August 22, 2025

The 2026 Roadmap for Tech Execs: Economy, Execution, and Cultural Environment

Yael N
author
Chris Veltsos
co-author

CISO, here’s what you’ll want to know as you start your 2026 roadmap. 

 

As CISOs begin shaping their 2026 plans, they do so against a backdrop that is “K-shaped.” This should be understood and reflected in your specific initiatives. 

Coined by Peter Atwater, the “K-shaped recovery” is a metaphor for the chasm between those thriving and those struggling in today’s economy. Atwater, a Wall Street veteran turned professor and consultant, draws on ‘lived’ Wall Street experience in identifying the K-shape. He emphasizes that as confidence rebounds unevenly, the asymmetry between the “haves” and the “have-nots” becomes structurally embedded in organizations and markets.

For CISOs and tech leaders, this matters profoundly. The K-shape isn’t just an economic headline; it’s a signal of where risk is growing, where trust is eroding, and where business expectations are diverging. Every company sits differently on the K.

A shrinking share of the population controls more of the economic direction than ever. The rich are getting richer. Companies are offsetting losses with higher prices, fewer services, and narrower customer bases. Growth is concentrated in a handful of sectors (financial services, luxury/hospitality, and healthcare, as examples), while others manage through contraction.

Whether your company is a ‘have’ or a ‘have-not,’ the business decisions, hiring plans, budget allocations, and security priorities reflect this context.

 

CISOs, what this means for you is that your 2026 InfoSec roadmap must mirror a dual reality:

  • On one hand, you may work for a company in an industry that is experiencing growth (new product launches, M&A, digital innovation), or you may work for a company in an ecosystem that is contracting.
  • On the other hand, many employees and ecosystem participants are strained and straining—burned out, under-resourced, or distrustful.

For nearly 30 years, we’ve had a front-row seat as executives succeed and fail in cycles like this. The ones who land their roadmap “apply the principles used in Psychological Operations and Social Engineering to more effectively craft and execute a message to deliver measurable impact and active engagement” (we expand on this in a 2019 article: Mind Tricks CISOs Already Know).

 

In 2026, your roadmap should include a focus on four core areas: 

  1. Mature Business Information Risk.
  2. Invigorate a Crown Jewel initiative.
  3. Prioritize process improvement over technology innovation.
  4. Actively nurture the team you have.

This upcoming year will challenge experienced and ambitious CISOs to deliver in spite of the market conditions. To get to 2027, you’ll need to swim with the current, not against the tide. In this article, we describe these 4 initiatives.

 

 


1. Mature Business Information Risk

Ownership of security doesn’t sit solely with the security team. In 2026, re-underwrite the scope of InfoSec to put responsibility back with the business or strengthen the accountability that already exists. Present this as helping business units with their risk, resilience, and integration efforts.

Essentially, the initiatives you pursue here will feel like activities that emphasize communication and collaboration. 

Possible initiatives:

  • Relaunch an Information Risk Committee.
  • Stand up Business Information Security Officer (BISO) roles.
  • Build business-level security dashboards.
  • Refresh governance metrics.
  • Embed communications plans that speak the business’s language.
  • Anticipate AI-driven fraud, attack, and extortion tactics.

Why it works:

  • Increased ownership — when there is an owner, work gets done (reported and managed). 
  • Generates fresh ideas with a wider lens of context and shared goals. 
  • May right-size your security team naturally and with less disruption. 

2. Invigorate a Crown Jewel Initiative

Yes, it’s a buzzword. But it belongs on every roadmap — with a meaning that fits your company. Your “crown jewels” are the most business-critical assets to protect. The initiative isn’t just naming them — it’s to organize people and processes around their protection. 

Every CISO, regardless of their ‘position’ on the K and the size of their team or budget, should have a focused initiative to fortify the company’s crown jewels.

