
Cybersecurity Predictions 2026: What Security Leaders Learned in 2025

The Connectivity Cloud Podcast · 2025-12-16 · 23 min

Substance score

46 / 100

Five dimensions, 20 points each

Insight Density: 10 / 20
Originality: 8 / 20
Guest Caliber: 13 / 20
Specificity & Evidence: 11 / 20
Conversational Craft: 4 / 20

What our scoring noted

Our reviewer’s read on each dimension, with quotes from the episode.

Insight Density

10 / 20

A handful of genuinely useful data points and non-obvious angles emerge (loyalty fraud economics, SOC cost reduction, KYE threat), but the compilation format means ideas are never developed beyond a sentence or two, and the episode is padded with platitudes like 'transformation isn't a destination, it's a continuous journey.'

Loyalty fraud cost companies about $4 billion globally. A compromised loyalty account sells for between $10 and $50 on the dark web, whereas stolen credit card information only sells for five.
I think they reduced their SOC entry cost by 70%

Originality

8 / 20

Most frameworks (Zero Trust, CISO as business partner, AI-vs-AI) are thoroughly recycled, but there are a couple of fresher angles—the KYE/North Korean fake worker threat and the 'fear monger marketing' critique of the security industry itself stand out as less common takes.

We're getting to KYE, which is know your employee. You have an employee who started at work, won't turn on their webcam. What does that say about that individual?
I call it fear monger marketing, right? Which is people are like, oh, like, look at this threat. But like the likelihood of your business getting targeted by that threat, it's probably relatively low.

Guest Caliber

13 / 20

The underlying guest roster is genuinely senior—Group CISO at Mashreq (12 countries), CISO at Revolut, SVP & CISO at Metro AG—but this is a Cloudflare-produced compilation that repeatedly surfaces Cloudflare's own employees as co-equal voices, introducing promotional dilution.

I lead the team of security, trust and safety for the whole group and the group CISO for the group as well.
Vladimir Krupnov from Revolut reminded us that while generative AI makes headlines, traditional ML has been protecting us for years.

Specificity & Evidence

11 / 20

There are several concrete data points that add real value, but they are islands in a sea of vague advice; the compilation format systematically prevents any number or example from being interrogated or contextualised beyond a single sentence.

Loyalty fraud cost companies about $4 billion globally. A compromised loyalty account sells for between $10 and $50 on the dark web, whereas stolen credit card information only sells for five.
the 45 minutes they used to have to do, just catching up with all the detail and the complexity is now cut down to 6 minutes, 7 minutes

Conversational Craft

4 / 20

This is a narrated clip compilation with zero live conversation; the host stitches together pre-recorded excerpts with linking commentary that is largely promotional, and there is no evidence of a single follow-up question, challenge, or moment of productive disagreement anywhere in the transcript.

Throughout these conversations, Cloudflare's role as an enabler of transformation came through clearly.
As we step into 2026, the lessons from these conversations are clear. Security leaders are no longer gatekeepers, they're business enablers.

Conversation analysis

Computed from the transcript - who did the talking, and the verbal tics along the way.

Share of words spoken

  • Speaker F: 17%
  • Speaker D: 10%
  • Speaker B: 9%
  • Speaker L: 9%
  • Speaker G: 8%
  • Speaker N: 8%
  • Speaker C: 8%
  • Speaker J: 7%
  • Speaker M: 6%
  • Speaker I: 6%
  • Speaker H: 6%
  • Speaker A: 4%
  • Speaker E: 3%
  • Speaker K: 0%

Filler words

  • like: 25
  • so: 20
  • right: 10
  • you know: 8
  • kind of: 7
  • actually: 6
  • basically: 2
  • I mean: 1
  • sort of: 1
  • obviously: 1

Episode notes

In this special compilation episode of The Connectivity Cloud Podcast with Cloudflare, Lia Kazandzhieva, Marketing Campaign Manager at Cloudflare, revisits the most impactful conversations from 2025 with leading CISOs and security experts to distill the lessons that will define 2026 and beyond.

Full transcript

23 min

Transcribed and scored by The B2B Podcast Index.

