
8 shifts changing how organisations manage risk

Published on
March 27, 2026

Cybersecurity is not changing because of a new tool or framework. It is changing because the way organisations use technology has changed. Automation is deeper. Regulation is more complex. Accountability is clearer when things go wrong.

KPMG’s Cybersecurity Considerations 2026 report is written for cybersecurity leaders and decision makers navigating that reality. For many, this change shows up in simple ways. They are asked tougher questions. They are expected to explain decisions, not just controls. And they are finding that some familiar approaches do not hold up when pressure is applied.

The report highlights eight shifts that stand out in 2026. They are not theoretical. They are already showing up in incidents, audits, and board discussions today.

1) Autonomous security and the future workforce

Security tools are no longer just supporting people. In some cases, they are acting for them. I have seen automated systems block access or isolate devices quickly. The response was technically correct. The challenge came later when the business asked who had approved the impact.

As automation increases, organisations need clarity. Who sets the rules? Who oversees them? And how do they know the automation is behaving as expected? Speed without visibility creates risk of a different kind.

2) Geopolitics, compliance and resilience

Cyber risk is now tied closely to geography. Data location, access rights, and regulatory expectations differ by region. These are no longer background details.

I have recently seen cloud strategies shift because a regulator took a different view on data residency. I have also seen suppliers create exposure in one country while operating acceptably in another. Compliance is not static. Organisations need to make deliberate choices and be able to explain them.

3) Securing AI systems

AI is now consistently improving everyday processes across multiple industry sectors. The security questions are changing as a result: teams need to understand, and have confidence in, how decisions are made and what data is used. When a person should stay in the loop, and when decisions can be left to autonomous agents, is quickly becoming the conversation that matters.

In several cases, AI deployments have been paused not because of technical weakness, but because governance was unclear. Today, AI security is about assurance as much as protection. Organisations need to show control across the full lifecycle, not just at deployment.

4) Managing non-human identities

Most environments now contain more machine identities than human ones. These include service accounts, automation, and system credentials. They often persist for years.

The risk is rarely obvious. Access grows gradually. Ownership becomes unclear. I have seen incidents traced back to an old service account that no one actively managed. Identity governance needs to cover machines more effectively, including lifecycle, access, and monitoring.
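The lifecycle review described above can be automated over whatever inventory your IdP, cloud IAM or secrets manager exports. The following is an added example, not code from the report or from CRI; the inventory records, the thresholds (90 idle days, 365 days without rotation) and the severity rules are assumptions made for illustration, and the review is run against a fixed date so the result is reproducible.

```python
from datetime import date

# Constructed sample inventory of machine identities. Every name and value here is
# hypothetical; a real run would pull this from an IdP, cloud IAM or secrets manager.
INVENTORY = [
    {"name": "svc-backup", "kind": "service_account", "owner": "infra-team",
     "last_used": "2026-03-20", "last_rotated": "2019-04-02", "privileged": True},
    {"name": "ci-deployer", "kind": "api_key", "owner": "platform",
     "last_used": "2026-03-25", "last_rotated": "2025-11-10", "privileged": True},
    {"name": "legacy-etl", "kind": "service_account", "owner": "",
     "last_used": "2024-01-09", "last_rotated": "2018-06-15", "privileged": False},
    {"name": "monitor-agent", "kind": "certificate", "owner": "secops",
     "last_used": "2026-03-26", "last_rotated": "2025-09-01", "privileged": False},
]

# Illustrative thresholds (assumptions); tune them to your own policy.
MAX_IDLE_DAYS = 90             # unused this long -> candidate for disablement
MAX_CREDENTIAL_AGE_DAYS = 365  # secret not rotated this long -> rotate it
REVIEW_DATE = date(2026, 3, 27)  # fixed review date so the example is reproducible


def review_identity(entry, today):
    """Return the lifecycle findings and a severity for one machine identity."""
    idle_days = (today - date.fromisoformat(entry["last_used"])).days
    credential_age = (today - date.fromisoformat(entry["last_rotated"])).days
    findings = []
    if not entry["owner"]:
        findings.append("no owner")
    if idle_days > MAX_IDLE_DAYS:
        findings.append(f"idle for {idle_days} days")
    if credential_age > MAX_CREDENTIAL_AGE_DAYS:
        findings.append(f"credential not rotated for {credential_age} days")
    # An orphaned identity has nobody to answer for it, so it is treated like a
    # privileged one: both go to the top of the queue.
    if not findings:
        severity = "none"
    elif entry["privileged"] or not entry["owner"]:
        severity = "high"
    else:
        severity = "medium"
    return {"name": entry["name"], "kind": entry["kind"], "owner": entry["owner"] or None,
            "idle_days": idle_days, "credential_age_days": credential_age,
            "findings": findings, "severity": severity}


def review_inventory(inventory, today):
    """Review every identity and return only those needing action, highest severity first."""
    rank = {"high": 0, "medium": 1}
    results = [review_identity(entry, today) for entry in inventory]
    actionable = [r for r in results if r["severity"] != "none"]
    return sorted(actionable, key=lambda r: (rank[r["severity"]], r["name"]))


if __name__ == "__main__":
    for r in review_inventory(INVENTORY, REVIEW_DATE):
        print(f'{r["severity"]:6} {r["name"]:14} {"; ".join(r["findings"])}')
```

On the constructed data the unowned, long-idle `legacy-etl` account and the privileged `svc-backup` account with a seven-year-old secret surface as high severity, while the recently rotated, actively used identities produce no findings. The same three checks (owner, last use, rotation age) are what an identity governance process needs to answer continuously, not once at onboarding.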

5) IT and operational technology connectivity

Operational systems are no longer isolated. Sensors, remote access, and connected platforms are common. This brings efficiency, but it also brings risk.

I have seen incidents where IT systems recovered quickly, but business operations did not. Production took longer to restart. Safety checks had to be repeated. When IT and operational systems are connected, accountability for response and recovery must be clear.

6) Preparing for post-quantum cryptography

Quantum risk is not an immediate operational issue. It is a long-term strategic one. Decisions made today will still matter years from now: traffic protected with today's public-key algorithms can be recorded now and decrypted once a sufficiently capable quantum computer exists, and signing keys embedded in long-lived devices are hard to replace later.

Many organisations struggle to identify where cryptography is embedded across systems and suppliers. Treating this as a future upgrade increases cost and disruption. It is better handled as a managed resilience programme with clear priorities.
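A cryptographic inventory is the starting point for the programme described above: each asset's algorithm use is classified, and the quantum-vulnerable ones are prioritised by how long the data or signature must stay trustworthy. The following is an added example, not code from the report or from CRI. The inventory records, owners and usage strings are constructed; the planning assumptions (three years to migrate, ten years until a cryptographically relevant quantum computer must be assumed) are illustrative placeholders for Mosca's inequality, not forecasts.

```python
import re

# Constructed cryptographic inventory. Assets, owners and usage strings are hypothetical;
# data_lifetime_years is how long the protected data or signature must remain trustworthy.
INVENTORY = [
    {"asset": "customer-portal", "owner": "web",
     "usage": "TLS1.2 ECDHE-RSA-AES128-GCM-SHA256", "data_lifetime_years": 10},
    {"asset": "firmware-signer", "owner": "hardware",
     "usage": "ECDSA-P256 code signing", "data_lifetime_years": 15},
    {"asset": "backup-vault", "owner": "infra",
     "usage": "AES-256-GCM at rest", "data_lifetime_years": 7},
    {"asset": "vpn-gateway", "owner": "network",
     "usage": "IKEv2 X25519 + ML-KEM-768 hybrid", "data_lifetime_years": 2},
    {"asset": "partner-sftp", "owner": "supplier:acme",
     "usage": "RSA-2048 host key, AES-128-CTR", "data_lifetime_years": 3},
]

# Public-key algorithms broken by Shor's algorithm.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA",
                      "X25519", "ED25519", "X448", "ED448"}
# NIST-standardised post-quantum algorithms (FIPS 203/204/205) and their pre-standard names.
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA", "KYBER", "DILITHIUM", "SPHINCS"}

# Planning assumptions for Mosca's inequality (illustrative, not forecasts).
MIGRATION_YEARS = 3   # how long replacing the algorithm is expected to take
YEARS_TO_CRQC = 10    # horizon after which a capable quantum computer must be assumed

# Splits "ECDHE-RSA-AES128-GCM-SHA256" into algorithm tokens while keeping "ML-KEM" whole.
TOKEN = re.compile(r"[A-Z0-9]+(?:-(?:KEM|DSA))?")


def classify_usage(usage):
    """Classify one usage string; returns (category, sorted vulnerable algorithm names)."""
    tokens = set(TOKEN.findall(usage.upper()))
    vulnerable = tokens & QUANTUM_VULNERABLE
    post_quantum = tokens & POST_QUANTUM
    if vulnerable and post_quantum:
        category = "hybrid"                 # classical + PQ: acceptable transition state
    elif vulnerable:
        category = "quantum-vulnerable"
    elif post_quantum:
        category = "post-quantum"
    else:
        category = "symmetric-or-hash-only"  # AES, SHA-2 etc. keep adequate margin
    return category, sorted(vulnerable)


def migration_priority(category, data_lifetime_years):
    """Mosca's inequality: exposure exists today if lifetime + migration time > time to CRQC."""
    if category == "quantum-vulnerable":
        if data_lifetime_years + MIGRATION_YEARS > YEARS_TO_CRQC:
            return "urgent"   # harvest-now-decrypt-later, or forged long-lived signatures
        return "planned"
    if category == "hybrid":
        return "monitor"
    return "none"


def build_migration_plan(inventory):
    """Classify every asset and order the result by migration priority."""
    order = {"urgent": 0, "planned": 1, "monitor": 2, "none": 3}
    plan = []
    for item in inventory:
        category, algorithms = classify_usage(item["usage"])
        plan.append({"asset": item["asset"], "owner": item["owner"], "category": category,
                     "vulnerable_algorithms": algorithms,
                     "priority": migration_priority(category, item["data_lifetime_years"])})
    return sorted(plan, key=lambda p: (order[p["priority"]], p["asset"]))


if __name__ == "__main__":
    for p in build_migration_plan(INVENTORY):
        print(f'{p["priority"]:8} {p["asset"]:16} {p["owner"]:15} {p["category"]} {p["vulnerable_algorithms"]}')
```

The point of the ordering is the one the text makes: the supplier-operated SFTP host using RSA is not the first priority because its data has a short life, whereas the firmware signer and the customer portal are, because what they protect must remain trustworthy well beyond the assumed horizon. The supplier entry also shows why the inventory has to reach past your own estate.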

7) Supply chain detection and response

Third party questionnaires are still used, but they are no longer enough. Supplier risk changes quickly. New dependencies appear. Operating conditions shift.

I have seen suppliers pass assessments and still become the source of disruption because of how they were integrated into core processes. Effective supply chain risk management focuses on change. It defines thresholds, escalation points, and ownership when risk shifts.

8) The expanding role of the CISO

The CISO role continues to grow. It now includes strategy, resilience, regulation, and investment decisions. However, capacity does not always grow with it.

This creates pressure. The organisations that cope best provide structure: they define ownership, set clear thresholds and enable consistent decision making. Without this, leadership becomes reactive and unsustainable.

What this means in practice

Across all eight shifts, the message is consistent. Cyber risk management needs to move beyond checking controls. It needs to support decisions.

This does not mean discarding existing frameworks. It means grounding them in evidence, clear assumptions, and clear ownership. In a world shaped by automation, regulation, and interdependence, better risk decisions are not optional. They are a condition for operating responsibly.

You can read about these insights and more in the Cybersecurity Considerations 2026 report here.

Author
Martin Tyley
Global Lead Partner
Martin Tyley is the Global Lead Partner of CRI. He has almost 30 years of experience working with clients on security transformation projects, defining and implementing security strategies, building solutions and providing assurance and certification services. Based in Manchester, Martin works across multiple industries and is passionate about changing the way we talk about Cyber Security.