Cybersecurity leaders heading into 2026 face a more complex phase of risk management driven less by a shortage of tools than by an overload of signals, products and rapid technology change, Qualys Chief Risk Technology Officer Rich Seiersen said.
Seiersen said many of the problems chief information security officers grappled with in 2025 stemmed from “too much of everything”, with security teams struggling to separate what matters from what does not as organisations added new security products and generated ever larger volumes of data.
He described the challenge as the “three Ts” of technology, tools and telemetry. Technology reflects the speed of AI adoption and digital transformation across the business. Tools refers to the growing number of security products organisations deploy or evaluate. Telemetry is the flood of signals those tools generate.
“When these three factors come together, security teams find it difficult to distinguish between what is important and what is not,” Seiersen said, adding that AI has amplified the problem because adoption has moved faster than governance.
He said employee use of consumer-facing AI tools without formal approval has accelerated high-risk shadow IT, while more formal AI programmes are increasingly blending software-as-a-service with on-premise infrastructure and autonomous agents that can act with limited human intervention, adding operational complexity.
As that complexity rises, Seiersen said expectations from business leaders have shifted. Executives want security teams to explain how assets, threats and vulnerabilities connect to business value, and to show where limited security spending will have the biggest impact.
That means moving away from treating every alert as equal, he said, and towards prioritising the most consequential attack paths and taking targeted, non-disruptive action to reduce high-impact risk. Seiersen said CISOs are under growing pressure to demonstrate active risk reduction aligned with business priorities rather than passive monitoring.
One of the most underestimated issues in 2026 will be the AI risk surface that many organisations are not measuring closely enough, Seiersen said. Companies are investing heavily in AI, often driven by fear of falling behind, and security leaders are expected to reduce AI risk while also using AI to help manage it.
He warned that in the rush to deploy AI widely, basic risk questions are often missed, including what could be lost if systems are misused or fail and what evidence would indicate those losses are occurring.
He added that organisations often set broad, universal standards across all AI activity rather than focusing on areas where AI directly supports revenue-generating business units, an approach he said can dilute defences.
Seiersen also said cyber insurance is entering a more measured phase. He expects a modest tightening in 2026 that could bring greater focus on controls, some premium increases and more selective underwriting, while noting that a systemic event such as a widespread cloud outage or supply chain attack could accelerate market shifts.
He said organisations are increasingly treating cyber insurance as part of broader risk financing, with CISOs working more closely with chief financial officers to balance risk transfer through insurance against risk reduction through security investment.
As 2026 approaches, Seiersen said the key test for organisations will be their ability to cut through noise, tie AI risks to business realities and make disciplined choices about where to invest.