AI is a nitro. We feel like the more AI mimics a human, the more operational controls you need to have inside the organization. We see a lot of organizations who are saying, you know what, it's the end of the road for this technology. It just is not sustainable. It's too expensive, it's too risky. The thing that scares me to death about these AI tools is the same thing that scared me to death about every SaaS tool that has ever gotten popular.

Welcome to the Connectivity Cloud Podcast. The podcast that provides expert insights into the cloud and IT landscape. I'm Marc Dembo and each month we'll explore key topics like scaling secure infrastructure, tackling emerging risks, and staying ahead of the latest trends. Whether you're managing multi-vendor environments or navigating cloud modernization, this is the show for you, delivering practical advice for today's decision makers.

2025 was a year of transformation in cybersecurity. As AI reshaped how we work, geopolitical tensions intensified, threats and regulatory complexity reached new heights. One thing became clear: security is no longer just about defense. It's about enabling the business to move faster, smarter and more confidently. Today we're revisiting the most impactful conversations from the Connectivity Cloud Podcast to distill the lessons that will define 2026 and beyond. Let's start with a fundamental shift we heard throughout 2025: the transformation of the CISO role from technical gatekeeper to strategic business partner. Olivier Bussolini from Mashreq Bank captured this perfectly.

It was kind of the cliche that you see in all your LinkedIn and other platforms where you have this drawing where someone in a suit is taking you from the small table to the big table. That's just for me, an illustration to talking about the transformation of our role and our added value. When you join a new type of community in your journey, think about adopting the vocabulary, the way of thinking, the culture of this other community. I'm not saying that you lose the essence of who you are and what you are bringing to the table. Not at all. But you need to understand that you are part of a different culture.

I lead the team of security, trust and safety for the whole group and the group CISO for the group as well. I would say, look, I have some business I need to solve, regardless security, regardless marketing, regardless products bringing value like internal processes. So I am a CEO of the small business, bringing additional value to the customers through doing their life more secure.

This shift isn't just semantic. It requires speaking the language of business. Yevan Beluto from Rifiz and bank explained how this works in practice.

Nothing works better than speaking with your customer in their own language. So if you're speaking with a CFO, bring some figures on the table. If you're speaking with a risk officer, bring some risks and also calculate it with money. If you're speaking with IT peers, definitely you need to bring taxonomy. It understands well, you need to calculate, you need to communicate and then you need to deliver. So being consistent on the way, being so confident on that, and definitely bring the best people on board.

AI dominated every conversation in 2025, but our guests cut through the hype to reveal what's actually working and what's still aspirational. Let's hear from Mostafa Hassanin from SMG Swiss Marketing Group and Sam Raya from Cloudflare on how AI has changed the threat landscape.

One of the very concrete things of how AI made things much easier is phishing emails, phishing messages. It writes flawless phishing emails and messages. And it became easier as well because also think of it that way from an attacker perspective. You can use WormGPT, you can use. This is also for the audience. This is like a hacker's, let's say, assistant. So if someone is using AI, we need to evolve our measures so that we can or we are able to effectively combat that. AI versus AI.

The thing that scares me to death about these AI tools is the same thing that scared me to death about every SaaS tool that has ever gotten popular. And it is the careless mistakes we make with integrations or kinds of add-on tools. What terrifies me is somebody in any organization starts using one of these tools and they find some integration or plugin or add-on that very deceptively says, hey, you know, I'm an add-on into your IDE. And the reality is that tool suddenly starts phoning home all the files in your IDE that it's reading because you thought it was this neat little plugin.

But it's not all risk. Sam and Ange Ferrari, SVP and CISO at Metro AG, also discussed with us how AI is delivering real defensive data value.

The biggest trend I've seen is helping people become context aware rapidly. So in some situations I've seen some of the internal tools that we have will help somebody coming into a support ticket suddenly ingest all sorts of information that's been summarized and analyzed by these tools. Maybe the 45 minutes they used to have to do, just catching up with all the detail and the complexity is now cut down to 6 minutes, 7 minutes because all the important points are highlighted for them.

