Industry experts outline the risks that will shape business cybersecurity in 2026, and how organizations are preparing
The era of “prevent everything” is over.
In 2026, cybersecurity experts predict the sector will no longer be a technical problem to be contained, but a business risk to be managed. Breaches are inevitable, supply chains are porous and identity — human and machine — has become the defining attack surface.
We heard from CISOs, security strategists and field leaders to understand what’s coming. Their predictions converge on four priorities: building resilience into crisis planning, hardening software supply chains against precision attacks, unifying security across converging categories and adapting to regulators who now demand evidence — not just intent. Here’s what they see coming.
When breaches become business crises
Simon Hodgkinson, Strategic Advisor, Semperis; former BP CISO
“The focus needs to shift from prevention to resilience. Given the impact cyberattacks have on businesses, organizations need proper crisis and risk management. We’re no longer dealing with ‘cyber crises’, we’re dealing with full-blown business crises.”
Dan Lattimer, Area VP EMEA West, Semperis
“Board members have a much better and more nuanced understanding of cybersecurity and the potential impact of incidents. But because they understand the risk, they are also more willing to accept that you cannot reduce the risk level to zero and as a result, cybersecurity spend will likely only increase marginally.”
Chris Harris, EMEA Technical Director, Cybersecurity Products, Thales
“Quantified risk management frameworks such as FAIR are becoming more mainstream. AI can now help do these calculations, so you don’t necessarily need a full team of risk engineers anymore. Alongside this, resilience may become more regulated, with stricter requirements that would push organizations towards more evidence-backed recovery plans, tested processes and measurable response capabilities.”
The code you didn’t write
Conor Sherman, CISO in Residence, Sysdig
“Supply chain security will be a material budget item in 2026. As agentic coding assistants take on a larger role in software development, risks in third-party packages are amplified: a single exploited dependency can cascade through an automated system with outsized impact. AI-generated code, prone to issues like hallucination and bloat, only makes these weak links even more dangerous.”
Simon King, Head of Information Security, Infinigate Group
“In 2026, software supply-chain attacks will evolve from mass exploitation to precision targeting. Adversaries contribute legitimate code to open-source projects, build trust within developer communities and wait for the right moment to strike. Trust will become an increasingly exploited vulnerability. Organizations must verify not just who accesses their systems but what code they run. Knowing the origin, integrity and build process of every component will become a baseline requirement.”
Who goes there?
Ev Konstevoy, CEO, Teleport
“Identity-related cybersecurity categories are converging. Organizations will stop deploying security strategies for classes of identities and will instead start to tackle identity types in a unified way. The responsibility for securing computing infrastructure requires that engineering join IT in guarding organizational infrastructure.”
Keith McCammon, Cofounder, Red Canary
“In 2026, zero trust principles will shift from ambition to necessity. Companies will start operationalizing zero trust principles in focused, tactical ways. Organizations will stop seeing zero trust as an all-or-nothing overhaul and start treating it as a journey that builds resilience one layer at a time. Even partial adoption can significantly reduce risk, cost and noise when done deliberately.”
Douglas Murray, CEO, Auvik
“The assumption that traditional perimeters and signature-based controls are adequate will continue to break down. Organizations will need to shift from static defenses to posture-aware, behavior-based detection and continuous validation of AI-enabled services.”
Simon King, Infinigate Group
“In 2026, cybersecurity budgets are set to undergo a fundamental change driven by regulatory pressure, technological advances and the evolving threat landscape. Companies will move away from rigid contracts and expensive individual tools toward flexible, AI-supported solutions. Security spending remains stable at 10–15% of overall IT budgets, making intelligent allocation critical.”
Threats from within, pressure from above
David Higgins, Field CTO, CyberArk
“In 2026, the insider threat will shift from disgruntled employees to staff tempted by direct financial incentives offered by cybercriminal groups. The traditional view of the ‘malicious insider’ as a lone, disgruntled actor is being replaced by financially motivated insiders, sometimes acting in concert with organized cybercrime.”
Scott Bridgen, GM Risk & Audit, Diligent
“There’s no doubt that the EU’s Digital Operational Resilience Act (DORA) is a priority for financial entities. Compliance teams are under mounting pressure to move from box-ticking to demonstrating true resilience. The agenda will move from awareness to accountability.”
Seeing through the noise
Mark Coates, Vice President EMEA, Gigamon
“In 2026, network and application metadata will move from a supporting signal to a central source of clarity for security teams. Metadata fills the gap left by traditional sources, giving analysts the context they need to reveal suspicious behavior with far greater precision. Organizations that capture and analyze metadata will operate with a clear advantage.”
Mandy Andress, CISO, Elastic
“The cybersecurity landscape is going to get tougher before it gets better, but we are reaching a turning point. AI-driven systems will increasingly be trusted to take action in real time, isolating a system under attack, proactively protecting the organization, rather than just reacting. Behavioral analytics will play a critical role, helping teams detect anomalies and understand patterns of risk across users, devices and applications.”