Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The economic model of cybercrime is shifting from stealing data to creating time drag on the systems that keep the business running. Loud ransomware taught everyone to expect clear incidents, but quieter attacks now focus on prolonged disruption, where boards pay to restore growth and confidence without ever declaring a cyber event.

A realistic nation state style attack is less cinematic blackout and more slow grind, with degraded services, conflicting information and outages that are hard to prioritise. Public confidence erodes as friction spreads and misinformation amplifies the chaos, and history shows societies fail when trust in key systems collapses faster than those systems adapt.

A central government department relied on a part time virtual security lead, ageing tools and no central view of security data, with nobody owning real decisions. When asked what type of attacker would target their systems or whether they had a threat led defence, nobody from engineering to leadership had an answer, despite direct access to national guidance.

Attackers broke into major gaming platform Ubisoft and started spraying free in-game currency, triggering confusion as teams tried to understand the sudden rush of skins and purchases. While everyone focused on the noisy mess, the intruders quietly stole source code for the full game catalogue, walking away with the real prize.

Geopolitics runs on the idea that if one country is not first, another will be, and that logic is now leaking into corporate strategy. Nation states can absorb failure in pursuit of an edge, but most businesses have a low tolerance for failure, so importing that mindset turns ambitious bets into existential risks.

Security leaders are not ignored because governance or risk no longer matter, they are sidelined because speed and efficiency are treated as the only metrics that count. AI is sold as a competitive edge, so any warning about second order effects sounds like friction, even though speed without control creates asymmetric risk that grows out of sight.

Cybersecurity is pricing itself out of reach. Over the past eight years, private equity and VC acquisitions have driven massive price increases across security consulting, vendor products, pentesting and compliance services. SMBs are struggling with vendor renewals climbing up to 40% while security budgets can't keep pace. From endpoint security to SIEM solutions, baseline cybersecurity is becoming unaffordable for the organisations that need it most.

This one's going to ruffle some feathers. Over the past eight years, something has fundamentally changed in the cybersecurity industry. Prices are climbing faster than most UK and European budgets can absorb. Vendor renewals that used to be predictable are now eye-watering. Consultancy rates have shot up. And it's not just about inflation or rising costs.

Security awareness surged during lockdown as ransomware and phishing exploded, then dropped as everyone chased the next big win in AI. Regulation was watered down, governments pressed to be first, and organisations pushed ahead with automation while security teams were moved back to the sidelines.

What threats should CISOs prioritise as we move into 2026? Welcome to Razorwire, the podcast where we share our take on the world of cybersecurity with direct, practical advice for professionals and business owners alike. I’m Jim and in this episode, we’re looking ahead to the challenges facing security leaders in 2026. I’m joined by Richard Cassidy, EMEA CISO at Rubrik, and together, we discuss the three themes dominating CISO conversations.