ISC2 Insights spoke with ISC2’s CISO Jon France, CISSP, CGRC, CSSLP, ChCSP, about his expectations and predictions for the cybersecurity landscape in 2026, with further supply chain risks and challenges at the forefront.
As 2026 begins, it is a time for cybersecurity professionals to take stock and consider priorities and risk factors for the year ahead. Whether it is talking to members, legislators, other industry bodies, vendors or academics, ISC2 as an organization is fortunate to have access to a great deal of knowledge and analysis about the cybersecurity world and what it and those working in the field are facing.
Jon France, CISSP, CGRC, CSSLP, ChCSP, is CISO at ISC2 and recently shared with us some of his predictions and perspectives about cybersecurity challenges, risks and opportunities for the coming year.
2026 Will Continue to See Heightened Supply Chain Risk
The past year saw several high-profile incidents that catapulted the security of the supply chain into the spotlight.
Recent research found that 70% of organizations are very or extremely concerned about cybersecurity risks in their supply chains. We saw attackers move further upstream, disrupt core digital services and trigger real-world consequences across multiple industries. The Jaguar Land Rover and Marks & Spencer incidents in the U.K. made it very clear how fragile supply chains can be, as well as highlighting how business continuity can depend heavily on outside partners. Cybersecurity is more immediate and interconnected than ever, especially across supply chains, making discussions on third-party risk management (TPRM) all the more critical.
“In 2026, the focus will shift from reacting to such occurrences to building durable resilience in a world where technology adoption continues to accelerate faster than governance frameworks can keep pace,” France said. “Organizations will place much greater focus on understanding their digital supply chain, stress-testing resilience and continuously evaluating exposure. We will also see rising identity-based attacks and access infrastructure, as well as more attempts to compromise AI model pipelines, because adversaries understand the leverage points. The question moving forward is not whether your supply chain will face disruption. It's whether you have the visibility, risk management, the response maturity and the resilience to operate when it does.”
Workforce Skills Take Center Stage
The latest ISC2 Cybersecurity Workforce Study highlighted that budget constraints and hiring freezes have impacted the workforce across the last two years. There is a growing focus on skill needs rather than headcount, and this trend is expected to continue into 2026. As a result, organizations will continue to prioritize skill-based hiring and upskilling their existing workforce over expanding headcount. Skills such as AI and cloud security will be essential for cybersecurity professionals to advance and meet organizational needs.
“AI will continue to support security teams, yet it will not replace the need for foundational knowledge, judgment and hands-on capability,” noted France. “We will continue to see AI as an opportunity rather than a threat and that mindset will continue into 2026.”
“Organizations that invest in their employees and their skill development will have the greatest chance of success. This approach will enable them to equip their workforces with the necessary skills to meet the demands of new and evolving technologies and working practices,” France added.
AI Maturity Shifts to Agentic Risk
The adoption of AI in 2025 continued to move faster than any technology we have seen. In many cases, security teams were securing systems after they had already gone into production. AI was embraced quickly; now governance needs to catch up.
France’s view is that in 2026, the conversation, especially within CISO communities, will shift from experimenting with AI to managing it responsibly at scale. Agentic AI will be a key focus. Organizations will need to decide how much freedom they give systems that can act on their behalf rather than simply provide suggestions. That is a new class of operational risk, and one that will test how prepared we truly are.
“We will also see more attention on how models and agents talk to each other, how data flows between them and what trust signals we rely on. For example, retrieval-augmented generative AI, which gives AI the ability to retrieve and use context in real time - alongside agent chaining through MCP or similar - will become more common. That means we must be much more thoughtful about control and transparency,” France said.
“With the general maturation and evolution of AI technologies, 2026 will reveal which organizations can balance efficiency, speed and responsible AI use, and which ones still have work to do.”
Government to Drive Quantum Urgency
Quantum computing moved from theory and experimental research systems toward commercial reality in 2025 with a slew of announcements around higher-power processors (increased qubit densities) and significant advances in error correction - a key challenge in the world of quantum. In 2026, France noted, the urgency will become impossible to ignore. Governments and regulators are publishing timelines and roadmaps, which is the clearest signal that the countdown to practical quantum capability has truly begun.
“Quantum-enabled threats sit inside every digital system that relies on asymmetric encryption, so we will see organizations shift from curiosity to structured planning. Think of it as a Y2K-style moment, but broader and with higher stakes, and unfortunately not a clear date for the diary,” France said.
“To be honest, I don't think I have seen a technology so far that will threaten widespread cybersecurity quite like quantum will in at least a generation. Where it used to be, ‘oh, this will be a concern in a decade’, we are now seeing this approach in single numbers as a concern. Large enterprises are already preparing, but many smaller organizations have not started, and that readiness gap will become a real concern.”
The ISC2 2025 Workforce Study validates this, with quantum computing coming in near the bottom of the list of skills needed on security teams at 17%, illustrating that it has yet to become a mainstream or accessible technology for many organizations outside large enterprises and academia. However, the organizations that start preparing early will be the ones that avoid disruption later.
Deepfakes Become Weaponized
The use of deepfakes surged last year. According to France, we will see another major shift in the coming year as what started as a threat to public figures and political leaders moves directly into business operations.
“Aiding in identity-based attacks, threat actors will combine convincing audio and video with autonomous tools to impersonate employees, bypass identity checks and scale fraud in ways that traditional business email compromise schemes never could,” he said.
France added that this will spark new conversations around likeness rights, authenticity checks and digital identity standards. It will likely trigger deeper discussions around the ethical use of AI and rights to identity and likeness, as societies work through what trust looks like in a synthetic media world.
“Organizations that get ahead will train employees, enforce verification across multiple channels and start testing emerging deepfake detection tools rather than waiting until the technology becomes unavoidable. Deepfakes are no longer simply about influence. They are becoming a practical tool for attackers to compromise humans, and preparation needs to reflect that,” France said.
Energy and Compute Costs Impact AI and Quantum
In 2026, sustainability will become a consideration as the energy footprint of advanced computing comes into focus. The demands of AI and the cooling requirements of quantum systems will draw serious attention from regulators, investors and business leaders.
“Last year, I was surprised to find that energy consciousness or consumption is a genuine concern for AI and quantum computing but hasn't received much attention yet. It is bubbling up in conversation, but it's not a headline yet. However, it is if the discussion is around building big data centers and high-power computing environments,” France explained.
“The pace of quantum's commercial rollout will be shaped as much by energy capacity as technical readiness, and organizations will begin planning for that reality. That said, I can see the headline this year being, ‘commercial availability of quantum will be limited by conversations around energy consumption’. Energy planning will move from a back-office discussion to a core part of technology and security strategy,” France added.
