{"id":15419,"date":"2026-01-07T07:07:19","date_gmt":"2026-01-07T07:07:19","guid":{"rendered":"https:\/\/newestek.com\/?p=15419"},"modified":"2026-01-07T07:07:19","modified_gmt":"2026-01-07T07:07:19","slug":"8-things-cisos-cant-afford-to-get-wrong-in-2026","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15419","title":{"rendered":"8 things CISOs can\u2019t afford to get wrong in 2026"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Cybersecurity leaders have a lot to consider when trying to keep their organizations safe. But some things stand out more than others \u2014 or might be under the radar.<\/p>\n

As a new year dawns, here are some things CISOs should avoid falling short on in 2026.<\/p>\n

Get complacent about identity controls in the face of rising AI agents<\/h2>\n

The deployment of AI agents is growing rapidly, as enterprises look to take advantage of the automation and efficiency they offer. The global AI agents market size was estimated at $5.40 billion in 2024 and is projected to reach $50.31 billion by 2030, according to Grand View Research.<\/p>\n

The increased use of AI agents presents a cybersecurity challenge<\/a> for enterprises, especially in terms of identity controls<\/a>. Potential threats include identity spoofing and over-permissioned access. Cyber criminals can exploit agents through\u00a0prompt injection\u00a0or\u00a0malicious instructions\u00a0to bypass controls and gain unauthorized access to systems and applications.<\/p>\n

\u201cGet identity \u2014 including AI agents \u2014 right and you control who can do what at machine speed,\u201d says Morgan Adamski<\/a>, deputy leader for cyber, data, and tech risk at consulting firm PwC.<\/p>\n

\u201cAdversaries increasingly log in, not break in, and AI agents are now making real changes to systems and data,\u201d Adamski says. \u201cWhat leaders can\u2019t afford to miss is treating every human, workload, and agent as a managed identity, setting them up with their own accounts, phishing-resistant MFA [multi-factor authentication], minimum access for only as long as needed, passwords\/keys that change automatically, and monitoring for odd permission changes or hijacked sessions.\u201d<\/p>\n

Enterprises need to build AI-agent governance into everyday workflows,<\/p>\n

so that teams can move quickly without losing control, Adamski says. For example, require hardware-backed MFA for administrators, expire elevated privileges by default, and register each new agent as an application with its own policies.<\/p>\n

<\/em><\/p>\n

\u201cIdentity and access controls for AI agents and AI platforms are one of the most important areas of concern for CISOs,\u201d says Jason Stading<\/a>, director at global technology research and advisory firm ISG. \u201cRight now, permissions and access rights for AI are a black box in many areas. We will see a major push over the next couple of years for tools and methods for more transparency and control in this area specifically.\u201d<\/p>\n

Ignore increasingly complex supply chains<\/h2>\n

Supply chains have been a growing area of risk for enterprises, given the rise of digital business and the growing complexity of supply chains in today\u2019s global business market.<\/p>\n

This area is particularly important for companies in the manufacturing, retail, and logistics sectors. \u201cIn 2026, CISOs who overlook cybersecurity in complex supply chains and manufacturing environments risk catastrophic consequences,\u201d says Greg Zelo<\/a>, CTO of AMFT, a provider of metal products and components.<\/p>\n

\u201cModern manufacturing is no longer confined to a single plant; it\u2019s a web of interconnected suppliers, IoT [internet of things]-enabled machinery, and cloud-driven production systems,\u201d Zelo says. \u201cThis complexity creates an expansive attack surface where one weak link can cripple entire operations.\u201d<\/p>\n

Recent incidents underscore the stakes, Zelo says. For example, in September 2025, Jaguar Land Rover suffered a supply chain cyberattack<\/a> that halted production across the UK, Slovakia, India, and Brazil for weeks, costing an estimated $2.5 billion, he says. \u201cThe breach rippled through hundreds of suppliers, triggering layoffs and bankruptcies,\u201d he adds. \u201cThis wasn\u2019t just an IT failure; it was an operational crisis that exposed how deeply interdependent global manufacturing has become.\u201d<\/p>\n

Attackers increasingly target operational technology (OT) systems<\/a> that control robotics, assembly lines, and quality checks because halting production forces companies to pay ransoms quickly, Zelo says.<\/p>\n

\u201cBeyond financial losses, the risks extend to intellectual property theft, regulatory penalties, and national security concerns,\u201d Zelo says. \u201cFor CISOs, the lesson is clear: Traditional perimeter defenses are obsolete. Securing complex supply chains requires zero-trust architectures<\/a> across IT and OT environments, continuous monitoring of third-party risk, including firmware and software updates, rapid patching and segmentation to isolate critical systems, [and] incident response drills involving suppliers and contractors.\u201d<\/p>\n

