Today, we bring you the second half of Emerging Threats 2026, the first episode of which we aired last year. In the previous episode, Steve outlined the threats and challenges that enterprises and business leaders will face in 2026 and beyond. Today, he answers questions from the audience. We’ll get into artificial intelligence, supply chain and geopolitical challenges, corporate governance, risk and resilience, and more.

Key Takeaways:

1. Cyber resilience today is about data, data, and data.
2. Enterprises must help their suppliers to meet adequate security standards.
3. AI will be a big challenge for the board in 2026.

1. Managing supply-chain risk (5:07)
2. How leaders can deal with risks outside of their control (12:16)
3. An evolving cyber threat landscape (15:37)

1. “Assuming you've got your policies and your processes in place, I would suggest you have an AI committee that actually approves or otherwise the way in which these tools are then implemented across the business. Why have a committee? Because that way you can pull in representatives from different parts. You can have security, you can have IT, you can have legal and people from the mainline businesses. Everybody makes a decision based on very well-defined criteria, no comeback on any individual, and either it's approved or it isn't.” - Steve Durbin
2. “How do you avoid getting caught out? For me that's not what's happening. If you happen to be on a list. If you happen to be an organization that has something that is exceptionally interesting or useful, then somebody will want that information. Somebody will want that data. What you have to do is make yourself look pretty unattractive. So it is about all of the tedious things that we don't like. It's about patching, it's about making sure that you're making it difficult for people to access your systems. It means that your monitoring is top of its game.” - Steve Durbin
3. “What measures can we put in place to ensure our suppliers and third party partners meet our security standards? Good question that I think that requires a lot more communication. It is about being really clear as to what it is you're expecting from a security standard perspective. It's about not just setting the bar, it's about helping people to achieve what it is you're expecting them to do. And the really important piece that I would emphasize there is tell them the why. Why do you have to do it? Why is it important? This isn't about people doing tick boxes. It is about people understanding why it's important and how they can help to maintain integrity and security across the whole supply chain.” - Steve Durbin

Read the transcript of this episode
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter

From the Information Security Forum, the leading authority on cyber, information security, and risk management.

The ISF Podcast celebrates 10 years this year. Over the decade that we’ve been in your ears every week, Steve has interviewed a lot of fascinating people: visionary business leaders, neuroscientists and physicists, world leaders, and formerly notorious cyber criminals, just to name a few. We have touched on topics like AI, the human mind, cyber resilience, leadership, and the future of technology and society.

So, to kick off 2026, we wanted to give you a look back, highlighting the very best of this first decade of the ISF Podcast. And don’t worry – we’ll link all the episodes in the show notes.

Check out our favorite episodes from the last 10 years:

1. Mo Gawdat - Rethinking the Paradigm of Artificial and Human Intelligence
2. Brian Cox — Intellectual Honesty & Learning to be a Leader
3. Hannah Fry - What Data Can & Can’t Tell Us About Ourselves
4. Peter Hinssen - The Never Normal
5. Inside the Mind of Today's Cybercriminals (Brett Johnson, Part 1)
6. Steve Wozniak In Conversation with Steve Durbin
7. Captain Tammie Jo Shults - Habits, Hope and Heroes in a Time of Crisis
8. Sadie Creese — Minimising Your Attack Surface
9. Sir Bob Geldof — Challenging Orthodox Thinking
10. Bonus Episode: Reggie Butler — Bringing Your Home to Work

Read the transcript of this episode
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter

From the Information Security Forum, the leading authority on cyber, information security, and risk management.

1. Steve’s four key drivers of cyber risk heading into 2026 are AI, supply chain, quantum, and geopolitical instability.
2. Crucial to cyber resilience are strong governance and a security-conscious culture.
3. Adaptive governance and adaptive security are keys to managing the challenges of 2026 and beyond.

1. Steve’s four key drivers of cyber risk heading into 2026 (2:23)
2. Questions to ask, whether you’re a board member, an executive, or practitioner (16:14)
3. The changing role of the board (18:54)

1. “ Resilience really needs an organizational wide holistic approach that takes technology, it takes governance, it takes operational readiness, and really importantly, it takes people into account.” - Steve Durbin
2. “I think boards need to really take it upon themselves to absolutely recognize that cyber risk is a national risk. It is a business ending risk, and they need to ensure that they don't just have incident response and resilience in place, but that they also have a tried and tested plan, so this is good old fashioned BCP — business continuity planning — with a cyber flavor.” - Steve Durbin
3. “Cyber risk reporting has to be business outcome oriented. Boards, business executives understand revenue, operations, customer impact, legal exposure. That's the way we have to be reporting cyber risk. It's not about how many attacks we repelled, it's not about how good our systems might be. You need to translate it into business language. If you can do that, not only will you get buy-in, but you'll also have a much richer conversation about the role that cyber and therefore cybersecurity and cyber resilience play in the business.” - Steve Durbin