However, since then, things have changed. Let’s revisit those predictions and make some new ones.

1. The Threat Landscape is Changing

2023: Not really.
2026: AI has entered the chat. 

For 2023 I wrote, “everybody will experience the same quality and quantity of attacks that we did in 2022. The technologies, personnel, and practices may change causing us to perceive security differently. However, the actual threats we face will remain mostly the same.”

For the most part, this prediction remains the same. The threat landscape in 2026 will be about the same as 2025, 2024, 2023, and so on. Malware is still a threat. Credential theft remains the primary focus of attackers. And hackers still have the upper hand in every way.

However, when we look at AI systems, there are tremendous changes in the threat landscape. Perhaps the most interesting of these threats are data poisoning attacks. These specifically target AI systems and large language models (LLMs) to produce flawed or misleading output. In 2024, NIST released an advisory about this kind of attack based on a study they conducted titled Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. This study is an interesting read. It is extremely thorough and even identifies some lingering cybersecurity challenges such as the dilemma of open versus closed systems.

The mitigating factor with this kind of treat is that it targets the AI platforms, and not the end users of those platforms. This limits the scope of this threat to a handful of AI platform providers, such as OpenAI, Google, Microsoft, etc. Furthermore, I could not to locate any confirmed instance of a data poisoning attack, however that does not mean it has not happened.

What is a larger issue are employees sending company data into AI platforms with no regard to the sensitivity of that data. This poses a complex challenge for organizations who want to enjoy the benefits of AI but need to protect sensitive data. It also poses a massive challenge for regulated systems under standards such as FedRAMP, CMMC, etc.

Fortunately, the industry is responding to this with ample technologies to manage, monitor, and control AI access as well as model context protocol (MCP) servers. Some examples of AI security providers in this space include Obsidian, Zenity, and Cyberhaven.

2. Executives Will Start Taking Security Seriously

2023: Probably not.
2026: No, and you can turn in your badge with security. 

For 2023, I wrote, “Information security is an esoteric threat to executives. They know it exists, but they cannot quantify it with clear consequences. They know it is serious, but they do not know how to dimmish the threat. They know harm is possible, but it is easy to dismiss it as somebody else’s problem.”

Around 2016 or so, I noticed that many executives would tune out the moment cybersecurity was mentioned. I had CEOs once tell me he was sick of security slowing down his company. Here we are a decade later and this attitude has only become more prevalent. A recent example of this attitude happened in early 2025 when the Trump administration wiped out the entire Department of Homeland Security’s Cyber Safety Review board. The message was unambiguous: security is unimportant. 

Executive indifference to security is a massive barrier for security startups. Leaders only care about security when it becomes a catastrophe. And all they really want is to find somebody to blame.

3. Companies will Commit to Stronger Security Defenses

2023: No, they will stick with “good enough” security
2026: Good enough is pretty good.

What I wrote for 2023 remains relevant. “It is not that executives do not care at all about security. They care up until the exact point they are on par with everybody else. This is the “good enough” approach to cybersecurity. Companies focus on doing what is an “industry standard” rather than doing what is necessary.”

Fortunately, “good enough” security is getting pretty good. One example of this was AWS’s recent announcement of their security agent product. This is a cool new AI technology that can scan an environment, locate vulnerabilities, and suggest improvements. While no AI agent will ever be as good as a skilled human penetration tester, for most organization, this agent is all they really need.

Another good example of how “good enough” has improved is Azure Sentinel. What used to be a mediocre SIEM and endpoint product, has evolved into a respectable security platform. Azure environments have Sentinel built-in, so Azure customers can access and use it easily.

4. We Will See a Megabreach that Cannot be Ignored

2023: We are already ignoring them.
2026: Megabreaches, what’s that?

I cannot even think of a megabreach from 2025 that had any significant impact. Apparently, Verizon had a massive leak in August, which they denied. Whatever. This is a classic “boy cried wolf” problem.

5. Security Staffing will See Improvements

2023: Not likely.
2026: Define “improvements.”  

For 2023 I said, “Cybersecurity does not have a staffing problem; it has a staffing crappy jobs problem. There are ample people out there who want to pontificate about all their grand theories of security. What nobody wants to do is actually run anything.”

The most significant change for 2026 is that AI is changing who companies are hiring. AI can do what a lot of security analysts and engineers once did. It even can write NGINX config scripts, which is something nobody can successfully do. (Yes, that’s a nerdy joke.)

AI can also do a lot of the grunt work industry analysts do, as Richard Stiennon has proved with his IT Harvest platform.

