{"id":15538,"date":"2026-01-23T19:06:00","date_gmt":"2026-01-23T19:06:00","guid":{"rendered":"https:\/\/newestek.com\/?p=15538"},"modified":"2026-01-23T19:06:00","modified_gmt":"2026-01-23T19:06:00","slug":"the-cybercrime-industry-continues-to-challenge-cisos-in-2026","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15538","title":{"rendered":"The cybercrime industry continues to challenge CISOs in 2026"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Cybercriminals have built structured criminal groups with an organizational model similar to that of a legitimate business. \u201cCybercrime has become industrialized, a return on investment (ROI)-oriented economy, focused on speed and monetization,\u201d according to Martin Zugec, Bitdefender\u2019s director of technical solutions.<\/p>\n<p>Zugec explains that this modus operandi of cybercriminal groups is characterized by a high degree of specialization, which includes initial access brokers or <a href=\"https:\/\/www.csoonline.com\/article\/559049\/ransomware-as-a-service-fuels-explosive-growth.html\" target=\"_blank\">ransomware-as-a-service <\/a>(RaaS) affiliates. \u201cToday, sophistication is not measured by the complexity of the tools, but by the simplicity and speed of the execution chain,\u201d says Zugec.<\/p>\n<p>This change requires a shift from a threat detection-based approach to one focused on prevention. \u201cDetection has become a commodity that attackers routinely evade so organizations must go beyond reactive monitoring,\u201d says Zugec. 
\u201cThe goal should be to break attackers\u2019 playbooks and make internal environments inherently hostile to them through proactive hardening that eliminates the operational space they need to succeed.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><strong>The business of cybercrime isn\u2019t new<\/strong><\/h2>\n<p>\u201cCybercrime has been operating as an industry for years, meaning it has become professionalized and attacks have been modularized,\u201d says Guillermo Fern\u00e1ndez, director of sales engineering for southern Europe at WatchGuard Technologies.<\/p>\n<p>In practice, this means that it is no longer necessary for a single attacker to know how to do everything, but rather that the crime is divided into specialties (some steal and resell credentials, others develop and maintain ransomware, others provide infrastructure and negotiation, etc.) and <a href=\"https:\/\/www.csoonline.com\/article\/4096263\/alliances-between-ransomware-groups-tied-to-recent-surge-in-cybercrime.html\" target=\"_blank\">all of this is packaged into models as a service<\/a>, as we see in the case of ransomware-as-a-service. \u201cThis lowers the barrier to entry and reduces the cost of attacking, which explains why we are seeing more and more campaigns and higher volumes,\u201d says Fern\u00e1ndez.<\/p>\n<p>In addition, AI helps accelerate the scale and sophistication of some phases or tasks, such as reconnaissance, personalization of deceptions, or automation of parts of the process.<\/p>\n<p>How big is it? \u201cThe global economic impact of cybercrime is close to $10 trillion. If it were a country\u2019s economy, it would be one of the three world powers, behind only the United States and China. For organizations, this means that it is not enough to react to incidents. 
Defense must take the same business approach: anticipation, risk management, operational continuity, and resilience by design,\u201d says Juan Francisco Moreda, director of \/fsafe, Fibratel\u2019s cybersecurity unit.<\/p>\n<p>As a result, cybercrime has become a fully industrialized criminal economy, according to Moreda. \u201cToday we are talking about highly specialized organizations, with as-a-service models (ransomware, phishing, malware), their own supply chains, and a clear focus on profitability and scalability.\u201d<\/p>\n<p>That is why Mart\u00edn Trull\u00e1s, director of Advanced Solutions at Ingram Micro Spain<strong>,<\/strong> believes that cybercrime operates with well-organized structures, different professional profiles in its ranks, short- and long-term objectives, and financing that allows it to improve its model with new technology and new strategies to achieve the success of its operations.<\/p>\n<p>\u201cCybercriminals are no longer isolated individuals with computer skills and a desire for quick and easy money, but actors who, in some cases, appear to have state support to use them as part of a struggle that transcends the economic and digital spheres and often enters the realm of geopolitics.\u201d<\/p>\n<p>However, in his opinion, there are still simple gangs of cybercriminals whose goal is money or data, which they then turn into profit by reselling it to third parties. \u201cWhat\u2019s happening is that they now have better access to more powerful technologies with which they can streamline their operations, attacking with greater speed and in a massive and scalable way. 
