CISOs Reveal Top Cybersecurity Priorities for 2026

How are CISOs, CIOs, and boards navigating cybersecurity priorities in 2026?

Published on Jan 22, 2026
Written by Joel Witts
Technical Review by Mirren McDade
What Are Security Leaders Prioritizing in 2026

Cybersecurity leaders are entering 2026 with a clear message: prevention alone is no longer enough.

CISOs say their top priorities now center on reducing blast radius, securing AI-driven workflows, and addressing human risk across the organization.

We reached out to a small group of CISOs, CIOs, and technology leaders across a range of industries and sectors to ask about their security priorities for the coming year.

Improving Security Culture To Address Social Engineering

Phishing and social engineering continue to be a top concern for security teams. AI has led to a new generation of more convincing phishing scams that are faster, cheaper, and easier to produce than ever before.

A persistent challenge is driving awareness and accountability across business teams when it comes to dealing with social engineering. 

“Driving accountability and ownership across the company is seen as a HR issue and the bat is constantly passed around,” one board-level digital & technology leader confidentially told Expert Insights. 


“This is still being seen as a tech issue rather than an individual accountability and individual executive accountability issue across organizations I am speaking to.”

Improving Security Outcomes

A long-term challenge in cybersecurity is containment. Security teams often focus on preventing threats from entering their network, but if an attacker does get in through a vulnerability, controls need to be in place to stop them from moving laterally.

“We are relentlessly focused on reducing blast radius. If an attacker gets in, they should learn nothing, move nowhere, and burn time until we evict them,” Richard Bird, CSO, Singulr AI, told Expert Insights.

“Our priority is to focus on security outcomes, performance, and recovery, not on security as an activity.”

CISO and founder Santosh Kamane agrees, telling Expert Insights: “For us the priority is to build a cyber-resilient organization in today’s AI-driven and identity-centric environment. We want to go beyond compliance checklists and integrate security into every critical business process.

“We want to ensure that our security controls actually hold up during a real incident, not just during audits. While we can demonstrate compliance, we also want to be breach ready.”

Key priorities should be implementing zero trust, securing AI use, and moving from static controls to continuous validation of trust and access, Kamane suggests.

Jason Ingalls, Chief Cybersecurity Officer at C3 Integrated Solutions, makes a similar point, arguing that strengthening operational decision-making across the cyber lifecycle is key to improving resilience.

“What separates resilient organizations today is the ability to make fast, confident decisions under pressure, contain impact, and restore operations with minimal business disruption. That requires not just tooling, but practiced playbooks, empowered decision rights, and tight alignment between internal teams and external partners.”

Securing Agentic Workflows

Most cybersecurity leaders expect that AI will continue to dominate the cybersecurity conversation in 2026. But one acute area of concern is the rise of agentic software coding and the vulnerabilities this could introduce.

Conor Sherman, CISO of Sysdig, told Expert Insights this is one of their key strategic priorities in 2026. “A defining priority for 2026 is securing the rise of agentic coding systems. We have watched AI tools move from simple code completion to autonomous development, fundamentally altering the software supply chain.”

“The game is no longer just finding bugs––it is operationalizing AI to fix them before that highly efficient adversary can exploit them.”

Broader AI security also remains a top priority for CISOs. “AI Safety, monitoring and AI Ops needs to be the norm in 2026. Functions, tooling, reporting and servicing all created around internal AI usage,” said Leo Cunningham, CISO at OWKIN. 

“Non-technical teams will need to modernise quickly or risk being left behind with AI and automation.”

For CISOs, the message heading into 2026 is clear: security success will be defined not by what is prevented, but by how well organizations withstand, contain, and recover from the attacks that inevitably get through.