I think that's one of the main challenges we are facing is how you can keep up with all these innovations that are popping up everywhere. So in the professional space, for me, I see that also in the same manner where I think it can bring a lot of good for the company in finding efficiencies, but also in developing new ideas or developing new business models. The question is how you adopt that at scale.

And Vladimir Krupnov from Revolut reminded us that while generative AI makes headlines, traditional ML has been protecting us for years.

AI is a nitro. It kind of speeds things up. It's data analytics or it allows you to hire junior talent. And I have them do the job of the senior talent. A recent example from one of the banks in the industry which I saw, I think they reduced their SOC entry cost by 70%. Everything related to the data or correlation or data analytics, that's another way of using it.

Throughout 2025, a consistent message emerged. The most sophisticated technology stack means nothing if your people aren't empowered and educated. Let's explore this human dimension with Mostafa and Stephanie Cohen from Cloudflare.

A huge role. Because even now, like, you know, I'm the C of the organization. Am I aware of every little thing? No. Right. So in my own point of view, is awareness and education or the human factor? Actually, I see it as the first line of defense, not the weakest point. Use AI in the training, make the training more rewarding, provide an incentive in the training. Is it not like a 15, 20 page document that you need to read through? Policies should not be secret.

The thing that's most similar is that the people are amazing, right? Like incredibly smart, curious people who are mission driven, who are empathetic, who really want to help. Now, what's different? Of course things are different. The speed and technology is kind of overwhelming. I can give you whiplash, this idea that you can really test and iterate things with customers. It's so fun to watch.

And Pedro Gonzalez, CISO and managing director at eq, warned us about the sophistication of modern social engineering, even when you think you're being careful.

We feel like the more AI mimics a human, the more operational controls you need to have inside the organization. You cannot allow one employee to do a transaction of millions of dollars. Four-eyes principle, vendor callbacks, all those classical controls need to be in place. Yes, for sure. We need to invest in training our people to detect those kinds of scams. But if that fails, and it will fail a couple of times because it's only going to be based in heuristics and things like that, it will be a non-deterministic control. Then it's the operational controls on your organization that need to be in place.

For me, it's one aspect, one important aspect of my job I feel is do we have created the right governance in the organizations to ensure that every single team understands that they need to have competencies and they need to be self sustainable to a certain extent in regard of security, we are not doing security on behalf of them. They have to take this topic, ensuring that they have the great understanding of that, how you create this proper safeguard. That's the type of challenge we are facing.

The shift to cloud wasn't just a technology migration in 2025. It represented a fundamental rethinking of how organizations build resilience and agility. Andy Dean from All Saints and Olivier Bussolini from Mashreq Bank shared lessons from the trenches.

I think there's two major shifts that we made. Back in 2019 we transitioned into Google Cloud from a managed supply. We needed to be a bit more dynamic, a hell of a lot more efficient. We needed to kind of absorb new techs really quickly without having to redesign the whole platform. The bigger phase was using our selection of partners and more specifically SaaS tools. We weren't big enough to manage a whole software cycle on multiple platforms, so we kind of made a shift as well. But let's choose the right partners. What's our tech stack like? What does it match? What are we looking to do in the future?

We tried in my past world in Switzerland to have those conversations. It's very difficult, specifically when you speak about cross-country negotiations. But if we can start now and maybe achieve a result in three years, five years, I don't think we're going to have something before that, that would be great because we would be renting, focusing more administrative activities of demonstration of the effectiveness of our control to actual defense.

Christian Riley emphasized how this transformation changes security fundamentals fundamentally.

Whether it's a bricks and mortar retailer moving into e-commerce, whether it's a full e-commerce with less bricks and mortar. I think modernization of that core e-commerce platform is something we see over and over again. We see a lot of organizations who are saying, you know what, it's the end of the road for this technology. It just is not sustainable. It's too expensive, it's too risky. The mistakes I see people make are doing things piecemeal, are not seeing something all the way through, kind of stopping part of the way and not having the right metrics and accountability to figure out whether or not you're on track or off track.

One of the clearest trends in 2025 was the death of the traditional network perimeter. Pedro Gonzalez and Stephanie Cohen explained why Zero Trust isn't just a buzzword, it's a necessity.

