Increased workloads, strategic influence and technical focus -- CISO predictions for 2026

The task of the CISO has historically been an underappreciated one. But as businesses wake up to the fact that cybersecurity issues can represent a threat to the entire business, it has taken on more significance.
Here’s how a range of industry experts see the future for CISOs and their role as we head into 2026.
Simon King, head of information security at the Infinigate Group, says, “In 2026, the role of Chief Information Security Officer (CISO) will be widely expected to be a strategic one. CISOs are increasingly acting as bridge-builders between technical security, regulatory compliance, and broader corporate strategy. In light of new EU regulations -- such as NIS2, DORA, and the EU AI Act -- CISOs take central responsibility for risk management, security culture, incident response leadership and often business continuity too.”
This is echoed by Raghu Nandakumara, VP of industry strategy at Illumio, “As IT and OT converge, the boundaries between digital and physical security continue to dissolve. Securing information alone is no longer enough; security must also encompass physical environments, operational technology, and the resilience of the workforce and supply chain. The CSO is emerging not just as a successor to the CISO, but as a strategic force, accountable for the full spectrum of organizational security and continuity.”
Matt Hillary, SVP of security and CISO at Drata says:
In the coming year, the CISO will have officially outgrown the traditional ‘protector’ role and stepped into something larger: the chief trust officer of the enterprise. Their job won’t stop at defending against threats or maintaining compliance -- it will expand to proving trust as a measurable, revenue-driving asset.
In a market where customers demand transparency and regulators demand accountability, the CISO won’t just be a guardian of systems, they’ll be the architect of trust itself and the trust currency exchange, and that trust will become the most valuable currency a company can utilize. If you’re a CISO, start claiming that turf before others do. Trust is the evolution of security and GRC, not the replacement.
Dave Spencer, director of technical product management at Immersive, says, “The workload of the CISO will increase in 2026, as there will simply be more required of them. CISOs will have to manage emerging threats alongside legacy equipment and increasing regulation. Many CISOs will succeed in 2026 through their ability to make key decisions and delegate workload effectively to their teams.”
“As boards face heightened accountability for incident oversight, they will increasingly demand proof, not promises. Tabletop exercises will give CISOs a direct forum to showcase their influence by aligning business leaders, clarifying roles under stress, revealing hidden dependencies, and demonstrating readiness in measurable ways. They also help translate technical risk into business language, strengthening the CISO’s position at the executive table,” says Thom Langford, CTO EMEA at Rapid7. “In 2026, CISOs who run frequent, cross-functional tabletop simulations will be seen as proactive risk leaders. Those who cannot facilitate these exercises or use their outcomes to inform strategy will struggle to justify budgets, influence board decisions, and secure their seat in enterprise leadership.”
Patricia Titus, field CISO at Abnormal AI, thinks AI drift will elevate the CISO’s personal liability:
The rapid and largely unchecked deployment of agentic AI in critical business processes is introducing unprecedented liability for CISOs. Recent high-profile legal cases involving CISOs have already raised questions about indemnification and the adequacy of Directors & Officers (D&O) insurance. Yet one major blind spot remains: AI drift -- when an automated system makes an unexpected, harmful decision.
Regulators will inevitably look at the CISO's governance and rigor around the deployment of that automation. This evolving risk, compounded by AI’s demonstrated ability to act with human-like deception, will make robust AI governance, policy development and human oversight urgent prerequisites to manage enterprise risk and mitigate personal legal exposure.
Quantum computing will be a key area of concern, thinks Ravi Srivatsav, CEO and co-founder of DataKrypto, “In 2026, quantum computing -- both a looming technological breakthrough and cybersecurity threat -- will remain a key concern among enterprise CISOs. The ‘harvest-now, decrypt-later’ tactic, where adversaries stockpile encrypted data to decrypt once quantum hardware matures, will accelerate demand for latency-optimized, quantum-safe encryption. When the day comes, traditional standards like RSA and elliptic-curve cryptography will be rendered obsolete by quantum algorithms, leaving unprotected financial data, health records, and AI models vulnerable.”
Despite the importance of cybersecurity to the wider business, James Wickett, CEO of DryRun Security, still believes the technical side is a key focus:
We’ve spent the last few years pretending the CISO could be a business role. That era is over. In 2026, every company will be producing code, AI-assisted, automated, or otherwise. If the CISO doesn’t understand how that code works, what risks it introduces, and how AI systems make decisions, they’re flying blind.
Code volume has already doubled in the last couple of years, and it will probably multiply fivefold again in the next few years. The job of securing the enterprise now is deeply technical: understanding how tools, vendors, and in-house models interact. The board doesn’t just need a translator anymore; they need someone who can say, “Yes, we can ship this safely,” and mean it. The modern CISO has to know the tech, or they’ll be replaced by someone who does.
Sergej Epp, CISO at Sysdig, believes agentic AI-powered applications will push CISOs into security-vs-innovation tradeoffs, “New agentic AI-powered applications, such as browsers, recording tools, and search assistants, will explode across the enterprise. They will become embedded in daily workflows and will be deployed faster than security teams can comprehensively assess them. CISOs will face an impossible balance: block these tools and stall business innovation, or enable them and inherit unpredictable, autonomous risk.”
Are you a CISO? How do you see the role changing? Tell us in the comments.
