We are staring down the barrel of 2026. If you think the last 12 months were chaotic, strap in.
The business-as-usual model for security is dead. We are moving into an era where the CISO is either a financial risk broker or irrelevant, where AI doesn’t just write emails but writes exploits, and where your right to privacy is being legislated out of existence.
Here is my take on the three trends that will define the next year.
1. The federated CISO (stop counting bugs)
Let’s be honest: the CISO 2.0 buzzword from 2020 is stale. In mature organisations, the CISO role has already shifted. We aren’t technical guardians anymore; we are risk brokers.
By 2026, if you are still reporting the number of vulnerabilities you patched to your board, you are failing. The successful CISO is embedded in the profit and loss (P&L) function. They speak the language of the CFO, not the language of the firewall. They don’t ask for budget to ‘fix stuff’; they present investment cases based on earnings at risk.
The Office of the CISO
The days of the CISO trying to manage every security decision are over. The scope is too wide. The smart move for 2026 is decentralisation, a Federated Security Model. You set the guardrails (policy and platform), but you let your security champions in engineering, sales, and other business functions to execute the actual work. You stop being the bottleneck and start being the auditor.
And you better have the emotional intelligence to handle the heat. When a ransomware negotiation goes south or your team is burning out from alerting fatigue, you need to be the calmest person in the room.
2. The agentic AI explosion
We have moved way past large language models (LLMs) that just ‘chat’. We are now dealing with autonomous agents that ‘do’. As 2026 arrives, we aren’t writing prompts; we are governing digital workers capable of reasoning and using tools. In timely news, you should read the new OWASP Top 10 for Agentic Applications 2026.
I view this with a mix of professional alarm and strategic hope.
The bad news:
The bad guys are moving faster. We are seeing polymorphic attack agents that don’t just run scripts; they improvise. They scan for targets, write bespoke exploit code on the fly, and – this is the part that keeps me up at night – then manage the extortion. These agents can negotiate ransom payments using sentiment analysis to squeeze the maximum payout from a victim without a human criminal ever touching a keyboard.
The good news:
We can fight fire with fire. We are entering the era of self-healing infrastructure. Defensive agents that detect an anomaly and fix it – blocking IPs, isolating containers, rewriting rules – before a human analyst even opens their laptop.
For the CISO, this is how we solve the data overload. We don’t need more dashboards. We need virtual analyst agents that audit our environment 24/7 and feed a quantitative risk model.
3. The fight for the right to privacy
While we obsess over AI, a much quieter war is being lost. Governments are dismantling the presumption of privacy.
I am watching this “slow boiling of the frog” with deep concern. It’s not just about encryption anymore; it’s about the right to exist digitally without showing your papers.
The border dragnet
Have you travelled recently? The presumption of privacy at the border is gone. It is becoming normal to surrender years of emails and social media history just to enter a country. We are handing over our digital souls to border agents as the price of entry.
The “16+” trap
Look at what happened in Australia just a few days ago. The new legislation restricts social media to those over 16. It sounds noble, but the logic is flawed. To exclude a minor, you have to verify everyone. You cannot filter out the 15-year-old without carding the 50-year-old.
The naive solution – uploading passport scans to random websites – is a privacy disaster waiting to happen.
The only way out – the device lifeline
There is only one technical way to comply with these laws without building a surveillance state: Privacy-preserving age verification.
We need a model where your device – which already knows who you are – generates a cryptographic token (a zero-knowledge proof) that simply tells the website the user is over 16. The website gets a ‘Yes’, but never your name. The OS vendor sees a token request, but not which site you are visiting.
But let’s be clear about the trade-off. We are effectively asking Apple and Google to become the custodians of our civil liberties, protecting us from state overreach.
It is a strange world where I trust Apple more than I trust the government, but here we are.