An expert panel reviewed hundreds of submissions. These themes rose to the top.
Now in its 16th year, ISC2 Security Congress is widely regarded as the flagship conference for cybersecurity professionals driving industry standards and professional excellence.
Thousands of practitioners from around the globe will gather, October 24-28 at the Gaylord Rockies Resort and Convention Center and virtually, to stay current on evolving threats and sharpen their approaches to solving current and emerging cyber challenges.
In January, event organizers launched their 2026 call for presentations. This year’s proposals, reviewed by an advisory council panel of experts, reveal the strategic priorities of practitioners and leaders as they focus on what’s next in cybersecurity.
These eight trends are shaping this year’s agenda.
1. AI Security and Governance
It’s not just about AI threats. The focus now is on securing AI systems, governing their use and managing the new risks introduced by semi-autonomous decision-making. Panelist James McQuiggan notes, “Last year, it was model context protocol. This year, it’s Mythos and agentic AI.”
AI isn’t just another technology layer. It’s a new operating model, one that’s rewriting the rules of risk.
2. Quantum Risk and Cryptography
Cybersecurity professionals need actionable strategies for post-quantum cryptography and enterprise crypto agility. McQuiggan calls out quantum as a rising topic: “Quantum, specifically post-quantum crypto, is the topic hiding in the corner, sitting quietly.”
The timelines for replacing encryption across certificates, applications, infrastructure and vendors are massive, and delay creates long-term exposure.
3. GRC Operationalization
Governance, risk and compliance (GRC) is extending beyond policy documents and audit checklists and into strategy that’s measurable, repeatable and operational. GRC can’t just be performative anymore. Organizations are under pressure from regulators, cyber insurers, boards and customers to prove outcomes.
The question is no longer, Are you compliant? It is, Can you prove your risk decisions are sound, and your governance model actually works?
4. Zero Trust Roadmaps
Rather than treating identity as a toolset, it should be positioned as the control plane for modern enterprise security. Panelist Steve Winterfeld, CISSP, notes, “Many talks were about identity management as part of the core solution. This one surprised me a bit.”
Bad actors know identity is the easiest entry point. Credential theft, privilege escalation and identity-based lateral movement remain central to ransomware and cloud compromise. Security teams need real-world zero trust implementation strategies.
5. Incident Response and Resilience Engineering
Incident response has evolved beyond how to investigate alerts and into operational readiness at enterprise scale. Ransomware, third-party disruptions and AI-enabled attacks are increasing in both frequency and impact.
Panelist Dee Childs, CISSP, notes, “There is vulnerability management fatigue and a lack of confidence in the repetitive nature of that cycle. This seems to tie into the broader challenge of managing risk vs. cost.”
6. Cybersecurity Leadership
Cybersecurity leadership centers on running programs, building teams, influencing executives and delivering results that matter. CISOs and security managers are expected to operate like business leaders while navigating technical complexity.
In a world of constrained budgets and expanding risk, cyber leadership ability is a career differentiator. The strongest teams will be led by professionals who can translate security into action, alignment and outcomes.
7. Framework-Centered Security
Frameworks continue to dominate the language of cybersecurity, and there is a strong desire for practical guidance on how to implement them. Knowing what a framework requires is easy but how to implement it effectively across people, process and technology is more difficult.
Focused interests include NIST and ISO alignment, maturity models, control mapping and turning compliance into operational execution.
8. Practical Threat Modeling
Threat actors are innovating faster than most organizations can patch. AI-assisted exploitation, automation and adversary tool kits are compressing the time between vulnerability and compromise.
Common interests include threat intelligence integration, adversary TTP analysis, modern threat modeling methodologies and intelligence-driven prioritization.
Agenda Live Soon
The message loud and clear: the cybersecurity profession is shifting into a new era, and the people who stay ahead will be the ones who learn, connect and adapt.
Watch for the ISC2 Security Congress 2026 agenda release, coming soon. Register now for early bird savings.
