Cybersecurity Predictions 2026: What Security Leaders Learned in 2025

AI is a nitra. We feel like the more AI mimics a human, the more operational controls you need to have inside organizations. We see a lot of organizations who are saying, you know what, it's the end of the road for this technology. It just [music] is not sustainable. It's too expensive. It's too risky. The thing that scares me to death about these AI tools is the same thing that scared me to death about every SAS tool that has ever gotten popular. Welcome to the Connectivity Cloud Podcast, the podcast that provides expert insights into the cloud and IT landscape. I'm Mark Demo and each month we'll explore key topics like [music] scaling secure infrastructure, tackling emerging risks, and staying ahead of the latest trends. Whether you're managing multi- vendor environments or navigating cloud modernization, this is the show for you. Delivering practical advice for today's decision makers. 2025 was a year of transformation and cyber security. As AI reshaped how we work, geopolitical tensions intensified threats and regulatory complexity reached new heights. One thing became clear. Security is no longer just about defense. It's about enabling the business to move faster, smarter, and more confidently. Today we're revisiting the most impactful conversations from the Connectivity Cloud podcast to distill the lessons that will define 2026 and beyond. Let's start with a fundamental shift we heard throughout 2025. The transformation of the CISO role from technical gatekeeper to strategic business partner. Olivier Busulini from Mushri Bank captured this perfectly. It was kind of the cliche that you see, you know, in all your LinkedIn and and other platforms where you have this drawing where someone in a suit is is is taking you from the the small table to the big table. That's just for me an illustration talking about the transformation of our role and our added value. When you join a new type of community in your journey, think about adopting the vocabulary, the way of thinking, the culture of this other community. I'm not saying that you lose the essence of who you are and what you are bringing to the table. Not at all. But you need to understand that you are part of a different culture. I lead the team of security, trust and safety for the whole group and the group CESO for the group as well. I would say look guy I have uh some business I need to solve regardless security regardless marketing regard regardless products uh bringing value like internal processes. So I am a CEO of the small business bringing additional value to the customers uh through doing their life more secure. This shift isn't just semantic. It requires speaking the language of business. Yeven Belaluto from Rifis and Bank explained how this works in practice. Nothing works better than speaking with your customer on their own language. So if you're speaking with CF4, bring some figures on the table. If you're speaking with risk officer, bring some risks and also calculate it with money. Uh if you're speaking with IT peers, uh definitely you need to bring taxonomy. It understands well you need to calculate, you need to communicate and then you need to deliver. So being consistent on the way, being so confident on that and definitely bring the best people on board. AI dominated every conversation in 2025, but our guests cut through the hype to reveal what's actually working and what's still aspirational. Let's hear from Mustafa Hassan [music] from SMG Swiss Marketing Group and Sam Rea from Cloudflare on how AI has changed the threat landscape. One of the very concrete things of how AI made things much easier is fishing emails, fishing messages. uh it it writes flawless uh fishing emails and messages a lot and it became easier as well because also think of it that way you know I mean like from an attacker perspective you can use warm GBT you can use this is also for the audience this is like a a hacker's uh let's say uh assistant you know if someone is using AI we need to evolve our measures so that we can or we are able to uh effectively uh combat that AI versus AI. and it is the careless mistakes we make with integrations or kinds of add-on tools. What terrifies me is somebody in any organization starts using one of these tools, whether it's the again the enterprise version of OpenAI or something of that nature, and they find some integration or plugin or add-on that very deceptively says, "Hey, you know, I'm a add-on into your IDE, for example, that or in integration with cursor uh uh pretty easy to read, for example. um you name it and somebody just says, "Oh, that sounds neat. I'm going to add that in." And the reality is that tool suddenly starts phoning home all the files in your IDE that it's reading um because you thought it was this neat little plugin on top of your AI IDE setup. But it's not all risk. Sam Ferrari, SVP, and CISO at Metro AG also discussed with us how AI is delivering real defensive value. The biggest trend I've seen is helping people become contextaware rapidly. So in some situations I've seen um some of the internal tools that we have will help somebody coming on into a support ticket suddenly ingest all sorts of information that's been summarized and analyzed by these tools. Maybe the 45 minutes they used to have to do just catching up with all the detail and the complexity is now cut down to six minutes, seven minutes because all the important points are highlighted for them. One of the main challenge we are facing is how keeping up with all of that. So in the professional space for me I I