2026 Cybersecurity Outlook: 7 Trends and Threats That Matter Most (According to the Experts)

As we enter 2026, the cybersecurity landscape is shifting faster than many teams can adapt. From AI-powered deception to escalating audit demands, the risks are evolving, but so are the expectations placed on CISOs, CTOs, COOs, and compliance leaders.

We spoke with four senior leaders responsible for cybersecurity to understand what is top of mind and how they’re planning to stay ahead of the evolving threats their organisations face. Here are the seven realities they say you need to be ready for.

View the complete 2026 Outlook Report

See everything this group of CISOs said in the full report, complete with FoxTech's recommendations to operationalise these priorities.

1. AI Is Driving a New Class of Attacks

The next wave of phishing and impersonation attacks will not only be automated, they’ll be personalised, adaptive, and almost indistinguishable from legitimate communication. Generative AI is enabling deepfake voice, video, and text to target individuals and executives with precision.

“The rapid evolution of generative AI will enable more sophisticated phishing, social engineering, and identity spoofing attacks.”
David Hatch, COO, Pathlines Pensions UK Ltd

“We’re seeing deepfakes and LLM-generated phishing that adapts to responses and creates hyper-personalised attack vectors.”
Lisa Ventura, CEO, AI & Cyber Security Association

What to do: Invest in behavioural analytics, zero trust architecture, and employee education that includes deepfake recognition and response protocols.

2. Shadow AI Is the New Insider Threat

Employees are increasingly using unsanctioned AI tools to generate content, write code, and process sensitive data, often with no awareness of the security implications. Even among technology experts, there’s frequently limited visibility into how data is collected, processed, or flows across internal and external systems.

“Employees may use AI tools to process corporate data without realising the potential compliance and security risks.”
Daniel Sibthorpe, Director, Cyber Security & Counter Fraud, Crowe

What to do: Develop and enforce AI governance policies. Provide clear guidance on approved tools and educate teams on the risks of shadow AI.

3. Third-Party Risk Is a First-Party Problem

The complexity of vendor ecosystems is exposing firms to cascading failures, data leakage, and compliance gaps.

“Third-party risk is becoming a first-party problem as interconnected systems create cascading failure points.”
Lisa Ventura, CEO, AI & Cyber Security Association

“In-depth assessments of the supply chain should be high on the agenda for all board groups.”
Daniel Sibthorpe, Director, Cyber Security & Counter Fraud, Crowe

What to do: Conduct rigorous and more frequent supplier audits, require proof of resilience, and integrate vendor risk into your incident response planning. Several leaders noted that audit cycles are increasing in frequency and scope, driven by new compliance expectations.

4. Compliance Is Getting Harder, Not Easier

Regulatory frameworks like TPSA, DORA, and the UK’s emerging codes of practice are reshaping how firms must operate. Compliance is now a board-level responsibility.

“Demonstrating compliance with new regulations will become more demanding.”
Gordon Turnball, Director of Security Engagement, Liberty Global

“Many organizations lack visibility into how AI systems interact with sensitive data, creating compliance and risk blind spots.”
David Hatch, COO, Pathlines Pensions UK Ltd

What to do: Prioritise tools and processes that offer real-time compliance visibility. Map security investments to regulatory outcomes.

5. Security Culture Is Now a Core Business Competency

Traditional training is failing. In its place, organisations must build cultures where security is inclusive, human-centric, and responsive to diverse ways of working.

“Trauma-informed design, accessibility-first awareness, and micro-learning are outperforming old-school training.”
Lisa Ventura, CEO, AI & Cyber Security Association

What to do: Shift from punitive to empowering training. Recognise and reward security-positive behaviours. Design for neurodiversity and inclusion.

6. Strategic Communication Is the CISO's New Superpower

Security leaders must move beyond technical reporting to narrative-driven, business-aligned communication. Boards need to understand risk in terms they care about: operations, cost, and reputation.

“The best security controls in the world are worthless if you can’t explain why they matter.”
Lisa Ventura, CEO, AI & Cyber Security Association

What to do: Train security leaders in strategic storytelling. Translate threats into scenarios. Use metrics that track improvement, not just incidents.

7. Operational Burden Is Increasing Across the Board

The pace of change in technology and threat vectors is overwhelming many in-house teams. Maintaining resilience while adopting new tools and meeting compliance demands requires smarter orchestration.

“Balancing speed of innovation with rigorous third-party checks will strain resources and processes.”
David Hatch, COO, Pathlines Pensions UK Ltd

What to do: Automate response workflows (SOAR), deploy XDR across your environment, and test incident response plans regularly.
