In many Western countries, 80–90% of all critical infrastructure is owned and operated by the private sector. The first line of defence often resides outside of the government and lands squarely on the shoulders of private industry. It is important to protect critical infrastructure (e.g. energy supply chains, transport, public health), since an unconventional attack by perpetrators of hybrid threats against any “soft target” could lead to serious economic or societal disruption. Particularly when securing a nation’s critical infrastructure and developing its resilience, shared responsibility between the public and the private sectors is a necessity, writes Jarno Limnéll, Professor of Cybersecurity at Aalto University.