Security Trends 2026: Risk

Fb “When you look ahead to 2026, what do you see as the most significant shift affecting the security and risk environment?”

JA “One of the most significant shifts affecting the security and risk environment is the convergence of security threats. Organisational exposure is no longer confined to discrete domains such as physical, cyber, technological, and personnel security. Instead, these areas increasingly intersect with enterprise governance and regulatory accountability, requiring a more unified and integrated approach to security oversight, risk management, and organisational decision making.

A clear example can be seen in cyber incidents that no longer stop at data loss. A ransomware attack on an organisation’s systems can now halt physical operations, disrupt supply chains, trigger regulatory investigations, and expose serious weaknesses in crisis leadership. What begins as a technical issue quickly becomes an organisational and reputational crisis.

Another example is climate related disruption. Extreme weather events are not simply environmental risks. They interrupt logistics, displace staff, strain infrastructure, and increase the likelihood of opportunistic crime. These pressures interact rather than occur sequentially.

In 2026, the defining change is not about the emergences of new threats, but how quickly risks compound. For senior leaders, this represents a fundamental change in how risk must be understood. Traditional frameworks that separate security, compliance, resilience, and wellbeing are proving inadequate. The most exposed organisations are often those that appear well prepared on paper but lack integration across functions. 

Looking ahead to 2026, the defining challenge will be managing uncertainty rather than predicting specific threats. Organisations that succeed will be those that invest in adaptability, shared risk awareness, and decision making structures that recognise how interconnected modern risk has become.”

FB “Which risks or pressures do you think are currently being underestimated by organisations, and why?”

JA “One of the most underestimated pressures is the human dimension of risk. Organisations continue to focus heavily on technical controls and formal policies, while underestimating human risks and organisational pressures. For example, following major incidents, post event reviews often reveal that staff were aware of emerging problems but felt unable to escalate concerns due to workload, hierarchy, or fear of blame. These cultural factors rarely appear on risk registers, yet they are decisive in how incidents unfold.

Another underestimated area is the cumulative effect of regulatory and accountability demands. Many organisations treat compliance as a static requirement rather than a dynamic risk driver. In reality, regulatory expectations are evolving rapidly, and failure to keep pace can expose leaders to reputational and personal accountability risks that extend far beyond fines and enforcement actions.

There is also a tendency to underestimate how quickly external incidents can disrupt and compound internal risk. For instance, climate related events, geopolitical instability, and digital disruption rarely appears as a single isolated incidents. Instead, they interact with existing weaknesses such as under resourced teams, outdated processes, and poor communication channels. These risks are underestimated because they do not always appear dramatic and immediate. They build quietly, often across silos, until an incident exposes how fragile underlying systems have become. By 2026, organisations that fail to address these pressures holistically are likely to find themselves reacting rather than leading.”

FB “Where do you see the biggest gap between how organisations think about risk and how it actually plays out in practice?”

JA “The biggest gap lies between strategic confidence and operational reality. At a senior level, many organisations believe they have a clear understanding of their risk exposure because policies are in place and reporting mechanisms exist. However, risk as it plays out on the ground is often shaped by informal workarounds, resource constraints, and competing priorities that are not fully visible at board level.

In practice, risk rarely follows neat categories or predefined scenarios. Staff at the operational level frequently manage overlapping pressures, making judgement calls in environments where guidance may be ambiguous or outdated. This lived experience of risk is often poorly captured in formal assessments.

Another dimension of this gap is time. Decision makers tend to think in terms of planned cycles and linear escalation, while real incidents unfold unpredictably and at speed. By the time information reaches senior leaders, the context may already have shifted.

This disconnect matters because it creates false reassurance. Organisations may believe they are resilient when, in reality, resilience depends on individuals compensating for systemic weaknesses. Closing this gap requires leaders to engage more directly with how risk is experienced, not just how it is reported.”

FB “What assumptions about security or risk do you think are most likely to be challenged over the next few years”

JA “One assumption likely to be challenged is that investment in technology automatically equates to security. While technological solutions are essential, they are not sufficient in an environment defined by complexity and rapid change. Over reliance on tools can create blind spots if organisations neglect judgement, adaptability, and human oversight. For example, organisations may deploy advanced monitoring systems yet fail to train staff adequately to interpret alerts and act decisively. When incidents occur, the technology functions as designed, but human response falters.

Another assumption is that past experience is a reliable guide to future threats. Many organisations still plan on the basis that tomorrow’s risks will resemble yesterday’s incidents. However, the pace of change means that new combinations of risk are emerging faster than traditional learning cycles can accommodate. Recent events have shown how new combinations of risk can emerge unexpectedly, such as cyber attacks coinciding with geopolitical tension.

There is also an assumption that resilience can be achieved without addressing organisational culture. Research as repeatedly show that poor communication, unclear authority, and fear of accountability exacerbate incidents. Technical controls cannot compensate for these weaknesses.

I believe that in 2026, these assumptions will be increasingly untenable. Security will be understood less as a state of protection and more as a continuous capability to adapt, learn, and respond under uncertainty.”

FB “If senior decision makers were to rethink one aspect of how they approach risk as they plan for 2026, what should it be?”

JA “Senior decision makers should rethink the idea that risk ownership can be neatly delegated. Too often, risk is treated as the responsibility of specialist teams, while strategic decisions are made elsewhere. In reality, leadership behaviour, priorities, and incentives shape risk outcomes more than any single policy or function.

Planning for 2026 requires leaders to see risk as a shared organisational condition rather than a compliance exercise. This means asking not only whether controls exist, but whether they are usable under pressure and understood by those expected to apply them. For instance actively testing assumptions through scenario discussions, staff engagement, and stress testing of plans. Asking how systems perform under pressure often reveals gaps that routine reporting misses.

Another critical shift is moving from assurance to curiosity. Instead of seeking confirmation that risks are under control, leaders should actively look for weak signals, dissenting views, and uncomfortable insights. This approach is more demanding, but it is far better suited to a volatile environment.

Ultimately, the most effective leaders will be those who create space for honest conversations about uncertainty and failure. By reframing risk as something to be continuously explored rather than definitively solved, organisations will be better positioned to navigate the challenges ahead.”

FB “Is there anything else you think is important for people to understand about the outlook for 2026 that we have not covered?”

JA “There are two interrelated points that are not covered but particularly significant. First, is that reputation, trust, and organisational legitimacy are now as critical to security as technical competence and control measures. Experience increasingly shows that attempts to minimise, delay, or obscure incidents from stakeholders often cause greater and longer lasting harm than the original event itself.

Second, security in 2026 will be assessed less by the absence of disruption and more by the quality of organisational response and recovery. In a highly interconnected operating environment, incidents are no longer exceptional but inevitable. What distinguishes resilient organisations is not only how quickly they recognise emerging threats, adapt under pressure, and learn from experience, but also how effectively they prepare in advance through presilience. Presilience is a relatively new approach that focuses on anticipating uncertainty, strengthening adaptive capacity, and using disruption as a source of learning to enhance preparedness and decision making before future risks materialise.”