As the digital landscape continues to evolve, so too do the threats that organizations must contend with. In this year's final Reporter's Notebook conversation, cybersecurity experts Rob Wright from Dark Reading, David Jones from Cybersecurity Dive, and Alissa Irei from Tech Target Search Security share their insights on what the future holds for cybersecurity in 2026. Drawing from AI-summarized industry reports and expert opinions, the conversation highlights key trends, challenges, and opportunities that will shape the way businesses approach security in the coming years. From the rise of AI-driven threats to the growing importance of resilience, the panelists paint a vivid picture of the road ahead.[1]
One of the most pressing concerns is the increasing sophistication of cyber threats, particularly those involving artificial intelligence and autonomous systems. Threat actors are expected to target agentic AI, exploiting its capabilities for malicious purposes. While AI offers tremendous potential for productivity gains, the lack of robust security measures and awareness could lead to devastating consequences such as the rise of AI-driven social engineering and deepfakes, which are poised to erode trust and manipulate human vulnerabilities. As technology advances, organizations must strike a balance between innovation and protection.
Another major shift in cybersecurity priorities is the growing emphasis on resilience and recovery over prevention. The reporters noted that businesses are moving away from the traditional focus on secure systems and instead prioritizing defensible, recoverable systems that can withstand catastrophic incidents. This shift reflects a broader understanding of cybersecurity as a form of risk management rather than an attempt to eliminate breaches entirely. With board-level awareness and executive accountability on the rise, organizations are recognizing the importance of preparing for the inevitable and ensuring they have the systems and processes in place to recover quickly.
In a world where cyber threats are becoming more sophisticated and pervasive, the discussion underscored the need for vigilance, innovation, and collaboration. As organizations brace for the challenges of 2026 and beyond, the focus must remain on building resilient systems, fostering awareness, and staying ahead of emerging risks. The future of cybersecurity is uncertain, but with proactive measures and a commitment to adaptation, businesses can navigate the complexities of the digital age.
Below is an interesting conversation with various cyber experts. Reporter's Notebook: Full Transcript (this transcript has been edited for clarity).
Dark Reading's Rob Wright: Hi, I'm Rob Wright with Dark Reading.
Cybersecurity Dive's David Jones: Hi, I'm Dave Jones with Cybersecurity Dive.
Tech Target Search Security's Alissa Irei: Hi, Alissa Irei, Search Security at Informa Tech Target.
DR's Rob Wright: And the three of us are here today to discuss 2026 predictions. Every year, we get a lot of emails from different companies, sources, and PR folks about their predictions for what's going to happen in 2026 technology predictions, not just random predictions. So, what we did this year is we took all of these emails, their predictions from various companies, sources, and executives, and we fed them into an AI. We're not going to say which AI, but we used it to summarize them, find the most common ones, the most frequently cited predictions, common trends, and threads, and it spit out a list. Here we have our AI-generated list, and we're going to discuss it and figure out what we think is likely to happen and what we are a little more skeptical about. So, let's jump right into it. The first one on our list: Agentic AI and autonomous systems become primary targets for threat actors. What do we think about that?
TTSS's Alissa Irei: I think this could be a really short episode if we just said AI ten times. Those are our ten predictions. It seems plausible to me. Dave, what do you think?
CD's David Jones: I think artificial intelligence (AI) is ready for a reality check. We've already started to see the capabilities that threat actors have in terms of abusing AI, particularly if the proper guardrails are not set up. A lot of companies want to benefit from the potential productivity gains of AI. The question is, have they prepared themselves for the risks they may not anticipate? For some companies, if they haven't thought this through properly or tested it, there’s going to be a reckoning. Some companies will be able to utilize AI properly and see productivity gains, but we’re going to find out who’s taking these risks seriously and who’s moving too fast.
DR's Rob Wright: I think agentic AI in particular is going to be interesting. It’s being used in some compelling case studies, but knowing that threat actors are also targeting it and trying to abuse it is concerning. So, it’s not a surprise that this is one of the most common predictions we received.
TTSS's Alissa Irei: And when you have AI agents that have the permissions of human users, that obviously raises some questions and concerns. The enthusiasm for the business use cases might not always be matched with the security controls, which brings us to our next prediction, I believe.
