Cyber security in 2026: navigating innovation, regulation and resilience

Cyber security faces a convergence of emerging technologies, evolving regulations and advanced threats. To prepare for what’s next, organisations will need to embrace strategic governance and intentional innovation.

Every year, industry leaders at Forvis Mazars come together to collate insights on the global state of cyber security and offer advice to organisations navigating its complexity. This year’s report explores three key themes: AI integration, data governance and the importance of risk-based approaches in a compliance-focused world. 

Key insights

  • Leading organisations are moving beyond cyber security as a cost centre and finding strategic ways to leverage it as a competitive advantage
  • Whilst AI introduces many new risks, it also offers specific opportunities that resilient organisations must consider
  • With hundreds of disparate compliance and reporting requirements bogging down cyber teams, one approach is allowing businesses to grow, expand and innovate confidently
  • Data governance has become the cornerstone of effective cyber security strategies; our experts share crucial advice for approaching governance strategies amidst complex ecosystems
  • The cyber security skills gap continues to widen, particularly for professionals who understand both traditional security and emerging technologies

To move forward, organisations must embed cyber security into their innovation and implementation strategies whilst staying agile to adapt to evolving threats. Those that do will protect their assets and gain a competitive edge in the digital economy.

“The future of cyber security is not about choosing between security and innovation; it is about achieving both simultaneously. This means thoughtful planning, strategic investment and collaborative approaches that recognise cyber security as a shared responsibility.”

Jan Matto, Partner

Global state of cyber security 

Heading into 2026, cyber security has become a core pillar of digital transformation. The accelerated adoption of AI represents the most profound shift since the move to cloud, introducing disruption not only through changing business strategies but also through a fast-evolving regulatory environment.

_______________

Regulatory evolution and market dynamics

In the European Union, regulations like DORA (Digital Operational Resilience Act) are moving into their enforcement phases, whilst NIS2 regulations are being translated into national frameworks across member states, with implementation deadlines extending into summer 2026. This patchwork implementation and rapid evolution creates both opportunities and challenges for multinational organisations.

Contrastingly, in the United States, the federal approach has focused more on follow-through than new regulation creation. The Cybersecurity Maturity Model Certification (CMMC) requirements for Department of Defense contractors have been enacted, whilst initiatives like the Critical Infrastructure Resilience (CIR) framework continue to evolve. At the state level, the landscape remains fragmented, with 220 different cyber and privacy measures across 38 states and 47 separate AI-related bills across 23 states.

How a risk-based approach ensures continuity without undue cost

This regulatory complexity has created what many industry professionals describe as both a burden and an opportunity. Whilst many new regulations do aim to help improve resilience and business continuity, the burden compliance creates can also be a huge weight for already constrained teams.

 

"Compliance is meant to create a better world, but businesses care about money and business continuity." 

Paolo Zuliani, IT Risk & Advisory Director, Forvis Mazars in Italy

 

As the web of compliance requirements grows, organisations that take a tick-box approach will struggle to juggle disparate requirements and complex areas of overlap. To remain cost effective in their compliance efforts, businesses should prioritise risk-based assessments. Last year’s report details how to approach risk-based cyber security, and it remains a vital strategy: cyber security teams should prioritise and address risks in a way that facilitates compliance, rather than trying to make compliance facilitate security.

_______________

Supply chain integration and the competitive advantage of cyber security

With the technology surface and supply chain of each organisation growing more complex, organisations with strong cyber postures are increasingly benefiting from reputational advantages and supply chain preferences. This trend is particularly pronounced in B2B markets, where requests for proposal (RFPs) and tenders now routinely include substantial cyber security requirements, eliminating from consideration any potential vendor whose cyber measures do not meet the prescribed standard.

The complexity of modern supply chains means that organisations often do not fully understand where their data resides or how it is being processed. This lack of visibility consequently creates significant vulnerabilities, particularly as emerging technologies like AI introduce new forms of data sharing and processing. Additionally, the increasing digitalisation of legacy systems has expanded attack surfaces whilst simultaneously creating new dependencies.  

