Something is happening in Ticino. For the second time in just a few weeks, the canton hosted a gathering dedicated specifically to CISOs and information security professionals — a concentration of senior security leadership that would not look out of place in Zurich or Milan, appearing instead in a corner of Switzerland that is often overlooked in conversations about the regional security community. The signal is worth noting: the scene here is active, connected, and growing.
The event in question was Supply Chain & Third Party Risk, held on 6 May at the lastminute.com offices in Chiasso — a fitting venue for a discussion about extended enterprise risk, hosted by an organisation that lives the complexity of a distributed digital supply chain every day. The event was small by design: roughly fifty participants, by invitation only, drawing CISOs, Security Managers, SOC Managers, and IT leaders with security responsibilities from both sides of the border — Italian companies and Swiss organisations operating across the same linguistic and cultural region. The intimacy was deliberate and productive.
Two Countries, Two Regulations, One Set of Challenges
The room in Chiasso was genuinely cross-border. Participants came from Italy and Switzerland — two countries that share a language in this corner of the Alps but operate under distinct regulatory regimes for cybersecurity. Italian organisations in scope for NIS2 are now subject to mandatory obligations for supplier due diligence, incident notification within tight timeframes, and board-level accountability for security governance. Swiss organisations sit outside the EU framework and face a different set of requirements under Swiss law — the revised ISG, FINMA circulars for the financial sector, and the incoming cyber products legislation currently in development. Neither framework is identical to the other, and the details matter.
Yet the operational challenges the room was discussing were functionally the same: how do you assess the security posture of a supplier you depend on but cannot audit directly? How do you contractually enforce standards that your counterpart's regulator may not require? How do you respond when a third party in your supply chain becomes the entry point for an incident that is now yours to manage? The regulatory label on the risk changes depending on which side of the border you sit on. The risk itself does not. That convergence — two regulatory realities, a shared threat landscape, and the practical need to secure supply chains that cross the border in both directions — turned out to be one of the most generative tensions in the room. People were not talking past each other; they were comparing notes on how different compliance starting points lead to the same operational headaches.
The Six Mentors
The event's interactive sessions were structured around six Cyber Mentors, each guiding a breakout table through the afternoon's crisis simulation. The mentors brought a cross-section of the kind of security leadership that is rare to find concentrated in a single room: Andrea Fumagalli (Head of Cyber Tech, Digital Club/Cyber), Giampiero Zanvettor (CISO, ACI Global Servizi), Giorgio Penna (Group CISO, Unoenergy), Ivan Grumelli (IT Director, Dussmann Service Italia), Nicola Querciagrossa (CISO, Life Elettronica), and Paolo Vassallo (Director Risk, Information Security and Audit, lastminute.com). Each mentor brought not just a job title but a specific sector perspective — energy, logistics, financial services, technology — which shaped how each table approached the same underlying scenario.
The CISO Game
The centrepiece of the afternoon was the CISO Game: five parallel breakout rooms, each with a table of CISOs and security leaders, one mentor, and a guided crisis scenario designed to unfold across four decision points. The concept is deceptively simple and genuinely demanding.
The scenario presented a supply chain incident — the kind that starts as an ambiguous signal and escalates in ways that depend entirely on the decisions taken in the first hours. At each of the four stages, the group was presented with a set of options and required to reach a consensus before the scenario could advance. The choices were not technical puzzles with objectively correct answers. They were leadership decisions with real organisational, legal, and reputational dimensions. The first decision our table faced: does the board get informed immediately, or do you wait until you have enough information to present a coherent picture? There is no wrong answer. There is no right answer. Each choice opens a different path, and the scenario tracks the consequences accordingly.
With four decision points and branching outcomes at each stage, the simulation contains thirty-two possible paths through the crisis. Each path is a plausible version of how a real incident could unfold depending on the judgment calls made under pressure. The structure means that two tables running the identical opening scenario can end up in entirely different places by the final stage — not because one group made mistakes, but because different reasonable people, applying different mental models and different institutional instincts, make different defensible calls.
Two Hours at the Table
Our group, guided by Ivan Grumelli, did not move quickly. We spent nearly two hours on a scenario that some tables may have completed in less time — not because we were indecisive, but because the quality of the disagreement was too good to shortcut. The table included people from different countries, different industries, different regulatory frameworks, and significantly different career backgrounds. A CISO who has spent fifteen years in financial services has a deeply different instinct about board communication than someone who has come up through operational technology environments. Both instincts are valid. Both are shaped by real experience of what has worked and what has failed.
The decision about board notification — to use the first question as an example — generated a discussion that touched on FINMA notification timelines, NIS2 Article 23 obligations, the practical difference between informing the board and alarming the board, the risk of premature disclosure driving unhelpful board interventions during active containment, and the countervailing risk of being seen to have withheld material information if the incident subsequently escalated. These are not abstract governance debates. They are the conversations that happen — or fail to happen — in real organisations during real crises. Practising them in a room where disagreement is safe, where the consequences are fictional, and where a mentor is present to surface the considerations that get lost under pressure, is considerably more valuable than any presentation on incident response best practice.
The moment the scenario concluded and our table compared notes with others was its own reward. Different groups had made different calls at the same junctures and arrived at different places. Hearing the reasoning behind another table's choices — and recognising that their logic was coherent even where it diverged completely from ours — was a useful corrective to the assumption that any single organisation's approach represents a standard.
Why This Format Works
The case for simulation-based learning in security leadership is not new, but it is underused. Tabletop exercises within a single organisation are valuable; cross-organisational simulations that mix senior leaders from different sectors, regulatory contexts, and national backgrounds are rarer and more valuable still. The CISO Game format achieves something that neither a conference panel nor an internal tabletop can easily replicate: it creates the conditions for genuine peer disagreement between people who have no stake in each other's organisational politics, and it forces that disagreement to resolve into a decision that has consequences, even fictional ones.
The value is not in arriving at the right answer. The value is in discovering how differently a room full of experienced, capable security professionals reasons about the same problem — and in building the conversational muscle to navigate that diversity of judgment under time pressure.
Key Takeaway
Two countries, two regulatory frameworks, one set of challenges. The security community in Ticino and the Italian-Swiss border region is more active than its profile suggests, and events like this one — small, curated, genuinely cross-border — are doing something that larger conferences cannot: putting senior security leaders from different national contexts in a room where they must debate, disagree, and decide together. The regulatory gap between NIS2 and Swiss law is real, but the CISO on either side of the border is solving the same supply chain risk problem. The CISO Game format, with its branching scenarios and enforced consensus, is one of the most effective peer learning tools available. If your organisation has not run one internally, it should. If your CISO has not sat at a table with peers from outside their sector — and from outside their regulatory context — and been forced to agree on a crisis decision under pressure, that is a gap worth closing.