DR's Rob Wright: Yeah, so this is actually tied for number one. I should have said that. It’s number two in sequential order: Identity, zero trust, and non-human identities (NHIs) are the new security foundation. Basically, identity will replace the network as the primary security boundary and control point. Feels like this has already happened, but what do you think?
CD's David Jones: If machines are constantly communicating with each other and there isn’t a proper level of permissions being offered to all the automated links in your network, one obscure link can wreak havoc throughout an entire network. Unless companies are acutely aware of who they are interacting with, what kind of permissions they have, and how dependent they are on those connections, we’re going to see more of these issues, particularly as companies become more dependent on automation.
TTSS's Alissa Irei: I think this is already happening, but the rise of agentic AI with non-human identities outnumbering human identities by so many factors will put organizations’ zero trust architectures to the test. The question is, how rock solid is your zero trust framework? Is there implicit trust in places or given to entities that you’re not aware of? That could lead to some really big problems in 2026.
DR's Rob Wright: Makes sense. All right, next up: AI-driven social engineering and deep fakes will erode trust. AI will accelerate the scale and sophistication of social engineering, making deep fakes and synthetic media like video and voice cloning the preeminent social engineering vector for high-value access. Do we think it’s going to happen?
CD's David Jones: That’s been one of the big stories of 2025 already. A sophisticated actor can easily fool senior executives, help desks, and IT networks into granting permissions to get into a network and do a lot of damage. Companies haven’t figured out how to train key employees to recognize this. With all the security software in a network, a lot of this is just taking advantage of human behavior. Senior executives, politicians, and high-level officials can be taken advantage of. Someone can maliciously send out a request in their name, pretend to speak on their behalf, or go after family members. It’s probably going to get more interesting next year as the technology becomes more sophisticated and accessible.
TTSS's Alissa Irei: It feels like we may be at a moment in 2026 that will be very scary. The sophistication and accessibility of the tech will be at an all-time high, but the typical user might not be aware that it’s possible yet. To date, most widely viewed deepfake content is a little clunky or has telltale signs, but it seems like there’s an inflection point coming where even sophisticated users can’t tell they’re looking at a deepfake video, and public awareness might not be there yet.
CD's David Jones: You don’t necessarily need a good deepfake. Very good voice cloning alone can capture someone’s voice for authentication and gain a lot of access.
DR's Rob Wright: My kids tried that with me. They kept telling me to say “password” into a recording device. I’m joking. Anyway, that’s a reference to an old movie.
DR's Rob Wright: Next prediction: Supply chain and third-party risk intensifies, demanding visibility and proof. Supply chains will become the number one access point for adversaries as attackers target small embedded vendors to access thousands of downstream environments. What do you think?
CD's David Jones: We’ve seen in manufacturing, processing, and logistics that if you’re highly dependent on a constantly moving supply chain, an attacker can force you to disrupt your production or distribution process. That can create anxiety for days, weeks, or months. If you don’t understand how secure your dependencies are, you might be in for a long haul. We’ve already seen this in 2025 with software and major companies like JLR. Companies will need to think about this very closely next year because we’re going to see these types of attacks again.
TTSS's Alissa Irei: This strikes me as true and also more of the same. I don’t think this is a huge shift from what we’ve seen in 2025, but supply chain and third-party risk are still big problems. You’ve got to have your SBOMs.
DR's Rob Wright: SBOMs have been a big focus. Strengthening the software supply chain and ensuring you’re not relying on compromised open-source libraries or tampered software is critical. It’s a scary world out there.
TTSS's Alissa Irei: I think it would be surprising if we didn’t see major supply chain attacks in 2026.
DR's Rob Wright: I agree. OK, next prediction: Executive accountability, AI governance, and board focus on risk. Boards will recognize cyber risk as a tier-one operational priority and demand measurable security outcomes. Rising legal and regulatory pressure, especially concerning AI, will increase executive and CISO personal liability. I have my doubts, but I’ll let you go first.
CD's David Jones: There’s been concern about personally holding a board member or senior executive accountable for failure to disclose or raise proper red flags. Companies will need to set up proper guardrails, particularly if they’re expanding their use of AI. The consequences will play out over time. Case law will need to develop as states, federal governments, and international regulators address this. Once we see larger-scale deployment, we’ll start to see these cases play out in court and from regulators.
