
Forbes: 2026 Cyber Risk Management Strategies To Adopt Now


Cyber threats are evolving faster than many organizations’ defenses, fueled by AI-enabled attacks and increasingly organized threat actors. As businesses become more interconnected and more reliant on cloud platforms, automation and third-party providers, cyber risk management can’t rely on static controls or annual checklists alone.

Staying resilient in 2026 will require leaders to reassess how they define risk, prioritize investments and measure readiness across the enterprise. Below, members of Forbes Technology Council share cyber risk management strategies companies need to adopt or upgrade to better address today’s rapidly shifting threat landscape.

Treating Scams And Fraud As Core Cyber Risks

In 2026, cyber risk plans must treat scams and fraud as core cyber risks. The 2025 shift is that deception now looks like normal business, built on trusted workflows, ads and brand assets. CISOs need a single cyber plus fraud view to detect and disrupt abuse across these “trusted moments,” end to end. – Rod Schultz, Bolster AI

Continuous Testing Of NIST Controls

Apply the same operational rigor across compliance and CTEM-driven exposure management. Continuously test that NIST-aligned controls work in production, and validate which exposures are truly exploitable and material. Demand evidence at every step, including retest proof that the fix held, so both audit readiness and risk reduction are based on operational truth, not documentation or scanner output. – Kirk Hanratty, SynerComm Inc.

Zero-Trust Identity Assurance For The Human Layer

Cyber strategies must reimagine zero-trust architecture for the human layer. Organizations authenticate devices and accounts but blindly trust faces and voices on video calls. With GenAI, adversaries can impersonate anyone with precision that’s never been seen before, instantly weaponizing likenesses and turning trusted digital interactions into cybercrime. Identity assurance must happen before trust is granted. – Jim Brennan, GetReal Security

Defense Against Autonomous AI Agents

With OpenClaw (formerly Clawd and MoltBot), we’re seeing the first wave of autonomous AI agents able to browse the web, access file systems, run autonomously, communicate and work together. Thousands of agents created with this open-source tool have already exposed over 1,800 API keys, credentials and histories. We need new thinking around how to protect organizations from this threat vector. – Pete Kistler, Synthesia

Identity Governance For Non-Human Identities

We must have identity governance for non-human identities. In 2026, AI agents, APIs, bots and service accounts will outnumber humans on networks by as many as 80 to 1. Cybersecurity strategies must treat identity as a living control layer, continuously verifying, limiting and revoking machine access in real time, just as if they were humans. Otherwise, risk will spiral. – Praerit Garg, One Identity

Continuous AI-Driven Risk Intelligence

In 2026, cyber risk management must evolve from static controls to continuous, AI-driven risk intelligence. Organizations need real-time insight across identities, data and third parties, mapped to business impact. The goal isn’t more tools, but faster, context-aware decisions as threats emerge. – Punnam Raju Manthena, Tekskills Inc.

Hardware- And Firmware-Layer Security

AI is accelerating attacks at the hardware layer by finding firmware vulnerabilities and targeting supply chains with precision. Traditional strategies stopping at the OS level leave this unmonitored. Organizations need intelligent hardware security that actively monitors and defends at the firmware and hardware layer, operating independently of compromised software. – Camellia Chan, Flexxon

DDoS Defense For Mega-Botnet Attacks

With new mega-botnets Aisuru and Kimwolf each controlling millions of infected devices and demonstrating the ability to coordinate bots into gigantic attacks, companies need to reexamine the risks they have associated with distributed denial of service. They need to consider the scale of attacks these new botnets introduce and reevaluate whether their defense ecosystems will be able to withstand the threat. – Carlos Morales, DigiCert, Inc.

Expanded Two-Factor Authentication Coverage

The core problem of cyber risk in 2026 remains identity management and two-factor authentication. Companies that have succumbed to data breaches in the past are more vulnerable, as threat actors can cause a double impact by harvesting identity information and misusing it due to a lack of 2FA. Investing in 2FA capabilities is critical to prevent future breaches and ensure business continuity. – Kris Lahiri, Egnyte

AI Guardrails And Visibility Controls

When an organization adopts AI tools in day-to-day operations—especially when using AI-powered security tools to fight AI-powered threats—leaders must use extreme caution and prioritize strict guardrails and visibility controls. The underlying LLMs can become attack vectors through tactics like prompt poisoning. – Guy Segal, Sygnia

Persistent, Adaptive Identity Assurance

Cyber risk management must upgrade identity from a login control to a continuous trust signal. Static credentials and one-time multifactor authentication checks can’t keep up with deepfakes, social engineering and automated attacks. Risk programs should prioritize persistent, verifiable identity assurance that adapts as behavior, context and threat patterns change. – Michael Engle, 1Kosmos

Continuous AI-Enhanced Penetration Testing

Based on my experience leading penetration testing on modern cloud platforms, 2026 cyber risk management strategies must move beyond annual checklists. AI-enhanced, continuous pen testing that simulates real attacker behavior across identities, APIs and cloud systems is essential to uncover chained attack paths early and generate actionable, real-time risk signals rather than static reports. – Nethaji Kapavarapu, Kyra Solutions Inc.

‘Crown Jewel’ Data Mapping And Behavior Monitoring

Add “crown jewel” asset mapping to 2026 strategies. Identify your most critical data, then protect it by monitoring for suspicious behavior, like unusual logins or odd data access, rather than chasing known threats. Combine this with zero-trust principles: Verify everything, limit access and assume breaches will happen. This moves teams from reactive defense to earlier, more effective risk detection. – Matthew Polega, Mark43

MFA Fraud And SMS Pumping Protections

As the usage of multifactor authentication increases, so do ways to create fraud around it. SMS pumping is growing, and companies need to put in protections to defend against it. Failing to do so may not only result in a bad experience but also a big unplanned telephony expense! – Pam Brodsack, Velera
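The SMS-pumping protection mentioned above, as an added example (written for this page, not code from Velera or the contributor): a sliding-window velocity guard in front of the OTP sender. It refuses a send when one client triggers too many codes, or when verification requests fan out across many distinct numbers in the same number block, which is the shape of a pumping burst. The window size, limits, prefix length and the sample traffic are all constructed assumptions.

```python
"""Velocity guard for OTP/SMS send requests (added example, constructed limits)."""
from collections import deque
from dataclasses import dataclass, field
import re

# Strict E.164 shape: '+', a non-zero country digit, 6-14 further digits.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


@dataclass
class SmsVelocityGuard:
    window_seconds: int = 600      # sliding window (constructed)
    max_per_source: int = 5        # sends one client may trigger per window
    max_per_prefix: int = 8        # distinct numbers per number block per window
    prefix_len: int = 8            # "+1555010" = one block of 10,000 numbers
    _events: deque = field(default_factory=deque, init=False)  # (ts, source, dest)

    def _prune(self, now):
        # Drop events that fell out of the window.
        while self._events and now - self._events[0][0] > self.window_seconds:
            self._events.popleft()

    def check(self, now, source, dest):
        """Return ("allow" | "deny", reason) for a send request."""
        if not E164.match(dest):
            return "deny", "invalid E.164 number"
        self._prune(now)
        prefix = dest[:self.prefix_len]
        # Rule 1: per-client velocity, regardless of destination.
        by_source = sum(1 for _ts, src, _d in self._events if src == source)
        if by_source >= self.max_per_source:
            return "deny", "source velocity"
        # Rule 2: fan-out across a number block. A resend to a number already
        # seen in the window does not count as new fan-out, so legitimate
        # "didn't get my code" retries are not penalised here.
        distinct_in_prefix = {d for _ts, _s, d in self._events if d.startswith(prefix)}
        if dest not in distinct_in_prefix and len(distinct_in_prefix) >= self.max_per_prefix:
            return "deny", "prefix fan-out"
        self._events.append((now, source, dest))
        return "allow", "ok"


def run_constructed_burst():
    """Replay constructed traffic: ordinary sign-ins, then two pumping patterns."""
    guard = SmsVelocityGuard()
    # Three unrelated users verifying their own numbers.
    legit = [guard.check(1000 + i, f"user{i}", d)[0]
             for i, d in enumerate(["+14155550100", "+14155550117", "+12125550142"])]
    # Fan-out across one block (+1555010xxxx) from rotating client ids.
    fanout = [guard.check(1100 + n, f"client{n}", f"+1555010{n:04d}")[0] for n in range(12)]
    # Rapid-fire from a single client to scattered, unrelated numbers.
    single = [guard.check(1200 + n, "client-x", f"+1{2020000000 + n * 1000003}")[0]
              for n in range(8)]
    return legit, fanout, single


if __name__ == "__main__":
    for name, outcome in zip(("legit", "fanout", "single"), run_constructed_burst()):
        print(name, outcome)
```

Both denials are cheap to evaluate before the telephony call is made, which is where the unplanned expense the contributor mentions actually accrues; in production the window state would live in a shared store rather than one process.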

Unsupervised ML For Hidden Threat Detection

The 2026 imperative is the broad-scale adoption of unsupervised ML to discover what we don’t know to look for. Traditional systems only catch known threats. We need AI that continuously scans for hidden patterns and coordinated networks without being told what’s suspicious, uncovering emerging attack methods and criminal rings before they execute instead of after. – Yinglian Xie, DataVisor

Modernized RBAC With Runtime Risk Signals

Role-based access control in 2026 is all about containment. If you modernize RBAC around least privilege and identity, you dramatically limit the blast radius when credentials are inevitably compromised. While RBAC remains role-driven, it should be augmented with runtime signals (risk level, device posture, workload sensitivity). This keeps RBAC relevant in zero-trust models. – Vasanth Mudavatu, Dell Technologies
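The layering described above, as an added example (written for this page, not Dell's code): a static role-to-permission map stays the floor, and a second pass over runtime signals decides whether a granted action is allowed outright, forced through a fresh MFA step, or denied. The roles, permissions, sensitivity labels, thresholds and the `Context` fields are constructed assumptions about what an identity provider and device-management service would supply.

```python
"""RBAC decision with runtime risk signals (added example, constructed policy)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # honour the request only after fresh strong auth
    DENY = "deny"


# Static RBAC: role -> permitted actions (constructed).
ROLE_PERMISSIONS = {
    "support": {"tickets:read", "tickets:write"},
    "dba": {"tickets:read", "customers:read", "customers:export"},
}
# Sensitivity of the workload each action touches (constructed).
SENSITIVITY = {"tickets": "low", "customers": "high"}


@dataclass(frozen=True)
class Context:
    role: str
    action: str
    risk_score: int          # 0-100 from the identity provider / UEBA (constructed)
    device_compliant: bool   # device-management posture check passed
    mfa_age_minutes: int     # minutes since the last strong authentication


def evaluate(ctx: Context) -> tuple[Decision, str]:
    # 1. Static RBAC is the floor: without a role grant nothing else matters.
    if ctx.action not in ROLE_PERMISSIONS.get(ctx.role, set()):
        return Decision.DENY, "not granted to role"
    sensitivity = SENSITIVITY[ctx.action.split(":")[0]]
    # 2. Containment: a high risk score cuts off everything, even low-value actions.
    if ctx.risk_score >= 80:
        return Decision.DENY, "risk score above containment threshold"
    # 3. Sensitive workloads need a compliant device and recent strong auth.
    if sensitivity == "high":
        if not ctx.device_compliant:
            return Decision.DENY, "non-compliant device on sensitive workload"
        if ctx.risk_score >= 40 or ctx.mfa_age_minutes > 15:
            return Decision.STEP_UP, "sensitive workload requires fresh MFA"
        return Decision.ALLOW, "role grant with clean runtime signals"
    # 4. Low-sensitivity workloads: elevated risk only costs a step-up.
    if ctx.risk_score >= 60:
        return Decision.STEP_UP, "elevated risk"
    return Decision.ALLOW, "role grant"


if __name__ == "__main__":
    # A DBA's valid credential replayed from an unmanaged machine is contained
    # at the sensitive workload, while ticket reads still work.
    for ctx in (
        Context("dba", "customers:export", 10, True, 5),
        Context("dba", "customers:export", 10, False, 5),
        Context("dba", "tickets:read", 10, False, 5),
    ):
        print(ctx.action, evaluate(ctx))
```

The ordering matters: the role check runs first so runtime signals can only narrow a grant, never widen one, and the hard risk cut-off sits above the sensitivity branch so it cannot be bypassed by choosing a low-value action.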

Full-Scale Data Loss Preparedness

Organizations must plan for complete data loss as threats grow more sophisticated. In 2026, cyber risk strategies should include starting from zero and regularly testing recovery plans. Preparing for full-loss scenarios strengthens resilience and speeds recovery. This is a common oversight that should definitely be added or upgraded in risk management strategies. – Rick Vanover, Veeam

Proactive Third-Party Risk Reduction

Prioritize third-party risk reduction over compliance. Shift the focus from merely meeting compliance requirements to actively reducing risk. This involves proactive engagement with vendors and prioritizing security outcomes over box-checking. CISOs should encourage a collaborative approach with vendors, moving beyond monitoring to a partnership that can enhance security across the supply chain. – Austin Berglas, BlueVoyant

A Tested Incident Response Plan With Executive Exercises

Organizations do not rise to the occasion in a cyber event; they fall to their level of preparation. A complete and tested incident response plan and tabletop exercises that include the C-suite and board can significantly reduce losses in productivity, downtime and reputational damages. Understanding and prioritizing the business is key to recovery. – Bryant Tow, Leapfrog Services

Behavioral And Multivariate Anomaly Detection

We need to move beyond signature-based and rule-only detection to behavioral and multivariate anomaly detection that understands normal operational states of systems, data flows and users. Attackers increasingly mimic normal behavior, exploit AI-assisted automation and target data integrity. Without context-aware models, teams might either overreact or miss high-impact threats. – Diganta Sengupta, Oracle Corp.
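The multivariate, baseline-driven detection called for above (and the "unusual logins or odd data access" monitoring in the crown-jewel entry earlier), as an added example written for this page, not Oracle's or Mark43's code: a user's ordinary sessions are summarised as a mean vector and covariance matrix, and each new session is scored by its squared Mahalanobis distance, which accounts for how the features move together instead of thresholding each field on its own. The feature set (login hour, MB downloaded, distinct hosts reached), the baseline rows and the chi-square cut-off are constructed assumptions.

```python
"""Multivariate session anomaly scoring (added example, constructed baseline)."""

# Constructed baseline of ordinary sessions for one user:
# (login hour, MB downloaded, distinct hosts reached).
BASELINE = [
    (9, 120, 3), (10, 95, 2), (8, 140, 4), (11, 110, 3), (9, 130, 2),
    (10, 100, 3), (9, 115, 4), (10, 125, 2), (8, 105, 3), (11, 135, 4),
]
# 99th percentile of chi-square with 3 degrees of freedom; squared distances
# above it are flagged. Tune per environment; this value is an assumption.
THRESHOLD_D2 = 11.34


def mean_and_cov(rows):
    """Sample mean vector and (n-1)-normalised covariance matrix."""
    n, k = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(k)]
    cov = [[sum((r[i] - mean[i]) * (r[j] - mean[j]) for r in rows) / (n - 1)
            for j in range(k)] for i in range(k)]
    return mean, cov


def invert(m):
    """Gauss-Jordan inverse with partial pivoting; fine for a handful of features."""
    k = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(k)] for i, row in enumerate(m)]
    for col in range(k):
        pivot = max(range(col, k), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("covariance is singular: add samples or drop a feature")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(k):
            if r != col:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[k:] for row in a]


def mahalanobis_sq(x, mean, cov_inv):
    """Squared Mahalanobis distance d^T * Sigma^-1 * d of x from the baseline mean."""
    d = [xi - mi for xi, mi in zip(x, mean)]
    k = len(d)
    return sum(d[i] * cov_inv[i][j] * d[j] for i in range(k) for j in range(k))


class SessionScorer:
    def __init__(self, baseline):
        self.mean, cov = mean_and_cov(baseline)
        self.cov_inv = invert(cov)

    def score(self, features):
        return mahalanobis_sq(features, self.mean, self.cov_inv)

    def is_anomalous(self, features):
        return self.score(features) > THRESHOLD_D2


if __name__ == "__main__":
    scorer = SessionScorer(BASELINE)
    # Constructed sessions: a routine one and a 3 a.m. bulk pull across many hosts.
    for session in ((9, 118, 3), (3, 2200, 45)):
        print(session, round(scorer.score(session), 2), scorer.is_anomalous(session))
```

Because the score is relative to the user's own covariance, a session that is moderately high on every feature at once can exceed the threshold even when no single feature would trip a per-field rule, which is the "context-aware" behaviour the entry asks for; conversely, a feature that legitimately varies widely contributes little.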

Original Story: https://www.forbes.com/councils/forbestechcouncil/2026/03/02/2026-cyber-risk-management-strategies-to-adopt-now/