see that also in the same manner where I think it can bring a lot of good for the company uh in finding efficiencies but also in developing new ideas or developing new business models. The question is how you adapt adopt that at scale. And Vladimir Krupnov from Revolute reminded us that [music] while generative AI makes headlines, traditional ML has been protecting us for years. AI is a nitra, right? Uh it's it kind of speeds things up. It spits data analytics or it allows you to hire junior talent and uh have them do the job of the senior talent. a recent example from one of the one of the banks in the industry uh which has I think they reduced the sock center cost um by 70% everything related to the data or correlation or data analytics that's another way of using it throughout 2025 a consistent message emerged the most sophisticated technology stack means nothing if your people aren't empowered and educated let's explore this human dimension with Mustafa and Stephanie Cohen from Cloudflare huge role um because even now like you know I'm the CEO of the organization am I aware of every little thing? No. Right. In my own point of view is awareness and education or the human factor actually I see it as the first line of defense not the weakest point. Use AI in the training as well. So this you know so use AI in the training uh make the training more um rewarding provide an incentive in the training is it not like a 15 20 page document that you need to read through the thing that's most similar is that the people are amazing right like incredibly smart curious people who are missiondriven who are empathetic who really want to help the speed and technology is kind of overwhelming I can give whiplash. This idea that you can really test and iterate things with customers, it's so fun to watch. And Pedro Gonzalez, CISO and managing director at EQT, warned us about the sophistication of modern social engineering, even when you think you're being careful. We feel like the more uh AI mimics a human, the more operational controls you need to have inside organizations. You cannot allow one employee to do a transaction of millions of dollars for ICE principle vendor callbacks all those classical uh controls to be in place. Yes, for sure we need to invest and and and on training our people to detecting those kind of scams. But if that fails and it will fail a couple of times because it's only going to be based in uristics and things like that will be a nondeterministic control. Then it's the operational controls on your organization that needs to be in place. For me uh it's one aspect one important aspect of our of my job I feel is do we have created the right governance in the organizations to ensure that every single teams understand that they need to have competencies and they needs to be self sustainable to a certain extent in regard of security. We are not doing security on behalf of them. They have to take this topic. So ensuring that they have the great understanding of that how you create this uh this proper safeguard that's the type of challenge we are we are facing. The shift to cloud wasn't just a technology migration in 2025. It represented a fundamental rethinking of how organizations build resilience and agility. Andy Dean from All Saints and Olivier Busulini from Mashri Bank shared lessons from the trenches. I think there's two major shifts that we made. We um back in uh 2019, we transitioned uh into Google Cloud uh from from a managed uh supply. We needed to be a bit more dynamic uh a hell of a lot more efficient. Uh we needed to kind of absorb new tech really quickly without having to redesign the whole platform. The bigger phase was was was using our our selection of of partners and and more specifically SAS tools. we weren't big enough to to manage a whole software uh cycle on multiple platforms. So we kind of made a shift as well but let's let's [snorts] choose the right partners. What's our tech stack like? What does it match? What are we looking to do in the future in Switzerland uh to have those conversations? It's very difficult specifically when you speak about cross countries negotiations. But if we can start now and maybe achieve a result in 3 years, 5 years, I don't think we we're going to have something before that. That would be great because we would be refocusing more administrative activities of demonstration of the effectiveness of our control to actual defense. Christian Riley emphasized [music] how this transformation changes security fundamentals fundamentally whe whether it's a a bricks and mortar retailer moving into e-commerce uh whether it's a full e-commerce you know with less bricks and mortar and we see a lot of organizations who are saying you know what it's the end of the road for this technology you know it it just is not sustainable it's too expensive it's too risky the mistakes I see people make are doing things peace meal are not seeing something all the way through kind of stopping part of the way and not having the right metrics and accountability to figure out whether or not you're on track or off track. One of the clearest trends in 2025 was the death of the traditional network perimeter. Pedro Gonzalez and Stephanie Cohen explained why zero trust isn't just a buzzword, it's a necessity. What happened in these last years was a shift from you know the classical perimeter I mean we call it the onion ring structure where you have the internal network internal production network and then you have the office network and you create those rings to protect and fins off attackers. Uh we we that was actually proven