None of this is good news for job seekers. While the cratering US economy accounts for a lot the downsizing, AI is only making it worse. AI will never entirely replace humans, but organizations are testing the limits of that. Teams are being shrunk, and the remaining staff is expected to fill the gaps with AI tools.

This adds up to a bleak outlook for security staffing in 2026.

6. Cloud Eats Security

However, the ultimate prediction for 2026 is that security is everywhere, integrated into everything. In 2021, I identified a growing cybersecurity trend: Cloud Eats Security (also called “platformization”.) Cloud providers, like AWS, Azure, and GCP, and SaaS providers like Salesforce or ServiceNow, were (are) slowly consuming many of the traditional security capabilities (firewall, intrusion detection, vulnerability management, web-application firewalls, etc.)

The impact of this trend is that security is now integrated into the platforms companies use. Companies do not need to purchase individual point-solutions which demand complex and expensive integration efforts. However, even the point solutions are getting on board with this trend, making their products much simpler to roll out and fully integrated into cloud and SaaS offerings.

This was one of the reasons why Google paid $32B for Wiz in 2025. Wiz is a powerful platform that simplifies a lot of cloud security functions. Cloud security providers, like Cloudflare, are also rolling out new capabilities practically everyday. And some of those are free, such as Cloudflare Tunnels which allows anybody to securely host anything on the Internet.

To help monitor all these integrated systems, there are emerging AI-powered security operations products from companies such as AI Strike, Torq, and Dropzone AI.

If all this AI stuff seems unstoppable, and wildly insecure, well, it is. However, there are promising emerging technologies such as Automated Moving Target Defense.

And the final piece of this trend is the rise of automated, integrated managed security providers who can keep an eye on everything. In early 2025, I worked on an MSSP analysis project. I was stunned at how many MSSPs had fully embraced automation, AI, and the cloud in their offerings. Unless your organization is gigantic or a government agency, there is no reason to do security internally. Hire an MSSP. There are a lot of great ones out there that can further simplify security.

Conclusion

For 2026, I predict cybersecurity will continue down the path of more integration, more platformization, and more simplicity. This will not stop attackers, but it does swing the odds of success toward the defenders.

As for the attackers, like the rest of us, they are going to use AI to do their dirty work. And like the rest of us, they are going to generate a lot of pictures of cats playing pickleball. Which means defenders do not need some whiz-bang quantum oscillating over-thruster to stop them. They merely need to make the most of the security tools they already have.

NOTE: The companies mentioned in this blog are for examples only. I received no compensation for mentioning them nor do I endorse them or their technologies. 

The post 2026 Cybersecurity Predictions appeared first on Zenaciti.

How many times have we heard some variation of:

• Attacks against ____ will increase.
• _____ attacks will continue to evolve and become more sophisticated.
• The rise of ____ will give attackers new ways to _____ (AI is the latest in this category.)
• Boards will finally get serious about security.
• The cybersecurity staffing crisis will continue.

The cybersecurity industry is stuck in a loop. It keeps predicting the same things, repeating the same stories, and advocating the same exhausted cliches expecting things to change. Every year attacks increase, new technologies will save and/or kill us, and executives are on the edge of finally accepting security as a serious issue. These predictions never come true.

See the 2026 Cybersecurity Predictions

Therefore, I present my anti-predictions for 2023 cybersecurity industry:

The Threat Landscape is Changing

Not really.

In 2023, everybody will experience the same quality and quantity of attacks that we did in 2022. The technologies, personnel, and practices may change causing us to perceive security differently. However, the actual threats we face will remain mostly the same.

In fact, I believe that the threat landscape has remained static for the past 20 years. The threats of today are not dramatically different than 2003. Viruses and worms are now called ransomware, but they function largely the same. Hackers are still hunting for credentials and cracking passwords. The avenues of attack are mostly the same, email, websites, etc. Attacks cause more damage today, but that is relative. Everything is more complex and operating at a larger scale than 2003.

In 2023 we have more technologies to detect threats and more words to define them, but the actual threats are the same.

Executives Will Start Taking Security Seriously

Probably not.

One thing you can always count on when there is a big data breach is social media channels filled with “thought leaders” exasperated at how leadership ignored such obvious security problems. These insufferable Captain Obvious crusaders cannot comprehend how people can be so irresponsible.

The reason for executive inaction is simple, it is easy to blame somebody else. When a breach happens, the board or CEO can line up the IT department and blame them. They can then make a promise to fix everything. (See: Solarwinds case for proof of this.)

Information security is an esoteric threat to executives. They know it exists, but they cannot quantify it with clear consequences. They know it is serious, but they do not know how to dimmish the threat. They know harm is possible, but it is easy to dismiss it as somebody else’s problem.

