CISOs: What are your top priorities for 2026?

by Black Hat Middle East and Africa

One of the major changes across cybersecurity recently is that hybrid has become default – and that means resilience has to work across it. 

Netwrix reports that 77% of organisations already run hybrid environments, and the average share of workloads in the cloud was 49% in 2025, projected to reach 55% in 2026. Trellix lands the same punch from the CISO angle: 89% say they already operate hybrid, and 97% believe hybrid provides better resilience and risk management than cloud-only or on-prem-only.

The catch here is operational complexity. Trellix highlights hybrid pain points that will feel familiar: integrating OT and IT security (41%), sovereignty/compliance (41%), and doing threat analysis across hybrid boundaries (37%). That suggests a 2026 priority shift from ‘more tools’ to ‘fewer blind spots’ across environments – which fits with what we’ve learnt about CFO budgets too. 

AI risk has overtaken ransomware in the threat conversation

According to a new survey from Veeam, AI-generated attacks (66%) are seen as a more significant threat to data than ransomware (50%). Netwrix found the defensive side struggling to keep up – 37% say AI-driven threats forced them to adjust their security approach. And Trellix adds the strategic framing: 89% of CISOs agree AI-driven and autonomous (agentic) attacks represent a major new risk, and 94% say emerging threats are forcing a rethink of strategy.

So the 2026 question, then, is whether your controls assume the AI tools you adopt will be used against you – at scale, with convincing social engineering and faster iteration.

Identity and recovery are where the uncomfortable truths show up

Netwrix reports user/admin account compromise in the cloud at 46% in 2025, up from 16% in 2020. That’s a flashing sign that identity security (human and machine) is now the front door.

Meanwhile, Veeam’s respondents aren’t brimming with confidence about the back door – recovery. Only 29% were ‘very confident’ they could recover critical data if hit by a zero-day tomorrow, and 71% were ‘not/somewhat’ confident about maintaining operations during a multi-day cloud outage.

If your 2026 plan doesn’t include a hard look at recoverability (not just backups), it’s time to rethink that.

Regulation and insurers are writing your roadmap

CISOs are also wrestling with governance drag. Trellix says 82% believe the time and effort needed to keep up with regulatory change isn’t sustainable, and 45% cite the pace of change as a primary compliance challenge. Veeam’s data sovereignty data is consistent: 76% rate sovereignty extremely or moderately important.

And insurance is squeezing CISOs too. Netwrix reports 47% adjusted their security posture to meet insurer requirements. In 2025, insurer requirements included IAM (72%), MFA (54%), and PAM (45%). Whether you like it or not, 2026 control priorities will be influenced by what underwriters demand and what regulators can enforce.

Let’s get practical and make a plan

That was a lot of data in a short space of time – thanks for sticking with us. 

Here’s how you can use this data to guide your 2026 planning: 

  • Make hybrid observable. Prioritise visibility and response that works across cloud, on-prem, and (where relevant) OT – because attackers already do.
  • Treat AI as an adversary capability. Build controls and exercises around AI-assisted phishing, identity abuse, and automation-driven incident speed.
  • Prove recoverability, not backup coverage. Pressure test your ability to restore critical services under zero-day and cloud-outage assumptions.

We think the CISOs who can operate with fewer unknowns, faster recovery, and governance that doesn’t collapse under its own weight will lead the way this year. And as always, we’re here to back you up – put Black Hat MEA 2026 in your diary (1-3 December) to keep building resilience and community. 