What happened in these last years was a shift from the classical perimeter. I mean, we call it the onion ring structure, where you have the internal network, internal production network, and then you have the office network, and you create those rings to protect and fence off attackers. That was actually proven across the years that once the attacker was inside one of those perimeters, it became much easier for him to, you know, laterally shift and move to other internal networks. And then there was actually this change to the identity, right? So we went from having a very strong perimeter to have basically a couple of things, services and endpoints.

The castle and moat situation, which is how people used to defend themselves, does not work anymore. And so Zero Trust is not a product. It's a philosophy. This idea that we really have to understand what the features are of the person trying to access the system. And does the person trying to log into Marc Dembo's computer behave in the way that we expect Marc Dembo to behave? At Cloudflare, we use our own Zero Trust product, and the experience is really seamless once you adopt this idea that your own corporate network is basically the Internet, and the Internet is your corporate network, and we really need to have a good sense of who you are and what systems you, Marc Dembo, can access.

If there was one universal pain point across industries and geographies in 2025, it was regulatory complexity. Olivier Bussolini's frustration represented what many CISOs are feeling.

My simplest view is every regulator should have in mind roughly the same objective. Protection of the country, protection of their own citizen, protection of their market. But let's start by cyber. You would say, okay, when you have an APT, they are most probably, yes, they have some geopolitical motivation sometimes. But for the others who are just motivated by the money, they don't care if they are attacking country A, country B, or country C. Why don't they harmonize their control requirement, their approach? Because today, in every country, I have 12 countries at Mashreq. In every country, there is a slightly different or sometimes vastly different requirement that I have to abide to.

Changing regulatory environment is definitely a trend that's coming up more and more often. The European Union is coming up with their own regulations. One example is the DORA in the UK. We're seeing the same in the US, the same in APAC. And these digital boundaries are going to be more and more frequent. The first thing that you should do is have a regulatory watch model that allows you to tell you on the regulated entities where you operate, which actually regulations apply to you. It's extremely important that you carve out and scope exactly what it means to you. The second thing of course I will do is to try to create a matrix that would touch all these regulations. Your master framework that is able to accommodate the 3, 4, 5 regulations that you need to be compliant with. Spend 80% of the time on the gap and scoping assessment and then 20% on execution.

As we look toward 2025, the threat landscape continues to evolve in concerning ways. Our guests share what's genuinely keeping them vigilant. And it's not always what makes headlines.

I can name a few things which create my agenda for the past several months. So obviously it's biometric security. So KYC bypasses, anything related to the deepfake identities. We see very prominent threat groups, international organized crime, which is actually hiring talent and trying to build some scalable solutions to target the banking industry. Also we can see some attempts from these fake North Korean workers.

We're getting to KYE, which is know your employee. You have an employee who started at work, won't turn on their webcam. What does that say about that individual? Is that the individual you hired and checked their identity of, or has that individual changed? We've seen cases where people are passing, you know, background checks successfully, but they're using a fraudulent identity.

The whole thing around loyalty programs and loyalty activity. A few years ago there was a famous attack where an airline had had its loyalty scheme compromised because there was no sort of real time detection. Loyalty fraud cost companies about $4 billion globally. A compromised loyalty account sells for between $10 and $50 on the dark web, whereas stolen credit card information only sells for five. Those loyalty accounts were not only compromised using password spraying or credential stuffing, they were via poor API security and poor API management.

But Blake Darsh from Cloudflare brought us back to fundamentals with the reality check that resonated throughout the year.

People need to really understand their threat level and they don't. And I think that we as an industry are failing in this area. I had an example this year where the exact same thing happened. Like someone doesn't have 2FA and they're worried about, you know, AI. And I'm like, you don't have an AI problem, you have a 2FA problem. Focusing on like a, an extreme example of a threat or building as an example, like a purple team or a red team to internally red team your infrastructure when you have no two-factor authentication is a waste of time. And a lot of it's fueled by, I call it fear monger marketing, right? Which is people are like, oh, like, look at this threat. But like the likelihood of your business getting targeted by that threat, it's probably relatively low.