TTSS's Alissa Irei: In our reporting on security, we’re seeing growing awareness at the board level of the importance of cybersecurity. Organizations understand that cyber risk is business risk, which is a good thing. In terms of CISO personal liability, I don’t necessarily see that happening. I hope it doesn’t. CISOs worry about this, and it seems unfair. I don’t know what the future of the role is if CISOs are held personally liable for the cybersecurity of massive enterprises. That seems like a return to the battle days when CSOs were little more than scapegoats. Rob, what do you think?
DR’s Rob Wright: I’m skeptical about that part. I do think there’s going to be more consideration and more responsibility on CISOs and board members, but we just saw a pretty big case recently where the charges were dropped against the CISO who was under fire and, according to many, wrongly charged or implicated in that incident. In terms of being accused of not disclosing, covering it up, or benefiting from it, I don’t know that it’s going to move in that direction. If anything, it seems like under the current administration, it’s going to relax a lot, but who knows? We live in interesting times, I guess.
TTSS’s Alissa Irei: OK.
CD’s David Jones: To address that, I believe CISOs have some legitimate concerns. One of the issues that comes up is if a top executive in a company, a CEO, president, or board member, says, "Nobody told me. I’m not an expert on security. I’m not an engineer. I’m not responsible for managing security in our company." That’s why they have someone in charge of that. But if you’re a CISO or an executive with another title in charge of security, you have to make your C-suite and board aware of the risks. When you’re a CEO or board member, you’ve got to understand the risks and outline them to investors. Whether you’re an expert on a particular issue or not, that’s part of your job. The CISO doesn’t make presentations in quarterly conference calls or necessarily present to investors unless it’s a very specialized type of presentation.
DR’s Rob Wright: Yeah.
TTSS’s Alissa Irei: Yeah.
DR’s Rob Wright: Yeah.
CD’s David Jones: An investor isn’t going to drill down to the CISO and expect to hear directly from them about the risks. That’s why you have quarterly updates, regular meetings, audit committees, and governance structures within your company so that a top executive can’t say, "Nobody ever said anything to me."
DR’s Rob Wright: Yeah, good point.
TTSS’s Alissa Irei: OK.
DR’s Rob Wright: All right, let’s get to a few more of these. Tied for number six, OT, IoT, and critical infrastructure become a top cyber risk surface. That seems very likely to me. I don’t know if I have too much to add. Alissa, what do you think?
TTSS’s Alissa Irei: I think it’s scary. It scares me. It seems likely. I hope it’s wrong.
DR’s Rob Wright: Well, I think for non-security experts inside companies that produce things or have long production lines, they may have people who know how to develop the products they sell but don’t necessarily know what OT is. They understand how to run a factory and produce their core products. The goal is to translate a risk that impacts IT to understand what it looks like if it jumps to the production line.
CD’s David Jones: If I’m a maker of electronics or food products and I have a risk where I have to shut down the production line for hours, days, or weeks, what do I do? Can you flip the switch back on in a week and expect everything to go back to normal?
DR’s Rob Wright: Probably not.
TTSS’s Alissa Irei: It’s surprising we haven’t had more attacks on OT and critical infrastructure with far-reaching impacts. There have been incidents like Colonial Pipeline and the water plant in Florida, but it seems like we’ve gotten off relatively easy given the security gaps in some organizations.
DR’s Rob Wright: Maybe we won’t be so lucky in 2026. Scary thought. All right, also tied for number six: visibility, attack surface management (ASM), and data sprawl are critical gaps. Traditional perimeter thinking is obsolete. Data sprawl, let’s focus on that for a second. We’ve seen a lot of data sprawl recently, like with the Salesforce attacks where data, including IT support tickets, credentials, and secrets, ended up in Salesforce instances. Sensitive data is spreading beyond code repositories into other areas. This seems accurate. We’ll probably see more of this data sprawl.
CD’s David Jones: If your most sensitive information is located somewhere you have no control over, what do you do? Who do you blame? If my data is in a third-party site or storage repository, I still care if it’s accessed by the wrong people. Nobody wants to hear, "It wasn’t us. We gave it to another organization, and they had control of it." That’s not going to fly.
DR’s Rob Wright: Good point. Alissa, any thoughts?
TTSS’s Alissa Irei: I cosign. Nothing substantive to add. If it’s a problem, it’ll continue to be a problem in 2026.
CD’s David Jones: It’s like leaving your wallet at your friend’s house and complaining when someone breaks in through their back room.