Downplay escalating geopolitical tensions<\/strong><\/h2>\n

It\u2019s easy to imagine CISOs being so laser focused on protecting their organizations from external and internal threats that they take their eyes off geopolitical tensions. Or maybe they dismiss them as being irrelevant to the cybersecurity issues at hand for their organizations. Either way, it\u2019s a big mistake.<\/p>\n

\u201cBuilding systemic scenarios into organizational cyber resiliency plans is very important,\u201d ISG\u2019s Stading says. \u201cThis should include global developments and geopolitical friction that may affect the business.\u201d<\/p>\n

There is also an increasing push for industry-specific threat intelligence to give enterprises tailored indicators of compromise that might affect their business and their assets, Stading says. \u201cSome of this can stem from potential advanced, persistent threats from malicious nation-states.\u201d<\/p>\n

The increasing intersection of cybersecurity and geopolitics is a reality, says AJ Thompson<\/a>, chief commercial officer at IT consultancy Northdoor.<\/p>\n

\u201cCyber attacks via nation-state actors are part of much larger conflicts that target critical infrastructure and global supply chains,\u201d he says. \u201cFailure to incorporate geopolitical intelligence into threat modeling disproportionately exposes organizations to high-impact state-sponsored cyberattacks.\u201d<\/p>\n

In addition, unintended involvement in such events can also have severe regulatory and reputational consequences, Thompson notes.<\/p>\n

Be lax about organizational cloud use<\/h2>\n

As use of cloud services continues to increase, so do the security and privacy risks associated with the cloud<\/a>. If CISOs neglect this area of cybersecurity they risk exposing their organizations to attacks.<\/p>\n

\u201cThis is important for both cloud services and AI tools, which are often cross-pollinated with each other,\u201d Stading says. \u201cAppropriate and modern security awareness and training tied to roles and responsibilities is key, and it needs to factor in usage of AI tools and technologies that are so prevalent in the workplace now.\u201d<\/p>\n

There is often a lack of training and education for cloud administrators and engineers around proper cloud security practices and procedures, Stading says. \u201cTool adoption and usage is also a key area many cloud teams are trying to improve,\u201d he says. \u201cMany organizations have invested in security tooling for clouds that is underutilized.\u201d<\/p>\n

The traditional security perimeter no longer exists, \u201cespecially with multicloud adoption<\/a>,\u201d Thompson says. \u201cOrganizations relying on reactive cloud security often miss sophisticated threats.\u201d<\/p>\n

Proactive cloud security posture management (CSPM)<\/a> and clear user security guidelines are critical steps toward the prevention of costly breaches and operational disruptions, Thompson says. \u201cSafe user practices must be instilled continuously in order to minimize risks from human error in complex cloud environments,\u201d he says.<\/p>\n

Overlook growing compliance burdens<\/h2>\n

Some companies, particular in heavily regulated industries such as financial services and healthcare, have long faced the need to comply with data security and privacy regulations such as the Gramm-Leach-Bliley Act (GLBA)<\/a> and Health Insurance Portability and Accountability Act (HIPAA)<\/a>.<\/p>\n

But these days, just about every type of business has to comply with a growing number of data privacy and protection laws around the world. Overlooking or underestimating these regulations could lead to fines and other repercussions.<\/p>\n

\u201cIt\u2019s true that heavily regulated organizations take on a lot of extra overhead for compliance activities, and compliance fatigue is not unheard of,\u201d Stading says. \u201cBecause the CISO role has evolved over the past few years to take on more accountability and responsibility for compliance, CISOs really cannot afford to overlook or undervalue compliance efforts.\u201d<\/p>\n

CISOs at global enterprises in particular need to be up on the latest developments. \u201cThe regulatory landscape for cybersecurity in the UK and Europe is escalating rapidly,\u201d Northdoor\u2019s Thompson says. \u201cFrameworks such as the GDPR [General Data Protection Regulation] and DORA [Digital Operational Resilience Act<\/a>]\u00a0are setting new benchmarks that require organizations to demonstrate not only documented controls, but also empirically verifiable cybersecurity effectiveness.\u201d<\/p>\n

Regulators will want to see robust evidence that cybersecurity and operational resilience<\/a> are deeply embedded within all layers of business processes, rather than handled as a compliance checkbox, Thompson says.<\/p>\n

\u201cEqually important is the management of third-party risk<\/a>, for which regulators increasingly hold organizations accountable,\u201d Thompson says. \u201cAs supply chains become more complex and distributed, vulnerabilities from external providers represent serious compliance and security liabilities. Failure to integrate these regulatory expectations into security strategies proactively risks not just heavy financial penalties, but also operational disruption and lasting reputational harm.\u201d<\/p>\n