CISOs face rising scrutiny as AI escalates cyber risk
NCC Group consultants expect 2026 to mark a sharp rise in board-level scrutiny of cyber security, driven by escalating ransomware, AI-enabled attacks and tougher expectations on Chief Information Security Officers.
They also predict a shift in how employers assess CISO performance, with greater emphasis on measurable resilience and personal accountability.
Gary Cannon, Transport Practice Lead at NCC Group, said senior security leaders will face unprecedented pressure over the next year. He expects investment to rise and tolerance for failure to fall. "2026 will not just be another year of cyber escalation, it will be the year accountability becomes non-negotiable. CISOs will need to lead with clarity, communicate risk in business terms, and prove that investment translates into resilience."
CISO role shifts
Cannon said that continued ransomware and large-scale breaches will drive the change in outlook at board level. "Cyber security in 2026: The year CISOs can no longer hide - 2026 will mark a turning point in how organizations view cyber security leadership. As ransomware and large-scale breaches continue to escalate, cyber security will climb even higher on corporate risk registers. This shift will fundamentally change the role and accountability of the CISO."
He said that boards and executive committees will treat breaches as systemic threats. He also expects business consequences to become more direct and visible. "The rising tide of cyber risk: Breaches are no longer isolated events; they are systemic risks impacting reputation, revenue, and regulatory compliance. Boards and executive committees will increasingly see cyber risk as a top-tier business risk, not just an IT issue."
Cannon forecasts larger cyber budgets in this environment. He links those budgets with tighter oversight. "Bigger budgets, bigger responsibilities: CISOs will gain unprecedented budgets and resources in 2026. However, with greater investment comes greater scrutiny. The expectation will be clear: Deliver measurable resilience."
He also expects hiring practices to change. He said experience of a breach will no longer guarantee demand in the market. "The end of the 'CISO war story' era: Historically, CISOs who experienced breaches often became more desirable candidates for 'battle-tested' leaders. In late 2026, this narrative will shift: Breaches tied to poor decisions or underinvestment will no longer be forgiven. Accountability will extend beyond technical competence to strategic foresight and governance."
Cannon said that career risks will grow for security leaders who fall short. He also expects wider regulatory consequences. "Career impact: CISOs will face real consequences for failures, including stalled career progression. Organisations will demand transparency, proactive risk management, and demonstrable outcomes, not just reactive heroics. What does this mean for organizations? Cyber security will become a shared responsibility across the C-suite. Expect stronger regulatory frameworks and personal liability for executives in certain jurisdictions. The CISO role will evolve from 'technical guardian' to 'business risk leader'."
AI as sword and shield
NCC Group also expects AI to play a larger role on both sides of the cyber security divide. Consultants see AI in espionage, ransomware and industrial system attacks. They also expect AI in defensive tools.
Floris Dankaart, Lead Product Manager, Managed Extended Detection and Response at NCC Group, pointed to recent activity. He said AI-orchestrated espionage campaigns have already begun. "AI: 2025 marked the first large-scale AI-orchestrated cyber espionage campaign, where Anthropic's Claude was used to infiltrate global targets. Earlier in the year, it was already apparent that tools that can be used for such a campaign were being developed (for example, 'Villager'). This trend will continue in 2026 - and AI's use as a sword will be followed by an increase in AI's use as a shield."
Dankaart highlighted the growing impact of ransomware on manufacturing. He cited a recent attack on a major carmaker as an example of the risk. "Ransomware: In October 2025, Jaguar Land Rover suffered a ransomware attack that forced a global production halt, disrupting supply chains and causing significant operational downtime. This incident exemplifies how ransomware now targets manufacturing environments where IT and OT are deeply interconnected. Attackers combined encryption with data theft and public extortion tactics, pressuring the company to pay while production lines remained idle. The event highlighted the vulnerability of industrial networks and the cascading impact on suppliers and logistics. In 2026, this trend will continue, targeting ICS controllers and safety systems to maximize operational and reputational damage. Expect campaigns to leverage AI for adaptive payloads and lateral movement across industrial networks. For defenders, OT (micro) segmentation, anomaly detection for industrial protocols, and offline recovery plans will become non-negotiable as ransomware shifts from data hostage to operational sabotage."
He also expects identity management for devices to improve in the next year. He said this will extend identity concepts beyond human users. "Identity: In 2026, identity for 'headless' devices will become more mature - e.g. in an IoT or OT environment, offering additional defensive capabilities. Expect identity governance to (slowly) extend beyond people to include device identity attestation, cryptographic binding, and lifecycle management for IoT and OT endpoints."
Agentic malware
Nigel Gibbons, Director and Senior Advisor at NCC Group, said AI will reshape attacker behaviour. He expects wider use of AI agents in core stages of intrusion campaigns. "AI is both the biggest accelerator and the biggest wildcard. Threat actors will increasingly use AI agents to automate reconnaissance, phishing, lateral movement and malware development, making attacks faster, adaptive and harder to detect."
He said ransomware will also absorb new AI techniques. He expects more advanced extortion models that target data rather than only encryption. "Ransomware - As a form of extortion, ransomware will continue to evolve and cross-link with AI. Expect an early wave of 'agentic malware' and AI-augmented ransomware campaigns. Instead of just encrypting systems, ransomware will shift towards greater dynamics in stealing, manipulating and threatening to leak or alter sensitive data, targeting backups, cloud services and supply chains."
Gibbons also highlighted supply chain and identity exposures. He expects third parties and account misuse to overtake perimeter intrusion. "Supply chain and identity - Third-party services, SaaS dependencies and identity mismanagement (including human and AI accounts) will become the dominant entry vectors, overtaking traditional perimeter breaches."
He said organisations will start to compete on cyber resilience as well as on products and price. He expects architectural shifts, new tools and stronger governance.
"Cyber-resilience will become a competitive differentiator - Organisations' legitimacy and trust will become key pieces in the competitive landscape. Those that adopt zero trust, AI-powered detection, strong governance and resilience planning will outperform peers, while those relying on legacy controls will face rising operational, regulatory and reputational risk," said Gibbons.