Today, we bring you the second half of Emerging Threats 2026, the first episode of which we aired last year. In the previous episode, Steve outlined the threats and challenges that enterprises and business leaders will face in 2026 and beyond. Today, he answers questions from the audience. We’ll get into artificial intelligence, supply chain and geopolitical challenges, corporate governance, risk and resilience, and more.

Key Takeaways:

1. Cyber resilience today is about data, data, and data.
2. Enterprises must help their suppliers to meet adequate security standards.
3. AI will be a big challenge for the board in 2026.

1. Managing supply-chain risk (5:07)
2. How leaders can deal with risks outside of their control (12:16)
3. An evolving cyber threat landscape (15:37)

1. “Assuming you've got your policies and your processes in place, I would suggest you have an AI committee that actually approves or otherwise the way in which these tools are then implemented across the business. Why have a committee? Because that way you can pull in representatives from different parts. You can have security, you can have IT, you can have legal and people from the mainline businesses. Everybody makes a decision based on very well-defined criteria, no comeback on any individual, and either it's approved or it isn't.” - Steve Durbin
2. “How do you avoid getting caught out? For me that's not what's happening. If you happen to be on a list. If you happen to be an organization that has something that is exceptionally interesting or useful, then somebody will want that information. Somebody will want that data. What you have to do is make yourself look pretty unattractive. So it is about all of the tedious things that we don't like. It's about patching, it's about making sure that you're making it difficult for people to access your systems. It means that your monitoring is top of its game.” - Steve Durbin
3. “What measures can we put in place to ensure our suppliers and third party partners meet our security standards? Good question that I think that requires a lot more communication. It is about being really clear as to what it is you're expecting from a security standard perspective. It's about not just setting the bar, it's about helping people to achieve what it is you're expecting them to do. And the really important piece that I would emphasize there is tell them the why. Why do you have to do it? Why is it important? This isn't about people doing tick boxes. It is about people understanding why it's important and how they can help to maintain integrity and security across the whole supply chain.” - Steve Durbin

Read the transcript of this episode
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter

From the Information Security Forum, the leading authority on cyber, information security, and risk management.

The ISF Podcast celebrates 10 years this year. Over the decade that we’ve been in your ears every week, Steve has interviewed a lot of fascinating people: visionary business leaders, neuroscientists and physicists, world leaders, and formerly notorious cyber criminals, just to name a few. We have touched on topics like AI, the human mind, cyber resilience, leadership, and the future of technology and society.

So, to kick off 2026, we wanted to give you a look back, highlighting the very best of this first decade of the ISF Podcast. And don’t worry – we’ll link all the episodes in the show notes.

Check out our favorite episodes from the last 10 years:

1. Mo Gawdat - Rethinking the Paradigm of Artificial and Human Intelligence
2. Brian Cox — Intellectual Honesty & Learning to be a Leader
3. Hannah Fry - What Data Can & Can’t Tell Us About Ourselves
4. Peter Hinssen - The Never Normal
5. Inside the Mind of Today's Cybercriminals (Brett Johnson, Part 1)
6. Steve Wozniak In Conversation with Steve Durbin
7. Captain Tammie Jo Shults - Habits, Hope and Heroes in a Time of Crisis
8. Sadie Creese — Minimising Your Attack Surface
9. Sir Bob Geldof — Challenging Orthodox Thinking
10. Bonus Episode: Reggie Butler — Bringing Your Home to Work

Read the transcript of this episode
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter

From the Information Security Forum, the leading authority on cyber, information security, and risk management.

1. Steve’s four key drivers of cyber risk heading into 2026 are AI, supply chain, quantum, and geopolitical instability.
2. Crucial to cyber resilience are strong governance and a security-conscious culture.
3. Adaptive governance and adaptive security are keys to managing the challenges of 2026 and beyond.

1. Steve’s four key drivers of cyber risk heading into 2026 (2:23)
2. Questions to ask, whether you’re a board member, an executive, or practitioner (16:14)
3. The changing role of the board (18:54)

1. “ Resilience really needs an organizational wide holistic approach that takes technology, it takes governance, it takes operational readiness, and really importantly, it takes people into account.” - Steve Durbin
2. “I think boards need to really take it upon themselves to absolutely recognize that cyber risk is a national risk. It is a business ending risk, and they need to ensure that they don't just have incident response and resilience in place, but that they also have a tried and tested plan, so this is good old fashioned BCP — business continuity planning — with a cyber flavor.” - Steve Durbin
3. “Cyber risk reporting has to be business outcome oriented. Boards, business executives understand revenue, operations, customer impact, legal exposure. That's the way we have to be reporting cyber risk. It's not about how many attacks we repelled, it's not about how good our systems might be. You need to translate it into business language. If you can do that, not only will you get buy-in, but you'll also have a much richer conversation about the role that cyber and therefore cybersecurity and cyber resilience play in the business.” - Steve Durbin

1. Small and medium-sized businesses must receive support to stay up-to-date with new technologies.
2. As more automation is introduced into business operations, understanding of one’s crown jewels and how to protect them is increasingly important.
3. AI is advancing rapidly with evermore funding, and globally society is not preparing as well as it needs to for what’s to come.

