- What: Discussion on evolving cyber risks for organizations
- Impact: Focus on business resilience and AI-related threats
Four Risks Boards Cannot Treat as Background Noise

The goal isn’t about preventing every attack but about keeping the business running when attacks succeed.

By Steve Durbin | February 26, 2026 (12:30 PM ET)

The year 2025 redefined the cyber threat landscape, as attacks escalated from data breaches to crippling business-wide disruptions. Last year’s cyberattack on Jaguar Land Rover halted production lines for five weeks, prompting the British government to step in with a $2 billion bailout. This episode captures what changed in 2025: Rather than stolen data making headlines, it was business stoppage that triggered attention.

Moving into 2026, the board’s focus should be on ensuring business continuity and building resilience in the face of emerging risks generated by AI usage and attack vectors, quantum computing and geopolitics. Below we look at four risks reshaping organizational resilience—risks that can impact operations, supply chains, revenue and credibility.

1. AI as force multiplier for cybercrime

AI risk is not only about attack severity, but also about frequency and more surgical attacks at scale. But what the board forgets is that AI can attack at the very root of an organization’s fabric, and that concerns trust. Data drives executive-level decision-making; that’s a fact. And the more organizations lean on dashboards, automated workflows and AI-assisted decision-making, the greater the importance data integrity itself assumes. If inputs are manipulated, incomplete, or quietly corrupted in the background, organizations will start to drift operationally, and this will only become apparent when course correction is no longer feasible and the damage has already been done.

2. Supply chain risk is first-party risk

Partners form the backbone of every successful organization, which operates as a dispersed ecosystem with data moving among cloud platforms, suppliers, managed services providers, and vendors.
Attackers continuously probe weaknesses across the supply chain, and when an incident begins with a third party, the organization cannot divest itself of responsibility. Any reputational and commercial impact falls on the organization because it is the better-known entity. The public doesn’t care where an attack originated; their focus is on the brand they associate with as customers.

3. Quantum risk looms large on the horizon

With quantum computing, the challenge isn’t that the most “unbreakable” encryption will break tomorrow. The problem lies in making the transition to post-quantum cryptography (PQC). Encryption is deeply embedded across legacy system devices, applications, and partner communication, so the shift towards PQC will take considerable time. While quantum computing deployment is still years away, an organization that fails to plan for this new order will be caught on the back foot.

Another quantum risk is the amount of time organizations are storing sensitive data. If there is incentive to protect it over the long term, the risk increases when quantum arrives on the stage.

4. Geopolitics makes cyber harder to plan and resolve

Organizations caught in the crosshairs of a geopolitical tug-of-war between nation-states will encounter a greater degree of unpredictability while addressing cyber risks. They have to manage crime, disruption, and strategic pressure, which are the core objectives of attacks launched by state actors. More importantly, the defense and containment mechanism has to manage cross-border complications, especially for organizations operating across multiple jurisdictions.

Geopolitical risk demands a public-private partnership to build resilience, but the board must keep in mind that corporate actions shouldn’t be driven by political ends. This tension can become a large part of the risk environment.

A Pragmatic Roadmap for Addressing Risks

AI, geopolitics, third-party and quantum are obvious risks, but they are also drivers of an organization’s journey towards resilience in 2026 and beyond.

To enable safe AI use and clip its wings when needed, pre-define decision rights and escalation triggers. Assign human ownership (“human-in-the-loop”) to system isolation, slowing or stopping high-risk activity, and pressing the kill switch. Also consider who notifies regulators and approves external communication when things go south.

From a geopolitical standpoint, be sure to gain complete visibility into critical suppliers, cross-border data flows, and technology dependencies concentrated in a single region. This will help inform the organization as to which business function is most vulnerable in the event of a sudden shift in geopolitical winds.

Whether AI or geopolitics, the focus should be to lead with resilience by setting a threshold for the organization to operate without reliance on critical systems. This helps to define the “minimum viable company”—the processes and datasets that must remain available and trustworthy during any disruption.

Third-party risk can be managed by following the data. Draw a map of how information and its access move across the supply chain and partners, and zero in on weaknesses that can be exploited by attackers. Work with vendors and suppliers to plug these gaps. Prepare fallbacks to ensure business continuity.

In Summary

Build future-readiness into the resilience strategy. Inventory all organization-wide assets that are protected with encryption, prioritizing sensitive data, and commit to a staged multi-year plan to be prepared for a quantum world.

Boards will be rewarded for treating AI, third parties, quantum, and geopolitics as a single connected resilience agenda, not as four separate issues. Resilience is not about preventing every attack, but about keeping the business functioning despite attacks that disrupt operations.

Written by Steve Durbin

Steve Durbin is Chief Executive of the Information Security Forum, an independent association dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000.