“I think it’s exciting to look at cybersecurity, not as a freestanding issue, but more as something that lies behind some of the other big questions we have now, especially in relation to sovereignty issues.”

Cybersecurity beyond technology

Ultimately, Willers argues that cybersecurity must be understood as more than a technical problem.

“Cyber security is a technical issue, but it is so much more than that. Cyber security is an organizational question.”

It is about processes, people and strategy, from training employees to improving cooperation across supply chains. Treating cybersecurity purely as a cost to be minimised risks missing its strategic value.

“As we think about cyber security, we also must think about the human side of it. How is it that we can help our employees, for example, as a company, to be better at spotting these fishy emails that we get?” he explains.

If we rely on technical solutions, we overlook the human and organizational side. For Willers, the biggest shift companies must make is cultural – cybersecurity should be seen as an investment in resilience.