This changes the approach to cyber defense: we can no longer be reactive, equipping companies and users with different levels of \u2018shields\u2019 and sitting back to wait for the attack to repel it, but rather we must take action,\u201d Trull\u00e1s adds.<\/p>\n<p>That is why Trull\u00e1s believes that the best cyber defense strategy must combine passive security with active monitoring of the entire digital ecosystem of the company or user, to reduce the time taken to detect and respond to an incident to limit damage.<\/p>\n<h2 class=\"wp-block-heading\" id=\"evolution-of-the-security-strategy\">Evolution of the security strategy<\/h2>\n<p>Alessandro Armenia, global head of cybersecurity at ReeVo, believes that three key aspects are emerging in the current landscape: \u201cFirst, attacks are no longer isolated events, but coordinated, in some cases automated, operations that often originate within the organizations themselves, for example, due to human error or exposed credentials. Second, the time factor plays a decisive role: even today, many companies realize they are under attack when it is already too late. Finally, the attack surface is growing faster than companies\u2019 ability to manage it.\u201d<\/p>\n<p>As a result, the defense strategy must also evolve. \u201cIt can no longer be based solely on compliance or one-off interventions, but must be continuous, structured, and resilience-oriented,\u201d Armenia explains.<\/p>\n<p>And that\u2019s despite the fact that companies have the necessary tools to manage their attack surface. \u201cWhere they often fail is in the governance model: cybersecurity continues to be approached as a series of isolated compliance exercises over time, and it is precisely in the gaps between one exercise and another that the attacker manages to infiltrate and carry out the attack.\u201d<\/p>\n<p>Because the reality is: an IT outage becomes a serious problem when the company does not have a plan. 
\u201cA prepared organization, with defined and tested procedures, is able to recover in a matter of minutes; those that are not prepared run the risk of losing hours, days, and, in some cases, their reputation,\u201d Armenia concludes.<\/p>\n<p>As a result, cybercriminals now have organizational models similar to those of companies. \u201cYou can see that there are different types of profiles in these groups, depending on the size of the organization, from the more technical ones, who work in a coordinated team, to the more commercial ones, who are in charge of dealing with victims when negotiation is necessary,\u201d warns David Sancho, senior threat researcher at Trend Micro.<\/p>\n<p>Furthermore, Sancho explains that they often also have people who are responsible for selling the product created to partners or customers, which in the business world would correspond to the channel or the marketing. This is already a reality.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"established-groups\">Established groups<\/h2>\n<p>Abraham V\u00e1zquez, pre-sales engineer at Infinigate Iberia, gives examples such as the DragonForce or Anubis groups<em>, <\/em>which \u201coperate as genuine criminal service providers, offering infrastructure, management panels, technical support, and different extortion models. It is a highly fragmented ecosystem, but at the same time very resilient, capable of adapting and regenerating quickly.\u201d<\/p>\n<p>This leads him to conclude that the main implication for defense is that it is no longer enough to react to the final attack. \u201cIt is necessary to disrupt the entire criminal chain, reinforcing identity as a central pillar of security, prioritizing proper credential hygiene, greater telemetry capabilities, and rapid containment mechanisms that limit the impact from the early stages of the attack,\u201d V\u00e1zquez adds.<\/p>\n<p>And the outlook is not promising. 