Ultimately, each organisation is now accountable for cyber security across its entire ecosystem, as reflected in DORA and NIS2.  

This shift towards shared responsibility is driving the adoption of more sophisticated third-party risk management (TPRM) frameworks. The rise of third-party monitoring tools that score organisations on cyber security metrics has created a new form of market pressure. Companies are discovering that their cyber maturity directly impacts their ability to win contracts, secure partnerships and maintain customer trust.

_______________

Artificial intelligence: the double-edged revolution

Artificial intelligence represents both significant opportunity and unprecedented risk in the current cyber security landscape. Most organisations are rapidly adopting AI tools for efficiency gains, but many are doing so without adequate governance frameworks or understanding of the associated risks.

AI threats and opportunities in cyber security

On the defensive side, AI is transforming cyber security capabilities in several key areas:

Network monitoring and anomaly detection 

AI-powered systems are becoming increasingly sophisticated at identifying unusual patterns in network traffic and user behaviour. These systems can process vast amounts of data in real time, identifying potential threats that would be impossible for human analysts to detect manually.

Incident response and automation

AI tools are streamlining incident response processes by automating initial triage, providing natural language interfaces for security research and generating response scenarios. This automation allows security teams to focus on higher-level strategic thinking whilst AI handles routine analysis.

Code security

AI systems are increasingly capable of scanning code for security vulnerabilities, providing real-time feedback to developers and reducing the likelihood of security issues making it to production.

However, the more offensive applications of AI present significant challenges, even for AI-enabled cyber teams.

AI is giving attackers the ability to automate and personalise threats at scale. From instantly spotting vulnerabilities to generating convincing phishing campaigns, the risks are especially acute for non-technical teams. 

The shadow AI challenge

Perhaps the most significant immediate risk comes from "Shadow AI": AI usage that occurs without organisational oversight or governance. The concept of “Shadow IT” is not new to cyber security teams, but the pervasive usage of AI exacerbates the threat posed by these unauthorised technologies. Employees are making thousands of small decisions daily with AI assistance, often inputting sensitive data into systems without understanding the implications.

This phenomenon creates several critical vulnerabilities:

[Infographic 1 - CS 2026: image not reproduced in text]

AI challenges & practical implementation strategies

Agentic AI, systems designed to act without human intervention, is reshaping cyber security. Whilst promising major efficiency gains, these tools introduce risks that many organisations are only beginning to grasp.

 

"Taking the human out of the loop entirely is a massive concern; make sure your agents have proper input validation and understand what the risky inputs and outputs are."

Sean Andrews, Manager, IT Risk & Compliance, Forvis Mazars US

 

The key challenges with agentic AI lie in ensuring proper input validation and maintaining meaningful human oversight.

Although evolving rapidly, AI regulation remains fragmented and nascent. The US promotes innovation with minimal oversight, even mandating AI use in cyber security, whilst the EU’s AI Act contrastingly offers broader, more limiting regulation, though its impact on cyber security is still evolving. This regulatory uncertainty creates challenges for organisations seeking to implement AI responsibly, especially as the market races forward with AI at the centre.

To stay resilient, organisations must not delay innovation but instead must adopt governance frameworks that evolve alongside regulation. Those seeking to harness AI effectively should start with the following approach:

[Infographic 2 - CS 2026: image not reproduced in text]

_______________

Quantum computing: preparing for the paradigm shift

Whilst quantum computing may not pose an immediate threat to most organisations, the potential impact is so significant that preparation must begin now.

 

“The advent of practical quantum computing will fundamentally undermine current encryption methodologies, potentially exposing vast amounts of currently secure data.” 

Paul Truitt, Partner, Forvis Mazars US

 

Understanding the quantum threat

The quantum threat operates on a different timeline than traditional cyber security risks. Whilst quantum computers capable of breaking current encryption standards may be years away from widespread availability, adversaries are already employing "steal now, decrypt later" tactics. 

 

“Cyber criminals are preparing for quantum computing now; so should organisations. The shift to quantum-safe encryption is a complex process that cannot be completed overnight. Businesses must start now to ensure a smooth shift before the threat becomes acute.”