Possible initiatives:

  • Security operations overhaul (e.g. alert review and cleanup; DLP program reset and re-energize).
  • Asset inventory simplification and dimension expansion.
  • Policy and control review or audit.
  • Annual information asset review process for security ops. 
  • Unstructured data cleanup.
  • Business-tailored dashboard for sensitive information protection.

Why it works:

  • Improves and enhances business partnership.
  • Enables and expands technical controls because of a renewed focus (including simply enabling features of ‘widely deployed’ tools).
  • Validates that expected controls are adequate.
  • Raises awareness of data sensitivity and sprawl.
  • Builds trust by aligning with colleagues’ priorities.

3. Prioritize Process > Innovation

In a constricting economy, process discipline is worth more than chasing untested innovation.  It signals prudence, steadiness, and the kind of restraint that builds lasting trust.  In 2026, amid rapid technological change, CISOs should over-index on process improvement, efficiency, and refinement. This strengthens execution now while laying groundwork for future advances.

Possible initiatives:

  • Reconfirm (or set) SLAs/SLOs with stakeholders.
  • Improve core functions: security operations, alerting, incident response, inventory cleanup, access reviews, risk analysis.
  • Automate routine tasks (or elements of them) such as alert tuning, evidence gathering, access reviews.
  • Pause (and then stop) activities that no longer serve the business or compliance.

AI guidance:

  • Use AI to augment staff, create repeatable routines, expand capacity, and scenario-test threats, controls, and communications.
  • Avoid using AI for inferring motives or making production-impacting policy changes without human review.

Why it works:

  • Demonstrates execution strength, which is measured, evaluated, and discussed in boardrooms and executive committees.
  • Saves time and resources immediately.
  • Positions you to innovate when the business is ready.

4. Nurture, Educate, and Support Your Team

Tight budgets demand that you shift from buying/hiring talent to building it. While it takes effort, invest in understanding the styles, behaviors, and triggers of your current team. After all, you already know them. Avoid the potential disruption or delay that comes with onboarding unknown team members.

A fortified, unified team delivers scale through cohesion. A cohesive and connected team enables scale and improves program stability faster and with less cost and disruption. In 2026, Security Leaders who interact with and motivate their teams with fervor will build stable and influential teams. 

Possible initiatives:

  • Assess whether the current workforce fits what the program needs now and next.
  • Provide targeted training to close individual skill gaps.
  • Challenge, correct, and motivate each team member.
  • Act quickly to involve HR and act on its recommendations.

Why it works:

  • Strengthens culture and accelerates delivery.
  • Reduces churn, avoiding downtime, costly mistakes, and loss of institutional knowledge.
  • Tailored expectations improve satisfaction and throughput.
  • You already know each person’s nuance. Put that knowledge to work to strengthen performance and cohesion.

The 2026 CISO Roadmap Mindset

CISO, the reality is that 2026 won’t be even. Some parts of your company will sprint ahead; others will struggle to keep up. That’s the essence of a K-shaped recovery. It’s also why your roadmap must be grounded, balanced, and tuned to the dualities around you.

Executives who thrive in these moments don’t fight the current; they work within it. They link their plans to the company’s true culture, not the one written in glossy reports. They align priorities to what investors, customers, and regulators will actually tolerate before confidence cracks. And they shape initiatives that reflect where the business is, not where they wish it were.

For you, that means anchoring your 2026 roadmap in four truths: 

  • Business ownership of risk. 
  • Protection of the company’s crown jewels.
  • Disciplined processes over shiny innovation.
  • Working with the team you already have.

Do those well, and you’ll deliver resilience in a tough year while you also earn the trust to participate when the economy turns upward again.

In short: swim with the current, not against it. 

 


* Atwater built asset‑backed securities at JPMorgan from 1983 to 1996, then, at age 35, became Treasurer of Bank One when they acquired his prior employer in 1997. In later years, he navigated operations as a divisional COO and then Head of its private client services. Today, he teaches behavioral economics, and consults with executives on confidence in decision making. 
