March 27, 2026
8 shifts changing how organisations manage risk
Martin Tyley
Global Lead Partner

Cybersecurity is not changing because of a new tool or framework. It is changing because the way organisations use technology has changed. Automation is deeper. Regulation is more complex. Accountability is clearer when things go wrong.

KPMG’s Cybersecurity Considerations 2026 report is written for cybersecurity leaders and decision makers navigating that reality. For many, this change shows up in simple ways. They are asked tougher questions. They are expected to explain decisions, not just controls. And they are finding that some familiar approaches do not hold up when pressure is applied.

The report highlights eight shifts that stand out in 2026. They are not theoretical. They are already showing up in incidents, audits, and board discussions today.

1) Autonomous security and the future workforce

Security tools are no longer just supporting people. In some cases, they are acting for them. I have seen automated systems block access or isolate devices quickly. The response was technically correct. The challenge came later when the business asked who had approved the impact.

As automation increases, organisations need clarity. Who sets the rules? Who oversees them? And how do they know the automation is behaving as expected? Speed without visibility creates risk of a different kind.

2) Geopolitics, compliance and resilience

Cyber risk is now tied closely to geography. Data location, access rights, and regulatory expectations differ by region. These are no longer background details.

I have lately seen cloud strategies need to shift because a regulator took a different view on data residency. I have also seen suppliers create exposure in one country while operating acceptably in another. Compliance is not static. Organisations need to make deliberate choices and be able to explain them.

3) Securing AI systems

AI is now consistently improving everyday processes across multiple industry sectors. The security questions are changing as a result: teams need to understand, and have confidence in, how decisions are made and what data is used. When a person should stay in the loop, and when decisions can be made autonomously by agents, are quickly becoming the conversations that matter.

In several cases, AI deployments have paused not because of technical weakness, but because governance was unclear. Today, AI security is about assurance as much as protection. Organisations need to show control across the full lifecycle, not just at deployment.

4) Managing non-human identities

Most environments now contain more machine identities than human ones. These include service accounts, automation, and system credentials. They often persist for years.

The risk is rarely obvious. Access grows gradually. Ownership becomes unclear. I have seen incidents traced back to an old service account that no one actively managed. Identity governance needs to cover machines more effectively, including lifecycle, access, and monitoring.
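The three gaps named above (lifecycle, access and ownership) can be checked mechanically once an inventory of machine identities exists. The following is an added example, not code from the post or from KPMG; the inventory, the account names and the rotation and idle thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class MachineIdentity:
    name: str
    created: date               # when the credential was issued
    last_used: Optional[date]   # None if no usage record exists at all
    owner: Optional[str]        # accountable team, None if nobody is recorded
    entitlements: int           # number of roles/permissions held today
    baseline: int               # entitlements granted when the account was created

def audit(ident: MachineIdentity, today: date,
          rotation_days: int = 365, idle_days: int = 90) -> List[str]:
    """Return lifecycle, ownership and access findings for one identity.
    The thresholds are assumed policy values, not figures from the post."""
    findings = []
    if ident.owner is None:
        findings.append("unowned")
    if (today - ident.created).days > rotation_days:
        findings.append("stale-credential")
    if ident.last_used is None or (today - ident.last_used).days > idle_days:
        findings.append("idle")
    if ident.entitlements > ident.baseline:
        findings.append("entitlement-growth")   # access grew since creation
    return findings

def review(inventory: List[MachineIdentity], today: date) -> Dict[str, List[str]]:
    """Audit every identity and keep only those with at least one finding."""
    report = {i.name: audit(i, today) for i in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory export (not real accounts or dates of any organisation).
INVENTORY = [
    MachineIdentity("svc-backup", date(2019, 6, 1), date(2026, 3, 20), None, 7, 2),
    MachineIdentity("svc-ci-deploy", date(2025, 11, 10), date(2026, 3, 26), "platform-team", 3, 3),
    MachineIdentity("svc-legacy-report", date(2017, 2, 14), date(2024, 9, 1), "finance-it", 2, 2),
    MachineIdentity("svc-etl-loader", date(2026, 1, 5), None, "data-eng", 4, 2),
]
TODAY = date(2026, 3, 27)  # assumed review date

if __name__ == "__main__":
    for name, findings in review(INVENTORY, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```

Each finding maps to an owner question the business can answer (who owns it, why it still exists, why it holds more access than it started with), which is the evidence the post asks for.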

5) IT and operational technology connectivity

Operational systems are no longer isolated. Sensors, remote access, and connected platforms are common. This brings efficiency, but it also brings risk.

I have seen incidents where IT systems recovered quickly, but business operations did not. Production took longer to restart. Safety checks had to be repeated. When IT and operational systems are connected, accountability for response and recovery must be clear.

6) Preparing for post-quantum cryptography

Quantum risk is not an immediate operational issue. It is a long-term strategic one. Decisions made today will still matter years from now.

Many organisations struggle to identify where cryptography is embedded across systems and suppliers. Treating this as a future upgrade increases cost and disruption. It is better handled as a managed resilience programme with clear priorities.
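One way to turn a cryptographic inventory into the "clear priorities" the post calls for is to rank each use by how long its data must stay protected and who controls the component. This is an added example, not code or figures from the post or from KPMG; the inventory, the supplier name, the three-year migration estimate and the ten-year threat horizon are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public-key families whose security rests on factoring or discrete logarithms.
# Symmetric ciphers, hashes and post-quantum schemes (e.g. ML-KEM) are not listed.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"}

# Purposes where recorded traffic or stored data can be decrypted later, so the
# exposure starts today rather than when a capable quantum computer exists.
CONFIDENTIALITY = {"key-exchange", "encryption-at-rest"}

@dataclass(frozen=True)
class CryptoUse:
    system: str
    algorithm: str             # e.g. "RSA-2048", "ECDH-P256", "AES-256"
    purpose: str               # "key-exchange", "signature" or "encryption-at-rest"
    data_lifetime_years: int   # how long the protected data must stay secure
    supplier: Optional[str]    # None when the component is under our own control

def is_quantum_vulnerable(use: CryptoUse) -> bool:
    return use.algorithm.split("-")[0].upper() in QUANTUM_VULNERABLE

def priority(use: CryptoUse, migration_years: int, horizon_years: int) -> str:
    """If data lifetime plus migration time exceeds the assumed threat horizon,
    the gap already exists today; confidentiality uses rank above signatures."""
    if not is_quantum_vulnerable(use):
        return "none"
    if use.data_lifetime_years + migration_years <= horizon_years:
        return "low"
    return "high" if use.purpose in CONFIDENTIALITY else "medium"

def plan(inventory: List[CryptoUse], migration_years: int,
         horizon_years: int) -> List[Tuple[str, str, str]]:
    """Rank every use; supplier-owned items need contractual, not engineering, action."""
    rank = {"high": 0, "medium": 1, "low": 2, "none": 3}
    rows = []
    for use in inventory:
        p = priority(use, migration_years, horizon_years)
        action = "no action" if p == "none" else (
            "engage supplier" if use.supplier else "migrate in-house")
        rows.append((p, use.system, action))
    return sorted(rows, key=lambda r: (rank[r[0]], r[1]))

# Constructed inventory and planning assumptions (not real systems or estimates).
MIGRATION_YEARS, HORIZON_YEARS = 3, 10
INVENTORY = [
    CryptoUse("archive-backups", "RSA-2048", "encryption-at-rest", 15, None),
    CryptoUse("customer-portal-tls", "ECDH-P256", "key-exchange", 1, None),
    CryptoUse("code-signing", "ECDSA-P256", "signature", 8, None),
    CryptoUse("payroll-sftp", "RSA-3072", "key-exchange", 10, "PayCo Ltd (constructed)"),
    CryptoUse("db-at-rest", "AES-256", "encryption-at-rest", 15, None),
]

if __name__ == "__main__":
    for p, system, action in plan(INVENTORY, MIGRATION_YEARS, HORIZON_YEARS):
        print(f"{p:6} {system:22} {action}")
```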

7) Supply chain detection and response

Third-party questionnaires are still used, but they are no longer enough. Supplier risk changes quickly. New dependencies appear. Operating conditions shift.

I have seen suppliers pass assessments and still become the source of disruption because of how they were integrated into core processes. Effective supply chain risk management focuses on change. It defines thresholds, escalation points, and ownership when risk shifts.

8) The expanding role of the CISO

The CISO role continues to grow. It now includes strategy, resilience, regulation, and investment decisions. However, capacity does not always grow with it.

This creates pressure. The organisations that cope best provide structure: they define ownership, set clear thresholds, and enable consistent decision making. Without this, leadership becomes reactive and unsustainable.

What this means in practice

Across all eight shifts, the message is consistent. Cyber risk management needs to move beyond checking controls. It needs to support decisions.

This does not mean discarding existing frameworks. It means grounding them in evidence, clear assumptions, and clear ownership. In a world shaped by automation, regulation, and interdependence, better risk decisions are not optional. They are a condition for operating responsibly.

You can read about these insights and more in the Cyber Considerations 2026 report here.