across the years that you know uh once the attacker was inside inside one of those perimeters uh uh you know it became much more easier for him to you know lateral shift and move to other uh internal networks and then there was actually this change to the identity right so we we went from having uh a very strong perimeter to have basically a couple of things services and endpoints a castle and moat situation which is how people used to defend themselves does not work anymore. And so zero trust is not a product, it's a philosophy. And so it's this idea that we really have to understand what the features are of the person trying to access the system and does the person trying to log into Mark Dembo's computer behave in the way that we expect Mark Demo to behave. At Cloudflare, we use our own zero trust product and the experience is really seamless once you adopt this idea that your own corporate network is basically the internet and the internet is your corporate network and we really need to have a good sense for who you are and what systems you Mark Dembo can access and if you Mark Demo are behaving the way that we expect. If there was one universal pain point across industries and geographies in 2025, it was regulatory complexity. Oliviver's Bolini's frustration represented what many CISOs are feeling. My simplest view is every regulator should have in mind roughly the same objective. Protection of the country, protection of the their own citizen, protection of their market. So as we are talking about cyber security and even maybe privacy but let's let's start by cyber. You would say okay when you have an AP they are most probably yes they have some geo motivation sometimes but for the others who are just motivated by the money um they don't care if they are attacking country A country B or country C don't they harmonize their control requirement their approach because today in every country I have 12 country at Mashrek and when I was at JP it was even or in every country there is a slightly different or sometime vastly different requirement that I have to abide to changing regulatory environment is definitely a trend that's that's coming up more and more this is becoming more complex uh you know the European Union is coming up with their own regulations one example is Adora in the UK we're seeing the same in the US the same in NAPAC and these digital boundaries are I my you know perspective ive are going to be more and more frequent. The first thing that uh you should do is have a regulatory watch model that allows you to tell you on the regulated entities where you operate which actually regulations applies to you. It's extremely important that you carve out in scope exactly what it means to you. The second thing of course I will do is to to try to create a matrix that would touch all these regulations. Master framework that is able to accommodate the three four five regulations uh that you need to be uh compliant with spend 80% of the time on the gap and scoping assessment and then 20% on execution. As we look toward 2025 the thread landscape continues to evolve in concerning ways. Our guests share what's generally keeping them vigilant and it's not always what makes headlines. I can name a few things which can which create my agenda for the past several months. So obviously it's biometric security. So KYC bypasses uh anything related to the deep fake identities. We see a very prominent threat groups international uh let's say organized crime which is which is actually hiring talent and trying to build some scalable solutions to target the banking industry. Also uh we can see some attempts from this fake North Korean workers. Now we're getting to KYE which is know your employee. You have an employee who started at work um won't turn on their like webcam. um you know what does that say about that individual? Is that the individual you hired and you know checked their identity of or has that individual changed? We've seen cases where people are passing you know background checks um successfully but you know they're using a fraudulent identity. Whole thing around loyalty programs and and you know loyalty activity. A few years ago, there was a famous attack where an airline had had its loyalty scheme compromised. And because there was no sort of real-time detection, loyalty fraud cost companies about $4 billion globally. Compromised loyalty account sells for between $10 and $50 on the dark web, whereas a stolen credit card information only sells for five. A accounts were not only, you know, compromised using the password spraying or credential stuffing. um they were actually exposed via poor API security and poor API management. But Blake Dar from Cloudflare brought us back to fundamentals with a reality check that resonated throughout the year focusing on like a an extreme example of a threat or building as an example like a purple team or a red team to internally red team your infrastructure when you have no two-factor authentication is a waste of time. A lot of it's fueled by I call it fear mon fear-monger marketing right which is people are like oh like look at this threat but like the likelihood of your business getting targeted by that threat it's probably relatively low throughout these conversations Cloudflare's role as an enabler of transformation came through clearly from protecting content creators to enabling zero trust architectures to disrupting cyber crime let's hear directly from our guests about the impact we've introduced a feature inside of Cloudflare called AI audit where it uses our existing reverse proxy and bot management setup. Just