As such, they fall back to the next item on this list.

Companies will Commit to Stronger Security Defenses

No, they will stick with “good enough” security.

It is not that executives do not care at all about security. They care up until the exact point they are on par with everybody else. This is the “good enough” approach to cybersecurity. Companies focus on doing what is an “industry standard” rather than doing what is necessary.

This is why executives are obsessed with copying what other company’s are doing. They reason that if a product is good enough for a big company, like Netflix or Apple, then it must be good for everybody. This ignores the fact that technology is useless unless it is implemented and managed properly.

Companies keep throwing technologies at security problems and consistently fail to operationalize those technologies. That is because doing the operationalization work is complex, unrewarding, tedious, and does not get you likes on LinkedIn. This is a positive feedback loop: bad security, begets more tech, begets more complexity, begets weaker security, and return to start.

Or as RoboCop’s Dick Jones says, “who cares if it works.”

We Will See a Megabreach that Cannot be Ignored

We are already ignoring them.

2023 will undoubtedly see plenty of data breaches. They will get plenty of coverage and then fade from memory. This is partially due to breach fatigue, but also because breaches are not that serious to most companies. They cause a brief period of turmoil, and then are quickly forgotten.

The recent Lastpass breach is a good example. While some of us dumped Lastpass, thousands shrugged off the news. It is too difficult, time consuming, and complex for most organizations to replace them. Once a technology is entrenched in organizations, removing it is painful.

Megabreaches are also so common these days, that they have lost their impact. There is little we can do to stop them.

Security Staffing will See Improvements

Not likely.

Cybersecurity does not have a staffing problem; it has a staffing crappy jobs problem. There are ample people out there who want to pontificate about all their grand theories of security. What nobody wants to do is actually run anything.

This is because working blue team defense in cybersecurity is like being the janitor’s assistant’s intern. All the miserable work (such as compliance implementation) is dumped on you. The executives treat you with contempt. If you report any serious issues, you are either ignored or retaliated against. When there is a breach, you are blamed, fired, and humiliated. Meanwhile, you are expected to know how to secure everything, everywhere, with flawless perfection.

The cybersecurity industry is top-heavy with self-important thought leaders who are unable or unwilling to get their hands dirty with the operational realities of security. The industry keeps venerating these people, while ignoring the regular folks who grind away everyday keeping things safe.

This also causes skilled security people to seek out careers that are safer, such as penetration testing. Oddly enough, breaking into environments is a more rewarding job than protecting them.

Bitter, Party of One

Okay, maybe all of this sounds a little bitter.

I point out these problems because I know they are fixable. I have seen organizations with strong, effective information security programs. I have met some brilliant operators who can single-handedly solve vexing problems. I believe…no…I KNOW there is a brighter future for security.

That brighter future is frustratingly difficult to achieve when there are so many impediments to success. Annual cybersecurity predictions are only perpetuating these problems.

The Brighter Future

Let’s set the cynicism aside and think about what we could do differently this year. Here are some of my ideas:

• Stop buying new technologies, or settle on new ones and plan to stick with them at least a few years.
• AI will not solve everything. It is merely a new tool. It must be mastered like any other tool.
• Hire people that are slightly unqualified for security roles. Grizzled “experienced” people often come with a ton of baggage.
• Focus security on operationalizing and automating every aspect of security.
• Stop making excuses and move all your workloads to the cloud. Containerize as much as you can.
• Pay your operators more so you can attract the smart ones. Hire more of them so they can learn from each other. Reward the creative ones.
• If you hire a managed security provider, hold them accountable. If they cannot deliver, fire them quickly and replace them
• Focus on changing faster, making people more comfortable with change, and making your environment able to change at a moment’s notice. Ability to change = effective security.
• You are not going to educate your users. Users are human and all humans do stupid things. If your company cannot handle human stupidity, then you will never be secure. Human stupidity is a constant. Build systems that can withstand constant interactions with stupidity.
• If you do not have a person on staff who can write (decent) documentation, get one. Now. Document everything. Follow it.

These are only a few ideas. I would love to hear your ideas. That is where real answers begin to emerge. When we accept that something is not working and want to make it better.

Conclusion

I predict in 2023 cybersecurity will make many of the same mistakes. I also predict, a few people will start to see a brighter future. They will become agents of change. They may be disliked and even feared. Yet, they will make a difference.

Making a difference is all any of us can hope for in the coming year.

This article was revised on 11/24/2023 to be a little less cynical.

The post Cybersecurity Anti-Predictions for 2023 appeared first on Zenaciti.