DR’s Rob Wright: Yeah. All right, #8: cyber resilience and recovery replace prevention as the core metric. The focus is shifting from achieving secure systems to prioritizing defensible, resilient, and recoverable systems. I feel like we’ve been in the "assume breach" mode for a while, focusing on incident response plans. Maybe we’re moving more in that direction, prioritizing recovery over prevention.
TTSS’s Alissa Irei: This seems related to the earlier prediction about board-level awareness. Board members and C-level executives with no cybersecurity experience are understanding that breaches will happen. Cybersecurity is really about cyber risk management, not total prevention of incidents. That knowledge seems to be trickling up.
CD’s David Jones: Companies have to assume they’ll face a potentially catastrophic attack. How do you build a system that can withstand such an incident, maintain operations, and ensure everyone knows their responsibilities? Is there a backup plan? How much redundancy is built into the system? Companies prepared for catastrophic impacts will be the ones able to plow through such events. At some point, whether you caused it or not, you’ll have to address that scenario.
TTSS’s Alissa Irei: That ties back to supply chain risk, which is often out of your control.
DR’s Rob Wright: Yeah, it’s out of your hands. All right, #9: quantum computing threats accelerate. The long-anticipated threat of quantum computing is moving from theoretical to tangible, accelerating demand for quantum-safe encryption. I’m a quantum threat skeptic. I think we’re a lot further away from this than people think. There’s a risk of "harvest now, decrypt later," but I don’t think we’re near the tangible threat level.
CD’s David Jones: We might get tomorrow sooner than we think. There’s been a lot of hype about quantum computing and theoretical discussions about protecting critical national security secrets, financial services, and military-level technology. Someone will eventually figure out how to break into systems at that level. It doesn’t take widespread use, just one really bad event.
TTSS’s Alissa Irei: I’ll defer to the experts I’ve spoken to. Everyone seems to think we’re not there or even close to there. I hope that’s true.
DR’s Rob Wright: That’s reassuring. I’d like to live in a world where this stuff isn’t easily cracked. No asteroids, no spaceships in 2026.
TTSS’s Alissa Irei: No asteroids, no spaceships.
DR’s Rob Wright: All right, last but not least, password elimination and passkey adoption accelerate. Password-based authentication will finally become obsolete in forward-thinking organizations. What do we think?
TTSS’s Alissa Irei: To quote Yogi Berra, "It’s déjà vu all over again." I feel like we’ve heard this before.
CD’s David Jones: Are we being aspirational? How long has this been going on?
TTSS’s Alissa Irei: Seems optimistic.
DR's Rob Wright: Yeah. A few years.
CD’s David Jones: Yeah, ideally, we would like to have a situation where, when we're logging on to our most important applications, we don't have a list of about 200 passwords. These passwords are often reiterations of things like our old street name, our best friend's last name, or some other combination of things we can remember.
DR's Rob Wright: Yeah.
CD’s David Jones: But as we know, many people use poorly constructed passwords and keep reusing them. It's hard to remember all of that. People keep saying they’re going to change, evolve, and use new methods.
DR's Rob Wright: Yeah.
CD’s David Jones: We keep going back to the same bad habits.
DR's Rob Wright: I think the question here is, what do you consider a forward-thinking organization? There are a lot of financial services firms and technology firms that have moved away from passwords and embraced passkeys or physical keys. Google, for example, has had phishing-resistant keys for many years. The question is, how many organizations are going to be forward-thinking and adopt these methods? Is it just going to be the top 1%, or will we start to see that level of adoption move down to other organizations? I’m not optimistic. I’m pessimistic by nature, so I don’t think that’s going to happen this year.
CD’s David Jones: I think you need to get some employee to buy-in. It’s important to convince workers at your organization that it’s worth going in that direction.
DR's Rob Wright: 100%. I don’t know. That seems like an uphill battle. Anyway, that’s it for our predictions. Thank you, everyone. I appreciate the input.
TTSS’s Alissa Irei: Thank you. This was fun.
CD’s David Jones: Are we going to save this in a bottle and revisit it?
DR's Rob Wright: I guess we’ll see at the end of 2026, and we’ll do it all again. Thanks, everyone.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.darkreading.com/threat-intelligence/cybersecurity-predictions-for-2026-navigating-the-future-of-digital-threats
Comments