Anton Yunussov, Director, Forvis Mazars in the UK

 

This reality requires organisations to begin transitioning to quantum-safe encryption algorithms now, before the threat becomes acute. The National Institute of Standards and Technology (NIST) has started to release quantum-safe cryptography standards and tools, giving organisations concrete guidance for this transition.

Whilst it may seem far away, organisations can and should begin quantum preparation now with the following steps:

  • Cryptographic inventory: map all systems and data that rely on cryptographic protection to understand potential vulnerabilities.
  • Asset prioritisation: identify which data and systems would be most severely impacted by a loss of cryptographic protection.
  • Transition planning: develop migration strategies for moving to quantum-safe algorithms as they become available.
  • Supply chain assessment: ensure that vendors and partners are also preparing for the quantum transition.

_______________

Data strategy, transformation and governance

The “garbage in, garbage out” principle needs addressing more urgently than ever: AI-driven decisions rely on high-quality data, which makes data governance central to cyber security. Poor data governance creates cascading risks that extend far beyond traditional data protection concerns. During incidents, organisations often discover previously unknown data stored in unmonitored locations with unclear access controls.

This lack of visibility not only creates unknown attack surfaces (data that is not properly catalogued cannot be adequately protected) but also creates compliance risk.

 

“Organisations cannot effectively respond to breaches involving data they do not know they have. Robust data governance is imperative, both for mitigating cyber risk and for implementing data-hungry tooling like AI.”

Gerard Seedorf, Director, Forvis Mazars in the Netherlands

 

Third-party risk management and data sharing

As data sharing grows more complex, third-party risk management (TPRM) has become an essential cyber concern. Multi-layered supply chains often obscure how data is processed and protected, increasing exposure. Effective TPRM requires several key components:

  • Service level agreements (SLAs) with security controls: contracts should explicitly define security and compliance requirements, with the right to audit included wherever possible rather than relying on self-reporting.
  • Regular assessment and monitoring: TPRM programmes are only effective if they include ongoing monitoring and regular reassessment of vendor risks; the right to audit is only valuable if it is exercised.
  • Tiered vendor management: not all vendors pose the same risk. Organisations should implement tiered approaches that focus intensive oversight on the most critical relationships.

Practical data security and governance implementation

Organisations looking to improve their data governance should consider starting with practical exercises rather than abstract policy development. Business continuity exercises can start around a table with leaders, technical and non-technical alike, opening with a simple question like, “what happens if your phone and computer do not work?” This more casual discussion can evolve naturally over time into more sophisticated dialogues about data dependencies and protection requirements.

This conversational approach extends to official policies as well. Cyber teams should ensure that policies are simple enough for non-technical users to understand and implement. Education and partnership can help both enable the workforce to uphold these policies and empower governance teams with the business knowledge they need to design effective measures. 

 

“Security teams should work closely with business units to understand their data needs, develop suitable solutions and explain policies. When people understand the “why,” and when they trust that cyber teams understand what they are trying to achieve as well, they are more likely to comply with security measures.” 

Christopher Hock, Director, Forvis Mazars in Germany

 

This balance between data security and business enablement is a core governance challenge. Overly strict policies often lead to risky workarounds, fuelling the rise of Shadow IT. The most effective approach to workforce enablement combines technical controls with cultural initiatives. Close partnership with business units can create mutual understanding, and compensating controls like monitoring can keep cyber teams informed of user behaviour. 

_______________

Cyber teams and expertise

The cyber security workforce faces unprecedented challenges as the field evolves rapidly, and the skills gap continues to widen. Organisations need professionals who understand both traditional security principles and emerging technologies, but such expertise is both increasingly rare and costly.

The Chief Information Security Officer role in particular has evolved significantly over recent years. CISOs are increasingly expected to function as business leaders rather than technical specialists, with responsibilities extending to regulatory compliance, board reporting and strategic planning. This evolution reflects cyber security's transition from a technical function to a business enabler.