\u201cAccording to the World Economic Forum, the cybercrime economy will continue to grow, reaching <a href=\"https:\/\/www.weforum.org\/press\/2023\/01\/unchecked-cyberattacks-are-growing-threat-to-fragile-global-economy\/\">$23 trillion by 2027<\/a>. Industrialized ransomware, automated fraud networks, and converging crime models will drive this growth,\u201d says Gorka Sainz, director of systems engineering at Fortinet Iberia.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-role-of-ai-and-automation\">The role of AI and automation<\/h2>\n<p>\u201cAI is the new fuel for the criminal economy. It allows them to scale attacks as if they were marketing campaigns,\u201d argues Salvador S\u00e1nchez Taboada of CyberProofUST.<\/p>\n<p>A glance at the business landscape is enough to see that artificial intelligence has become a real multiplier of scale for the criminal economy, enabling the generation of highly granular and personalized phishing campaigns on demand, as Abraham V\u00e1zquez argues. \u201cThis includes everything from deepfakes of executives to increasingly evasive malware, supported by tools such as WormGPT or FraudGPT. Thanks to these capabilities, attacks are more credible, difficult to detect, and easy to replicate.\u201d<\/p>\n<p>As an example, CrowdStrike\u2019s Threat Hunting <a href=\"https:\/\/www.crowdstrike.com\/en-us\/resources\/reports\/threat-hunting-report\/\">report<\/a> 2025 reveals how cybercriminals are targeting the tools used to build AI agents. 
\u201cTheir goal is to gain access, steal credentials, and deploy malware, highlighting how autonomous systems and non-human identities are a key part of today\u2019s enterprise attack surface and a growing enabler of large-scale automated attacks,\u201d says \u00c1lvaro del Hoy, technology strategist at CrowdStrike.<\/p>\n<p>In addition, criminal groups are integrating generative AI directly into ransomware, \u201cusing it to automatically create variants and optimize processes such as executing attacks, negotiating with victims, and extortion strategies,\u201d says Abraham V\u00e1zquez.<\/p>\n<p>On the other hand, automation is key to streamlining access, lifecycle, and permission processes, says Albert Barnwell, director of sales for Iberia at CyberArk, who also recognizes that attackers seek to exploit identities and privileges at scale.<\/p>\n<p>\u201cThis means that offensive automation allows cybercriminals to move faster and exploit compromised identities without friction. Thus, organizations must respond with defensive automation, especially in the management of identity lifecycle, permissions, and rights,\u201d Barnwell adds.<\/p>\n<p>We are already reaching a point where the entire attack cycle can be automated through orchestration: agents who investigate a company and its employees (including social media footprints, interests, and potential weaknesses), others who generate highly targeted and convincing phishing, and chains that lead to malware infection, according to Guillermo Fern\u00e1ndez. \u201cFrom there, the malware itself can learn about the environment and find out what tools and defenses are in place within the company in order to adjust its technique and maximize its impact,\u201d he says.<\/p>\n<p>And this doesn\u2019t stop at initial access, as even extortion can be automated. 
It is even possible for the ransom negotiation to be carried out by a bot that adapts its discourse and conditions based on the responses to squeeze out the payment.<\/p>\n<p>Martin Zugec says AI is not a magic bullet for attackers. While it has significantly helped to scale social engineering attacks, removing language barriers and improving the quality of decoys, these tools are not particularly useful for the heavier work of an intrusion.<\/p>\n<p>\u201cWe see very little evidence that AI is successfully replacing human expertise in vulnerability research or exploit development. The RaaS ecosystem relies on trust and human ingenuity. The main drivers of successful attacks continue to be hackers and affiliates who operate manually and navigate complex networks. The question is not what AI is capable of doing in theory, but whether it makes sense from an economic standpoint. For a professional threat actor, the cost of managing, adjusting, and securing an AI framework often outweighs the efficiency gains over traditional and proven hacking techniques,\u201d Zugec elaborates.<\/p>\n<h2 class=\"wp-block-heading\" id=\"main-threats-and-attack-vectors-in-2026\">Main threats and attack vectors in 2026<\/h2>\n<p>The current geopolitical context does not invite optimism either. Carlos Casta\u00f1eda-Marroquin, head of pre-sales and business development at Serval Networks, believes that \u201cin 2026, we will see an increase in hybrid threats driven by geopolitical tensions, where cyberspace is used as an extension of economic and strategic conflicts between states and related groups. 