Throughout these conversations, Cloudflare's role as an enabler of transformation came through clearly. From protecting content creators to enabling Zero Trust architectures to disrupting cybercrime. Let's hear directly from our guests about the impact.

We've introduced a feature inside of Cloudflare called AI Audit, where it uses our existing reverse proxy and bot management setup. Just go and look for the AI tools that are scraping your content. We want to first just make it transparent to people we've made available to them. After this transparent report is a single easy button where they go and they can click that button and Cloudflare's network will block all AI scrapers immediately. We think it's really important. It's free and available to everybody. We think it's one of the, a valuable tool making sure that the Internet as we know it, an open Internet where people want to publish great content, continues to thrive.

We have to make sure that they're on force. So using tools out there that look at our portfolio, our domain portfolio, that check for little bits like SPF records, DMARC records, Cloudflare Workers. I have a template that I just add a route to as and when we buy a new domain and it just pulls in, locks down all the headers, prevents iframes, all that stuff, I'm doing it all on the Cloudflare edge. So we do that. We also can add security headers. So rather than configure them at a server layer again inside our stack, we can do them at the edge. And this is especially pertinent when we don't have a server for a vanity domain.

Over the last two, three years, we've worked collaboratively with a lot of different entities outside of even Microsoft with like GitHub, Dropbox, just all sorts of different entities where we saw, hey, like a threat actor staging material like malware, they're trying to use this to infect, you know, this person. And we're seeing a portion of the operation. We reach out and we're able to get cooperation from other partners that are interested in stopping that operation to really stop attacks on people.

As we close out this compilation, I asked our guests to share their advice for the year ahead. Their wisdom spans technology, leadership and mindset.

Two parts. First part is answering the question you didn't ask. Not everybody should be managers, that's the thing. Second thing, forget taxonomy. Nobody cares. To be frank, nobody cares if you want to switch from individual contributor as an engineer to something bigger. When you forget taxonomy, start to think like a customer, start to think like your stakeholder and start to think like your shareholder. If you will treat your feature or product like a full scale product, you will succeed.

The way to communicate with my peers is to really think about what matters for them in their day to day job, what they understand of what is important in the company and how I can connect everything we do to that, because without that you can't get interest on the topic. The other thing is that I think one of the big weaknesses of cybersecurity teams is that we are super risk averse and we see risk everywhere. That's true, but life is risky and our colleagues and I, my peers, take risk every day on everything.

Having gone through my own transformation and then worked with many other companies on many others, there is no end to transformation. I think what we still have a lot of is resistance to change and a lot of legacy mindset. As we have a shift now where there's an older demographic moving out of the workforce and ever younger demographics coming in, what happens are natural change agents. And I think if organizations can find and strategically deploy those change agents, I think that's where we really see great successes in transformation.

Leave the building, right? Get out, talk to people. And don't just talk to people in your own sector, but talk to people in other sectors. Because again, no one knows what the answer is. But the answer is out there. The future shows up unevenly. Find great partners, not just vendors, but find great partners. In a time of so much change, it's unlikely that what you're using a company for today is what you're going to use them for tomorrow.

As we step into 2026, the lessons from these conversations are clear. Security leaders are no longer gatekeepers, they're business enablers. AI is both challenge and opportunity, demanding we stay curious and adaptable. The human element remains our greatest vulnerability and our greatest strength. And perhaps most importantly, transformation isn't a destination. It's a continuous journey that requires the right partners, the right mindset and the courage to challenge conventional wisdom. I want to thank all of our incredible guests from 2025 who appeared on the Connectivity Cloud Podcast. Your insights have shaped how thousands of security and technology leaders think about their work. And, of course, thank you to Cloudflare for making this podcast possible and for continuing to push the boundaries of what's possible in security, performance, and reliability on the Internet. Here's to a secure, innovative and transformative 2026. Stay ahead of the curve, stay connected, and stay secure.

Thank you for tuning in to the Connectivity Cloud Podcast. If you found today's episode valuable, be sure to subscribe so you won't miss future updates. Stay ahead of the curve, stay connected, and stay secure. As always with Cloudflare,