 

“CISOs must now be able to quantify the business value of cyber security, communicate effectively with non-technical executives and align security strategy with business objectives. This takes a lot of hard and soft skills, not to mention experience, that many organisations cannot afford until long after they need it.”

Jan Matto, Partner and Group Head of Cyber security, Forvis Mazars

 

The compensation for CISO roles has increased accordingly, reflecting both the expanded responsibilities and the critical importance of the role. However, this trend also highlights the challenge of developing a pipeline of qualified candidates who possess both the technical expertise and business acumen required for modern cyber security leadership. Many organisations are turning to virtual CISOs as a solution to close gaps within their existing talent pool and provide a broader context of experience.

The innovation challenge

One of the most significant workforce challenges lies in finding professionals who can both innovate and manage, especially in medium-sized organisations. The rapid pace of technological change means that cyber security professionals must continuously learn new technologies whilst maintaining expertise in fundamental security principles.

This challenge is particularly acute in areas like AI and quantum computing, where the intersection of cutting-edge technology and security creates complex requirements that few professionals fully understand. Organisations are increasingly turning to trusted advisors and consultants to bridge this expertise gap, helping guide both strategy and implementation alongside internal teams. 

Building sustainable cyber teams

The traditional approach of hiring individual cyber security experts is becoming increasingly unsustainable for many organisations. The competition for top talent is driving compensation to levels that many cannot sustain, whilst the rapid pace of change makes it difficult for internal teams to stay current with emerging threats and technologies. 

Automation and AI are, of course, enabling cyber teams to scale their operations, but shared service models are also increasingly common, particularly in scenarios involving mergers and acquisitions, where parent companies or investment firms provide cyber capabilities and support for portfolio/child companies. External partnerships are likewise increasingly valuable, providing a best-practice approach to implementations and filling expertise gaps more economically than hiring can.

_______________

Quantifying cyber security value

Organisations are moving beyond mere technical metrics to assess cyber security effectiveness through business impact, looking at achievements like disruptions avoided and revenue enabled by strong security. This shift is key to securing funding and demonstrating ROI.

The cost concern: cyber security as investment, not expense

The proliferation of threats and the complexity of modern technology environments can make cyber security feel like an ever-expanding cost centre. However, leading organisations are reframing cyber security spending as strategic investment.

In particular, many organisations are realising the competitive advantage of solid cyber practices. Strong cyber security postures are an increasingly valuable differentiator in the market, particularly in B2B sectors where customers evaluate vendor security as part of their own risk management. There is a compliance element to this increased focus (customers need to think about their supply chains for the purposes of their own compliance), but customers also frequently cite high-profile incidents when raising cyber requirements, showing an increased market awareness of the potential impact of a disruption. Cyber teams that can quantify and communicate the value of this advantage will unlock unprecedented levels of buy-in.

 

“The age of cyber security as a necessary cost is ending. The age of cyber security as a strategic differentiator has begun.” 

Jeffrey de Bruijn, Director, Forvis Mazars in the Netherlands

 

Of course, cyber security is important to more than just customers; cyber insurance providers are naturally more concerned than ever with what measures are in place, and financing institutions are increasingly factoring cyber security readiness into their risk assessments. Both insurance and financing offer quantifiable incentive for strong security programmes.

Measuring what matters

The most successful organisations are moving beyond traditional security metrics to focus on measuring success in ways that directly relate to business outcomes and stakeholder value. This includes:

[Infographic 3 - CS 2026: image not reproduced in text]

Optimising the ROI of cyber security spend

Organisations that invest in proactive cyber security measures consistently demonstrate better outcomes than those that take reactive approaches. However, with resources limited in even the largest organisations, the following investment focuses can help optimise for ROI and minimise risk:

  • Risk-based prioritisation: focus both human resource and capital on protecting the most critical assets rather than attempting to secure everything equally.
  • Security by Design: build security requirements into systems and processes from the beginning, rather than trying to add them later.
  • Integrated approaches: look for security solutions that address multiple requirements simultaneously, reducing the need for point solutions.
  • Automation and efficiency: invest in tools and processes that amplify human capabilities rather than simply adding more personnel, especially regarding continuous monitoring for ongoing visibility.
  • Employee education: implement regular training and awareness programmes that reduce the likelihood of human error-related incidents and social engineering vulnerability.
  • Incident response preparation: develop and regularly test incident response capabilities in full before they are needed.
  • Shared services: consider shared cyber security services where appropriate, particularly for specialised expertise that does not require full-time internal resources.

