January 23, 2026
Cybersecurity in 2026: What leaders need to know
Martin Tyley
Global Lead Partner

The latest Global Cybersecurity Outlook from the World Economic Forum (WEF) highlights three forces reshaping cyber risk in 2026: artificial intelligence, geopolitics and cyber-enabled fraud. For many boards, that’s going to raise questions such as “how much loss are we really exposed to?” and “where should the next pound of investment go?”.

Cyber risk, at its core, is still a balance of likelihood and impact. What has changed is the speed and scale of events that organisations are expected to absorb. Leadership teams today want fewer technical descriptions and more clarity on which risks could materially affect strategy, cash flow and resilience. Quantifying cyber risk doesn’t remove uncertainty, but it does translate cyber events into ranges of financial loss that finance and operations teams can work with.

In a recent meeting, a CIO told me she was “tired of heat maps that look the same every year”. She wanted cyber risk framed in the same way she sees any other major exposure: in terms of potential financial impact, which involves trade-offs but gives greater confidence in the numbers. That frustration will be familiar to many executive teams, and it sets the tone for how to read this year’s outlook.

Below are three themes from the WEF report that senior teams may want to keep front of mind as they set priorities for 2026.

1. Artificial intelligence is reshaping the threat environment

Artificial intelligence is accelerating both attack and defence. Attackers are using automated tools and generative content to probe systems faster, personalise scams and scale their operations; defenders are experimenting with AI for detection, triage and response, while working out how to govern these tools responsibly. In one recent global study, 94% of security leaders said AI will be the single biggest driver of change in cybersecurity in the year ahead, underlining how quickly it is reshaping both offensive and defensive playbooks. The result is more activity, wider uncertainty about how quickly attacks can spread, and fresh questions about where to place the next marginal pound of spend.

Quantifying cyber risk can help by showing where AI actually changes the shape of loss. In practice, that means comparing scenarios where AI increases the likelihood of specific events (for example, successful phishing-led fraud) against scenarios where it increases the speed, and therefore the impact, of an incident (such as ransomware). When those scenarios are expressed in financial terms, it’s more apparent to boards whether to invest in additional controls such as new monitoring capabilities or staff training – or whether the residual risk remains acceptable.

2. Geopolitics as a structural driver of cyber exposure

Geopolitical tension has shifted from being something to be aware of to becoming a core driver of cyber exposure. State-linked activity, sanctions, regional regulation and diverging requirements around data localisation are all influencing where data is hosted, which suppliers are viable and what “normal” looks like in certain markets. Nearly two-thirds of organisations now explicitly account for geopolitically motivated cyberattacks – such as disruption of critical infrastructure or espionage – in their cyber risk strategies, underlining how far this has moved into the mainstream board agenda. For boards, this means the same digital estate can carry very different risk profiles depending on geography and counterparties.

Scenario-based risk quantification gives leadership teams a way to compare these geopolitical effects through a common financial lens. For example, teams can weigh the potential loss from a targeted disruption of a regional data centre against a broader supply chain issue affecting a key software vendor, or test how sanctions might affect recovery options. These are not forecasts; they are structured “what ifs” that test whether existing controls, business continuity plans and insurance arrangements are proportionate to the risk faced.

3. Supply chain risk as a persistent blind spot

In every industry sector, organisations rely on complex vendor networks, cloud platforms and managed services. The WEF report points to wide variations in resilience between suppliers and highlights that third-party incidents continue to feature heavily in major disruptions. Although these events may be less frequent than day-to-day attacks, their impact can be disproportionate because they affect shared platforms or critical dependencies.

Boards are increasingly asking for more clarity on the risk that sits across supply chains. Quantifying the risk supports a clearer view by modelling the specific loss events that could originate in the supply chain – for example, a key SaaS provider’s outage, a managed service provider compromise or a data-handling failure at a marketing partner – and estimating the associated financial exposure. This helps identify which supplier scenarios “move the needle” and where investment or contractual changes will meaningfully reduce exposure, rather than spreading effort thinly across every third party. Because supplier data is never perfect, these numbers should be used to compare options rather than as precise predictions.
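A worked example of the scenario comparison described across the three themes above (AI uplift to likelihood versus impact, a supply chain outage, and pricing a control option), added here and not part of the original post or any CRQ product. Each scenario is a likelihood (events per year) and an impact range (median and 90th-percentile loss per event), simulated into an annual loss range; the figures, the Poisson/log-normal model and the 40% training effect are all constructed assumptions for illustration.

```python
"""Scenario-based CRQ: annual loss ranges from likelihood x impact.  All figures constructed."""
import math
import random
from dataclasses import dataclass, replace

Z90 = 1.2815516  # standard-normal z-score at the 90th percentile

@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # likelihood: mean annual event frequency
    loss_p50: float         # impact: median loss per event (GBP)
    loss_p90: float         # impact: 90th-percentile loss per event (GBP)

    def severity_params(self):
        """Fit a log-normal severity curve to the two impact estimates."""
        mu = math.log(self.loss_p50)
        return mu, (math.log(self.loss_p90) - mu) / Z90

    def expected_annual_loss(self):
        """Closed form: frequency x mean of the log-normal severity."""
        mu, sigma = self.severity_params()
        return self.events_per_year * math.exp(mu + sigma ** 2 / 2)

def poisson_draw(rng, lam):
    """Knuth's method; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def nearest_rank_percentile(values, pct):
    ordered = sorted(values)
    return ordered[max(0, math.ceil(pct / 100 * len(ordered)) - 1)]

def simulate_annual_loss(scenario, years=20000, seed=2026):
    """Monte Carlo: Poisson event count per year, log-normal loss per event."""
    rng = random.Random(seed)
    mu, sigma = scenario.severity_params()
    totals = []
    for _ in range(years):
        n = poisson_draw(rng, scenario.events_per_year)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return {"p50": round(nearest_rank_percentile(totals, 50)),
            "p90": round(nearest_rank_percentile(totals, 90)),
            "mean": round(sum(totals) / years)}

def control_benefit(before, after):
    """Reduction in expected annual loss a control buys (GBP per year)."""
    return before.expected_annual_loss() - after.expected_annual_loss()

# Constructed scenarios for the three themes above.  AI uplift is modelled as
# tripled phishing likelihood versus doubled ransomware impact; staff training
# is the control option being priced (assumed 40% fewer successful phishing events).
PHISHING = Scenario("phishing-led fraud", 2.0, 100_000, 500_000)
PHISHING_AI = replace(PHISHING, name="phishing, AI uplift", events_per_year=6.0)
PHISHING_TRAINED = replace(PHISHING_AI, name="phishing, AI + training", events_per_year=3.6)
RANSOMWARE = Scenario("ransomware", 0.2, 2_000_000, 10_000_000)
RANSOMWARE_AI = replace(RANSOMWARE, name="ransomware, AI uplift", loss_p50=4_000_000, loss_p90=20_000_000)
SAAS_OUTAGE = Scenario("key SaaS provider outage", 0.5, 300_000, 1_500_000)

if __name__ == "__main__":
    for s in (PHISHING, PHISHING_AI, PHISHING_TRAINED, RANSOMWARE, RANSOMWARE_AI, SAAS_OUTAGE):
        print(f"{s.name:26}", simulate_annual_loss(s))
```

Read the P50/P90 pair per scenario as the range a board would be shown; the closed-form expected loss is what makes the training option comparable to its cost.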

What this means for leaders in 2026

The gap between cyber activity and organisational understanding is still too great. I believe urgent up-skilling, which includes providing more meaningful data, is required. Leaders need to better understand how cyber risk affects strategy, investment planning and resilience, in language that fits balance sheets and operational plans.

Cyber Risk Quantification (CRQ) tooling is one of the best ways to close the gap. By placing a monetary range around cyber loss, it helps answer questions like: which risks do we accept, which do we mitigate, and which do we transfer?

As one board member put it to me recently, they are not looking for certainty – just confidence that decisions rest on something measurable rather than instinct alone. In 2026, the differentiator is unlikely to be who has the most cyber tools or the loudest “future of cyber” narrative. It will be which organisations keep the conversation anchored in likelihood, impact and shared numbers, so the WEF’s outlook becomes less a source of alarm and more a prompt for better information that, in turn, leads to better decision-making.

Not sure how to get started with CRQ? Reach out to the team today.