This will translate into espionage, digital sabotage, and disinformation campaigns targeting both critical infrastructure and key industrial sectors.\u201d<\/p>\n<p>The theft of credentials and tokens, the use of infostealers, or the abuse of valid access, combined with a greater emphasis on malware-free techniques and hands-on-keyboard activity, have been gaining ground in recent months, according to David L\u00f3pez Garc\u00eda, director of operations at Factum. All of this leads, in many cases, to system intrusions that evolve into ransomware and extortion, with increasingly shorter, more automated attack cycles that are clearly aimed at operational and economic impact.<\/p>\n<p>L\u00f3pez Garc\u00eda also warns that in 2026, the extended perimeter and relationships with third parties will gain prominence. \u201cFaced with a larger surface area of exposure, cybercriminals find more opportunities to exploit configurations, identities, and external dependencies, with a greater likelihood of finding a breach in the supply chain.\u201d<\/p>\n<p>Consequently, the challenge for organizations is no longer just to protect their systems but to effectively govern an interconnected digital ecosystem, where trust becomes one of the most critical assets and having solid solutions or allies is an operational necessity.<\/p>\n<p>In terms of attack vectors, Guillermo Fern\u00e1ndez believes that vulnerabilities and weak configurations in remote access and VPNs will continue to be prominent, in addition to the compromise of SaaS tools (accounts, permissions, integrations). \u201cAnd on the human front, social engineering will become even more effective with advanced phishing and image and voice deepfakes, increasing the risk of fraud. Likewise, we will see more impersonation and initial access. 
WatchGuard also anticipates that 2026 may be the year of the first agent-based AI-orchestrated end-to-end breach, bringing offensive automation to \u2018machine speed,&#8217;\u201d Fern\u00e1ndez says.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Are companies investing enough in cyber defenses?<\/strong><\/h2>\n<p>A \u2018cybersecurity poverty line\u2019 that affects not only budgets, but the availability of strategic leadership and capabilities to define roadmaps, understand key metrics, and evolve toward maturity goals, is an existing issue according to Rafe Pilling, director of threat intelligence at Sophos X-Ops. \u201cThe strong performance of the cybersecurity market does not eliminate the fundamental gap between real risk and management perception. Sophos predicts that many of the most serious disruptions in 2026 will not be the result of sophisticated techniques, but of basic security hygiene failures that are entirely preventable,\u201d he explains.<\/p>\n<p>Pilling argues that the reality is that having a CISO in a company is now a luxury, highlighting the magnitude of the specialized talent deficit. Companies must understand cyber resilience as a strategic priority at the management level and not just as a technological challenge. This gap between available capabilities and real threats explains why most organizations lack the visibility, controls, and expertise necessary to defend themselves effectively against a highly industrialized criminal ecosystem.<\/p>\n<p>What is clear is that as cyber threats increase, organizations are facing the reality that security attacks are not just a possibility, but a certainty. \u201cAt the same time, it is estimated that there is a global shortage of more than 4.7 million qualified professionals, which means that critical security positions are not being filled when they are most needed,\u201d says Gorka Sainz.<\/p>\n<p>\u201cThere remains a clear gap in effectiveness,\u201d says Abraham V\u00e1zquez. 
In his opinion, \u201cmany organizations still lack real visibility into their risk exposure, boards of directors maintain a limited level of confidence in defensive capabilities, and third parties continue to play a significant role, being involved in approximately 30% of security breaches.\u201d<\/p>\n<p>On the other hand, there is still a gap between the complexity of the environment (hybrid, SaaS, multi-cloud) and the maturity of identity controls. Likewise, many organizations still do not consistently apply intelligent privilege controls, while the need to automate the identity and permission lifecycle indicates that current investment is not always sufficient or well targeted.<\/p>\n<p>And not only does this gap exist, but there is also a cultural gap, as Salvador S\u00e1nchez Taboada points out. \u201cMany management teams see cybersecurity as an expense, not as a lifesaver,\u201d he acknowledges. \u201cIn Spain and Latin America, we are working to change that view, relying on integration through AI between existing risk plans and new threats: investing in resilience is like investing in good foundations before building a house. Every change of cycle reminds us that the invisible\u2014like foundations\u2014supports everything we value.\u201d<\/p>\n<p>Increased spending \u201cis often diverted toward AI hype and supposedly miraculous solutions driven by marketing, rather than addressing real risks,\u201d argues Martin Zugec. That\u2019s why he believes attackers have evolved toward simpler, harder-to-detect techniques, such as LOTL or ClickFix, which weaponize legitimate system tools and user interactions to bypass security layers.<\/p>\n<p>\u201cThis disconnect between where defenders invest and how attackers evolve is a dangerous trend, clearly visible when comparing the findings of real forensic investigations with the narratives popularized in professional networks. 