_______________

What resilience looks like in 2026 and beyond

Looking ahead to 2026 and beyond, true cyber resilience will go beyond traditional security measures. 

For one, Security by Design will transition from a best practice to a business necessity. Organisations will be expected to demonstrate to customers, regulatory bodies and insurers that security considerations have been integral to their system design and business processes from the beginning, rather than added as an afterthought. 

This approach will be particularly critical for emerging technologies like AI, where the security implications of design decisions may not become apparent until systems are already in production. Indeed, organisations that fail to implement Security by Design principles will find themselves at significant disadvantages in security effectiveness, market reception and regulatory compliance. 

The pace of technological change will also require governance frameworks that can adapt quickly to new challenges whilst maintaining consistent core principles. Resilient organisations will develop governance structures that can work seamlessly across organisational boundaries and technical systems, learn continuously and anticipate emerging threats and opportunities.

 

“The most resilient organisations focus on governance strategies that allow them to scale rapidly. They need to be able to accommodate new technologies and business models without requiring complete framework overhauls.”

Paul Truitt, Partner, Forvis Mazars US

 

As the technology landscape shifts ever more rapidly, the most resilient organisations are building technology-agnostic capabilities that can adapt to change rather than depending on specific tools or platforms. This means adopting an ongoing risk-based approach to threat assessment, creating tool- and vendor-agnostic architectures and focusing on skills-based workforce development instead of expertise in specific technologies.

Ecosystem-wide risk management

Resilience in 2026 will require businesses to think beyond their own boundaries to consider the security of their entire business ecosystem. This includes not only traditional supply chain partners but also technology vendors, service providers and even competitors in shared infrastructure arrangements. 

Key components of ecosystem-wide risk management include: 

  • Shared threat intelligence: collaborating with partners to identify and respond to threats that affect multiple organisations or entities. 
  • Coordinated incident response: developing response capabilities that can function across organisational boundaries. 
  • Standardised risk assessment: using common frameworks and metrics to evaluate and communicate risk across the ecosystem. 
  • Collective defence capabilities: participating in industry-wide initiatives to develop shared defensive capabilities.

_______________

Cyber security must enable innovation, not hinder it

The cyber security landscape in 2026 will present both unprecedented challenges and remarkable opportunities. Organisations that approach these challenges strategically, that is to say by embracing emerging technologies whilst maintaining strong governance, investing in people and capabilities whilst leveraging automation and viewing security as a business enabler rather than a constraint, will find themselves with significant competitive advantages. 

The path forward requires several key commitments: 

  • Embrace change whilst maintaining principles: technology will continue to evolve rapidly, but fundamental security principles remain constant. Organisations must be agile enough to adapt to new technologies and at the same time stay consistent enough to maintain strong security postures.
  • Invest in people and partnerships: the cyber security challenges of 2026 and beyond will require capabilities that no single current organisation can fully develop internally. Strategic partnerships and continuous workforce development will be essential.
  • Measure business impact: security programmes must demonstrate their value in business terms, not just technical metrics. This requires cyber security professionals to develop business acumen alongside technical expertise.
  • Think ecosystem-wide: individual organisations cannot achieve true resilience in isolation. Cyber security must be approached as a shared challenge requiring coordinated responses.

The organisations that will thrive in this environment are those that view cyber security not as a constraint on innovation but as a key enabler of it. By building security into their DNA rather than treating it as an add-on, these organisations will be positioned to take advantage of emerging technologies whilst maintaining the trust of their stakeholders. 

As we look towards 2026 and beyond, the organisations that will succeed are those that start preparing today by building the capabilities, partnerships and governance structures to navigate an increasingly complex and rapidly evolving threat landscape whilst capitalising on the tremendous opportunities that emerging technologies present. 