1. Steve’s view on autonomous cyber defense (00:55)
2. The National Cyber Security Centre and its role in the cyber resilience of UK businesses (3:36)
3. How AI will impact jobs in cyber (7:55)

1. “You'll never get me going into an autonomous car. I just won't do it. And people will say, ‘Yes, they're being looked after by some bloke in a tower somewhere who's watching it.” I'm not buying it. I've been working in technology for far too long to know that it is fallible. And so I think we have to really move toward much more transparency in our understanding of where the AI tool is active, the data that it's using, the decisions it's making.” - Steve Durbin
2. “We are looking for large private enterprise to be working collaboratively with people like the NCSC, with people like the ISF, to really help some of these smaller organizations that don't have the luxury or resources available to them to keep a pace with [technology].” - Steve Durbin
3. “If you go back to the internet, we didn't do a good enough job of trying to forecast the way in which the internet was going to be used. We put it out there and we said, ‘Let everybody use it and let's see where it goes.” We are doing, I fear, a similar kind of thing with AI.” - Steve Durbin

1. Boards and senior executives understand there is a threat, but many still lack knowledge of how to deal with it.
2. We are too reliant on technology; for the sake of business continuity, a backup plan must be in place.
3. High-quality simulation exercises are a crucial step toward more cyber resilience.

1. The role of policy and regulation (3:17)
2. Why cyber simulation exercises are so important (5:45)
3. Steve’s thoughts on the recent AWS outage (7:54)

1. “Now, in the boardroom itself, in companies themselves, we have seen over the past few years an increasing awareness of the threat that these kinds of things can bring to really the future of an organization. But the challenge I think we now face is really helping boards, senior executives to transition from, yes, I get there's a threat, but what should I actually be doing about it?” - Steve Durbin
2. “I think that in the main, cloud service providers are still probably far better equipped to provide the level of service that most companies need than you'd be able to do yourself. However, we do need to take into account that things will go wrong. And we have to plan for that. So if you are an organization that can quite happily exist without access to data in a cloud provider, it doesn't have to be Amazon, it could be anybody else, then fine. I would question why you're using them in that case. If on the other hand, you are dependent on them, you have to have some backup in place.” - Steve Durbin
3. “All too often I'm seeing people particularly in the area of, say, cyber simulation exercises, because they're viewing it as a compliance exercise, going for least cost. That to me is a bit like saying I've just moved into an area where I know the burglary rate is quite high. What's the cheapest lock and door that I can get on my front door? It's madness. Not many of us would do it. We would try to work within our budget. We'd try to really figure out how important things were in our house. That's the mentality we have to adopt. So yes, you can get some of these things done very cheaply and you can tick a box, but it's not going to help you when things go wrong.” - Steve Durbin

1. Cyber attacks will continue to increase, and businesses must adjust.
2. Regulators must strike a balance to have clear guidelines without stifling businesses.
3. To take advantage of new technologies like AI, businesses must invest in upskilling their employees.

1. Why cyber crime is on the rise (2:17)
2. How cyber criminals target their victims (4:00)
3. Solving the cyber skills shortage (29:02)

1. “The bad guys only need to get lucky once and they can cause havoc. And so the sorts of numbers you are seeing are them plugging away at it, trying to break down defenses, trying to find a way through. And on the defensive side, of course, we have to be at the top of our game 24/7, and that's just impossible.” - Steve Durbin
2. “We also have very complex supply chains now that obviously are made up of small to mid-size companies. [...] So an easier way of accessing some of this high value information is often via the third party. So you don't necessarily need to be attacking the larger enterprise. You can target a smaller to mid-size, which probably doesn't have the same level of defense, maybe not the same level of awareness. And because it's in the supply chain and sharing information, you can then access through to the larger enterprise.” Steve Durbin
3. “You have to invest in actually looking at the skill sets that you need within your organization and making some hard calls, I think, as to whether or not you do have the right capabilities within your organization. That doesn't necessarily mean that you have to get rid of a lot of people. It means you probably do need to invest significantly in upskilling and training and thinking very hard about how you're going to use some of that new technology.” - Steve Durbin

1. Social media is a tool that can be used for good.
2. Authenticity is key for brand-building online.
3. Posting without purpose is worse than not posting at all.

1. Dr. Singleton’s background (1:21)
2. How to grow your brand authentically (10:22)
3. The risks of posting too much online (15:44)

1. “At a certain point we all just have to come to grips with, we are in charge of our behaviors. We have authority, we have much more agency than we give ourselves credit for. The tech is there. But if we use it, that's up to us. How we rely on it is up to us. Are we only using Chat GPT now? So there's a bit of authority that we still have to appoint ourselves.” - Dr. Tunisha Singleton
2. “If technology is the car, then let story be the driver behind the wheel. There has to be a point in this. Where are we going? That means what are you offering? What are you giving me that can be a utility to my life, my human experience, rather than a replacement?” - Dr. Tunisha Singleton
3. ”If we want to stick out and if we want to build our brand, then shouldn't we have the use the one thing that's different than everybody else, that's our voice. So why would we want to act like everybody else? If our goal is to stand out, then be an individual.” - Dr. Tunisha Singleton