go and look for the AI tools that are scraping your content. So, we want to first just make it transparent to people because some people don't mind, right? I don't really mind. My blog about Lisbon is just for me and for fun. It's not a source of income for me. Um but a lot of people do mind and and they should and and so in that situation what we've made available to them after this transparent report is a single easy button where they go and they can click that button and Cloudflare's uh network will block all AI scrapers immediately and whether they want to do that as a timeout just say look I don't have a good to allow the bots from just that particular provider to hit your content. Um we think it's really important it's free and available to everybody. Um, we think it's one of the a valuable tool to making sure that the internet as we know it, an open internet where people want to publish great content continues to thrive. We have to make sure that they're all they're all forced. So using tools out there that that look at our portfolio um I'll do my own portfolio uh that check the little bits like SPF records, uh demark records, cloud workers. I have a a template that I just add a route to as and when we buy a new domain. Um and it just pulls in locks down all the headers uh prevents high frames all that stuff doing it all on the cloud cloudflare edge. Um so we do that. We also can add security headers. So rather than configure them at a at a server layer again inside our stack we can do them at the edge and this is especially pertinent when we don't have a server for a vanity domain. over the last two three years we've worked collaboratively with a lot a lot of different entities outside of even Microsoft with like um Dropbox just all sorts of different entities where we saw hey like a threat actor staging material like malware they're trying to use this to infect you know this person and we're we're seeing a portion of operation we reach out and we're able to get cooperation from other partners that are interested in stopping that operation to stop you know to really stop tax on people as we close out this compilation I asked our guests to share their advice for the their head. Their wisdom spans technology, leadership and mindset. First part is answering question you didn't ask. Not everybody should be managers. That's the thing. Uh second thing, forget taxonomy. Nobody cares to be frank. Nobody cares. If you want to switch from individual contributor as an engineer, as a part of the team to something bigger, when you forget taxonomy, start to think like a customer. Start to think like your stakeholder and start to think like your shareholder. If you will treat your feature or product like full scale product, you will succeed. Really the way to communicate with my peer is to really think about what matter for them from in their day-to-day job what they understand of what is important in the company and how I can connect everything we do to that because without that you can't get interest of on the topic and you can't code the attentions of people or why it's important to do something or why they shouldn't do something. The other thing is that I think one of the big uh uh weaknesses of uh of cyber security teams is that we are super risk averse and we see risk everywhere. That's true. But the life is risky and our colleagues and I'm my peers take risk every day on everything. Having gone through my own transformation and then work with many other companies on many others. Um there is no end to transformation. I think what what what we still have a lot of is resistance to change and a lot of legacy mindset as we have you know a shift now where there's a an older demographic moving out of the workforce and ever younger demographics coming in. I think if organizations can find and strategically deploy those change agents. I think that's where we really see great successes in transformation. Get out, talk to people, and don't just talk to people in your own sector, but talk to people in other sectors because again, no one knows what the answer is, but the answer is out there, right? And you know, the future shows up unevenly. Find great partners, not just vendors, but find great partners. In a time of so much change, it's unlikely that what you're using a company for today is what you're going to use them for tomorrow. As we step into 2026, the lessons from these conversations are clear. Security leaders are no longer gatekeepers. They're business enablers. AI is both challenge and opportunity, demanding we stay curious and adaptable. The human element remains our greatest vulnerability and our greatest strength. And perhaps most importantly, transformation isn't a destination. It's a continuous journey that requires the right partners, the right mindset, and the courage to challenge conventional wisdom. I want to thank all of our incredible guests from 2025 who appeared on the Connectivity Cloud podcast. Your insights have shaped how thousands of security and technology leaders think about their work. And of course, thank you to Cloudflare for making this podcast possible and for continuing to push the boundaries of what's possible in security, performance, and reliability on the internet. Here's to secure, innovative, and transformative 2026. Stay ahead of the curve, stay connected, and stay secure. Thank you for tuning in to the Connectivity Club podcast. [music] If you found today's episode valuable, be sure to subscribe so you won't miss future updates. Stay ahead of the curve, stay connected, and stay secure as always with Cloudflare.