This disconnect is reckless,\u201d he warns.<\/p>\n<h2 class=\"wp-block-heading\" id=\"ciso-priorities\">CISO priorities<\/h2>\n<p>In this context, CISOs are forced to continually rethink their defense strategies. \u201cBeyond having solid internal teams and adequate prevention tools, it is increasingly necessary to complement these capabilities with trusted technology partners and insurers capable of managing cyber risk in a more holistic way,\u201d says Vincent Nguyen, director of cybersecurity at Sto\u00efk.<\/p>\n<p>As attackers professionalize and scale their operations, Nguyen believes that effective defense requires a proactive and integrated approach that combines advanced cybersecurity solutions, risk transfer through cyber insurance, and operational support when an incident occurs. \u201cStrategic partners with a cross-functional view of risk can accompany organizations before, during, and after an attack, strengthening resilience without replacing internal security leadership,\u201d he adds.<\/p>\n<p>In any case, Mart\u00edn Trull\u00e1s acknowledges that there is no single winning strategy for the CISO, but rather a set of different strategies focused on different areas. \u201cOn the one hand, identity security must be strengthened, as it can become a gateway for more serious attacks. And this identity security should no longer be understood only as \u2018human identity\u2019 but must also focus on the identity of connected devices, which can also become vectors for attack,\u201d he explains.<\/p>\n<p>\u201cAt the same time, it is necessary to implement organizational and mindset changes within the company: proper governance, cybersecurity training for all employees, promotion of best practices to reduce risks, and a culture of proactivity to reduce detection and response time in the event of an attack. 
The entire company must be involved in these processes, because leaving cybersecurity as the sole responsibility of the CISO or the department on duty is a mistake that can be very costly.\u201d<\/p>\n<p>Of course, this requires CISOs to have the right resources. \u201cAnd they don\u2019t have it easy, with often unrealistic expectations that cause them to experience signs of burnout,\u201d says Fernando Anaya, general manager of Proofpoint for Spain and Portugal.<\/p>\n<p>Anaya cites this data: \u201cIn Spain, 51% of security managers say they still lack the necessary means to meet their objectives. Similarly, it is crucial to strengthen incident response capabilities, especially considering that a third of Spanish organizations admit to being unprepared. A much more proactive approach is also needed to foster a culture of cybersecurity that goes beyond simply trusting users and includes concrete and effective actions to reduce data loss. The pressure on CISOs is increasing as these resource constraints are combined with such a rapidly changing threat environment, making it imperative that they work to align themselves strategically with their organizations\u2019 boards of directors, seeking a shared vision that ensures the necessary support and appropriate decision-making.\u201d<\/p>\n<p>At the same time, Abraham V\u00e1zquez believes that it will be essential to advance zero-trust models and perimeter hardening, eliminating legacy VPNs and accelerating patching processes in <em>edge<\/em> environments, as well as ensuring proven resilience through immutable backups and isolated recovery environments. 
\u201cThe automation of detection and response, supported by <a href=\"https:\/\/www.csoonline.com\/article\/3622920\/soar-buyers-guide-11-security-orchestration-automation-and-response-products-and-how-to-choose.html\" target=\"_blank\">SOAR<\/a> and AI platforms, will enable the cycle between detection and containment to be closed efficiently, effectively reducing response times. Added to this is the need for more mature third-party and supply chain management, based on continuous assessment of cybersecurity posture and minimal but relevant telemetry.\u201d<\/p>\n<p>\u201cIt will be key to conduct internal crisis management exercises that consider realistic scenarios, such as ransomware attacks without payment, fraud using deepfakes of management, or outages of critical suppliers.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals have built structured criminal groups with an organizational model similar to that of a legitimate business. \u201cCybercrime has become industrialized, a return on investment (ROI)-oriented economy, focused on speed and monetization,\u201d according to Martin Zugec, Bitdefender\u2019s director of technical solutions. 
Zugec explains that this modus operandi of cybercriminal groups is characterized by a high degree of specialization, which includes initial access brokers or ransomware-as-a-service&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15538\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15538","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15538","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15538"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15538\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15538"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15538"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}