
Originally Posted at VMblog

Industry executives and experts share their predictions for 2026.  Read them in this 18th annual VMblog.com series exclusive. 

Last year, my predictions for the 2025 cybersecurity industry included a need for organizations to understand their digital environments as clearly as threat actors do. That proved accurate as attack-surface blind spots contributed to high-profile incidents. Another prediction of mine was that email would remain the most vulnerable entry point. This, too, proved true, as AI-driven phishing, business email compromise (BEC), and identity-based attacks targeting enterprises materialized, forcing companies to adopt more advanced and layered email defenses.

Other 2025 predictions included a significant increase in C-suite involvement in cybersecurity initiatives and a rise in automation and AI to alleviate the burden on overwhelmed security teams. And both materialized at scale: regulatory pressure brought cybersecurity directly into the boardroom, and AI-powered security operations transformed how organizations triaged, responded to, and even anticipated threats.  

These predictions resonated because they were rooted in a real-world view of organizational maturity, emerging attacker behaviors, and the technological capabilities that were already accelerating beneath the surface. 

Given the accuracy of last year's predictions, I invite you to review my 2026 predictions. Spoiler alert: look for the activation phase of long-dormant malware across operational technology (OT), Internet of Things (IoT), and home-edge environments. You will also read about my anticipation of a coming reckoning in which buyers will force software vendors into secure-by-default engineering. There will also be a shift to boardroom conversations centered on cyber risk in financial terms. And finally, a new era of investor discipline is coming that will accelerate consolidation across the cybersecurity market.

So, with that, let’s take a closer look at where I predict the cybersecurity industry is headed in 2026: 

1. The Malware Time Bomb 

2026 will be the activation phase for malware that has been quietly embedded in OT and IoT systems for years. Monitoring for industrial automation, connected buildings, and smart homes will be a top investment priority. 

The reason this is a top priority is that nation-state access campaigns (e.g., Volt Typhoon) have taught us that there are chronic blind spots, OT-specific threat reports highlight minimal detection coverage, and Mirai-style botnets are appearing at record scale. 

The strategic implications for organizations are that they must prioritize continuous OT/IoT monitoring (passive discovery, network detection), integrate OT telemetry into enterprise Security Operations Center (SOC) pipelines, and expand ISP and home-edge security programs for remote and hybrid workforces.

2. Patching Madness  

The non-stop cycle of patching cannot continue. 2026 will be the year buyers finally say, "Enough!" Organizations will use their procurement power to demand "secure-by-default" software, reducing defect density at release.

The CISA Secure-by-Design Pledge and the EU Cyber Resilience Act have created new, enforceable baselines. The year 2024 saw a record-breaking common vulnerabilities and exposures (CVE) count, indicating with near certainty that patching is an unsustainable, knee-jerk reaction to software flaws that could have been prevented before release. Even now, we see that enterprise buyers are embedding Software Bill of Materials (SBOM) disclosures and vulnerability metrics into new contracts.

In addition, customers will need to include Secure-by-Design and Cyber Resilience Act (CRA) compliance in request for proposal (RFP) scoring; track vendor "patches per endpoint per quarter" as a new key performance indicator (KPI); and use SBOM transparency to triage inherited risk early in the lifecycle.

3. The ROI of Risk 

A shift is coming: technical threats will need to be translated into the language of financial exposure. Boards will accept more risk, and security spending will still rise, but at a slower, more return on investment (ROI)-driven pace.

SEC disclosure rules are now pushing formal cyber-risk reporting to be delivered to boards. Frameworks like the Factor Analysis of Information Risk (FAIR) will be leveraged more because they offer a more consistent method for risk measurement. 

Quantifying cybersecurity risk in financial terms, prioritizing investments based on prior losses, optimizing for resilience metrics (mean time to recovery (MTTR), recovery assurance) over blanket prevention, and communicating trade-offs as business risk rather than technical jargon will all become more mainstream.

4. The Great Consolidation 

Venture capital (VC) and strategic funding will continue to flow into the cybersecurity sector (for AI-driven defense, identity, and cloud posture). However, after 2025’s rebound, investor discipline will cap valuations. The focus will be on capital efficiency. 

The 2025 market saw large exits and renewed VC confidence, but as mentioned above, limited liquidity will keep investors focused on capital efficiency. AI hype will sustain funding but will raise scrutiny of ROI and differentiation.

Investors will need to vet startup durability early (i.e., escrow, step-in rights, and M&A survivability); there must also be platform adjacency and measurable SOC efficiency. With consolidation on the horizon, there will be a need to align partnerships early.

CONCLUSION 

The year ahead will demand sharper prioritization, stronger vendor accountability, and a more mature alignment between operational security, financial exposure, and technology investment.  

If you know how to read the cybersecurity tea leaves, you will see that long-dormant malware is about to surface, the market will force software vendors to adopt secure-by-default engineering, boardroom conversations will center on cyber risk in financial terms, and an era of consolidation across the cybersecurity market is upon us.  

So, heed the signs, or your enterprise may be left behind as others take precautions now to ensure 2026 will be a safe, productive, exciting, and bountiful year.

ABOUT THE AUTHOR

Greg Sullivan is the Founding Partner at CIOSO Global, LLC, specializing in cybersecurity and technology risk management. He advises clients on regulatory compliance and cybersecurity strategies, helping organizations design and implement risk-based cybersecurity capabilities. Previously, Greg served as Senior Vice President & Global Chief Information Officer at Carnival Corporation, leading global IT, innovation, and cybersecurity efforts. He also held leadership roles as CEO and CTO at Global Velocity, focusing on enterprise and cloud security. Greg holds a BS in Systems Science & Mathematics from Washington University in St. Louis and is a Certified Information Systems Security Professional (CISSP).