Skip to content

The three cyber trends that will define 2026

Trends for cyber in 2026

This article originally appeared in the Computer Weekly: https://www.computerweekly.com/opinion/The-three-cyber-trends-that-will-define-2026

We are staring down the barrel of 2026. If you think the last twelve months were chaotic, strap in.

The "business as usual" model for security is dead. We are moving into an era where the CISO is either a financial risk broker or irrelevant, where AI doesn't just write emails but writes exploits, and where your right to privacy is being legislated out of existence.

Here is my take on the three trends that will define the next year.

1. The Federated CISO (Stop counting bugs)

Let's be honest: the "CISO 2.0" buzzword from 2020 is stale. In mature organisations, the CISO role has already shifted. We aren't technical guardians anymore; we are risk brokers.

By 2026, if you are still reporting "number of vulnerabilities patched" to your Board, you are failing. The successful CISO is embedded in the P&L. They speak the language of the CFO, not the language of the firewall. They don't ask for budget to "fix stuff"; they present investment cases based on Earnings at risk.

The "Office of the CISO"

The days of the CISO trying to manage every security decision are over. The scope is too wide. The smart move for 2026 is decentralisation - a "Federated Security Model". You set the guardrails (policy and platform), but you let the "Security Champions" in Engineering, Sales, and other business functions to execute the actual work. You stop being the bottleneck and start being the auditor.

And you better have the emotional intelligence to handle the heat. When a ransomware negotiation goes south or your team is burning out from alerting fatigue, you need to be the calmest person in the room.

2. The Agentic AI Explosion

We have moved way past LLMs that just "chat". We are now dealing with Autonomous Agents that "do". By 2026, we aren't writing prompts; we are governing digital workers capable of reasoning and using tools. In timely news, you should read the new OWASP Top 10 for Agentic Applications 2026

I view this with a mix of professional alarm and strategic hope.

The Bad News:

The bad guys are moving faster. We are seeing "polymorphic attack agents" that don't just run scripts - they improvise. They scan for targets, write bespoke exploit code on the fly, and - this is the part that keeps me up at night - they manage the extortion. These agents can negotiate ransom payments using sentiment analysis to squeeze the maximum payout from a victim without a human criminal ever touching a keyboard.

The Good News:

We can fight fire with fire. We are entering the era of "Self-Healing Infrastructure". Defensive agents that detect an anomaly and fix it - blocking IPs, isolating containers, rewriting rules - before a human analyst even opens their laptop.

For the CISO, this is how we solve the data overload. We don't need more dashboards. We need "Virtual Analyst" agents that audit our environment 24/7 and feed a quantitative risk model.

3. The Fight for the Right to Privacy

While we obsess over AI, a much quieter war is being lost. Governments - in nations that call themselves democracies - are dismantling the presumption of privacy.

I am watching this "slow boiling of the frog" with deep concern. It's not just about encryption anymore; it's about the right to exist digitally without showing your papers.

The Border Dragnet

Have you travelled recently? The presumption of privacy at the border is gone. It is becoming normal to surrender years of emails and social media history just to enter a country. We are handing over our digital souls to border agents as the price of entry.

The "16+" Trap

Look at what happened in Australia just a few days ago (December 10). The new legislation restricts social media to those over 16. It sounds noble, but the logic is flawed. To exclude a minor, you have to verify everyone. You cannot filter out the 15-year-old without carding the 50-year-old.

The naive solution - uploading passport scans to random websites - is a privacy disaster waiting to happen.

The Only Way Out (The Device Lifeline)

There is only one technical way to comply with these laws without building a surveillance state: Privacy-Preserving Age Verification.

We need a model where your device - which already knows who you are - generates a cryptographic token (a Zero-Knowledge Proof) that simply tells the website "User is 16+". The website gets a "Yes", but never your name. The OS vendor sees a token request, but not which site you are visiting.

But let's be clear about the trade-off. We are effectively asking Apple and Google to become the custodians of our civil liberties, protecting us from state overreach.

It is a strange world where I trust Apple more than I trust the government, but here we are.