CISO Radar 2026: Top 30 actions for 2030
Published November 27, 2025
Key takeaways
- Cybersecurity is undergoing major transformations, requiring the rollout of numerous initiatives by 2030
- The current regulatory tsunami is forcing organizations to evolve quickly
- Geopolitical tensions are redefining IT models and resilience
- Several levers are essential to building strong foundations: visibility, trust, and execution speed
- An operational roadmap is necessary to turn cybersecurity into a long-term strategic enabler
As many organizations are completing the implementation of their 2025 cybersecurity strategies, attention is already turning to the future. The next strategic cycle, looking ahead to 2030, requires a rethink of priorities and a clear roadmap. This reflection is even more crucial as the nature of risks, technologies, and regulatory constraints is evolving rapidly. The 2030 cycle is not limited to extending actions already undertaken. It requires an integrated and forward-looking vision, considering all scopes, systems, processes, and stakeholders.
From this perspective, we have chosen to look further ahead by identifying the TOP 30 actions for 2030, as part of our usual reflection aimed at building the CISO radar. We have worked collaboratively across Wavestone to build a clear trajectory, integrating trends, risks, and levers of action, so that cybersecurity becomes a genuine driver of acceleration and transformation rather than a simple defensive function. This trajectory will, of course, need to be specialized for each client’s specific domains but remains valid and insightful for building the 2030 strategy.
Four essential transition forces toward 2030
By 2030, evolution paths are multiple and depend on factors such as industry sector, geographic location, available resources, and threat developments. However, we believe it is useful to identify priorities that are common to many players.
Cyber-attacks are diversifying and becoming more sophisticated. Attackers now target not only traditional infrastructure (workstations, Active Directory, etc.) but also third parties such as partners, suppliers, and subcontractors. According to the CERT-W Report 2025, more than half of incidents involve these external actors, highlighting the need to strengthen risk management and oversight of external relationships.
Cloud platforms, SaaS services, and instant messaging tools have become major targets because they concentrate sensitive data and critical flows, as demonstrated by attacks on Salesforce in summer 2025. Some attacks rely on direct infiltration by fake employees, illustrated by North Korea’s strategy of embedding IT experts into Western companies, or through social engineering techniques. Attacks are also becoming increasingly targeted and adaptive, adjusting their modus operandi to detected vulnerabilities, often leveraging automation and artificial intelligence.
The cybersecurity regulatory landscape continues to grow more complex, with new texts imposing increasingly strict and detailed requirements. European regulators foresee potential simplification by 2030, aiming to harmonize some rules, but in the short term, companies must cope with a multiplicity of frameworks and directives.
Worldwide regulations are covering critical infrastructure, resilience, and product security, among other domains. This layering of regulations creates a dense regulatory environment, requiring organizations to optimize implementation and compliance while maintaining operational agility.
Geopolitical developments directly influence IT models and cybersecurity strategies. They translate into specific regulatory requirements, such as mandatory data localization or the use of certain technologies in countries like China. International conflicts, such as the Ukraine-Russia situation, have also highlighted the need for shutdown or activity transfer plans to protect critical operations.
These transformations require organizations to move from a standardized global approach to more regional or foreign-supplier-independent architectures. Geopolitical fragmentation forces a rethink of data localization, operational continuity, and the ability to maintain security and resilience in varied and sometimes unstable environments.
Artificial intelligence is becoming a key factor in digital transformation. Its rapid adoption is transforming business processes, accelerating exchanges between partners, whether business or technological, and modifying attack surfaces. It also creates new compliance and security requirements. The complexity of autonomous decisions and potential for malicious manipulation require particular vigilance to ensure trust and resilience in this new digital environment.
CISO Radar 2026
For over 10 years, Wavestone has maintained a CISO Radar cataloging all the topics cybersecurity professionals face.
The CISO Radar and its “Top 30 for 2030” present a selection of key topics for cybersecurity and operational resilience professionals. The radar is organized into key themes divided into three maturity levels:
- Mature: must be mastered by every CISO
- Current: being operationalized, first lessons learned can be shared
- Emerging: little-known, evolving, or lacking clear solutions; identifying them helps anticipate future developments
The thematic identification, positioning, and analysis result from joint work by Wavestone’s cybersecurity practice teams across geographies.
Resilience in cybersecurity: accelerating real-time cyber defense
The four identified forces require organizations to rethink their cybersecurity posture. Cybersecurity must accelerate to remain effective in increasingly dynamic and complex environments.
Three structuring axes emerge for the CISO:
- Visibility: obtaining a complete understanding of systems, flows, and risks, including areas where coverage is insufficient
- Trust: ensuring the security and reliability of information, identities, and critical processes
- Execution Speed: bringing cybersecurity closer to real-time, which requires improving the quality of cyber data, as automated process effectiveness depends directly on it
These three axes are interdependent and form the basis for accelerating cybersecurity in a 2030 environment marked by continuous threats, constraints, and transformations.
Increase visibility: artificial intelligence, behavior and product systems
Visibility becomes a strategic lever across three areas: artificial intelligence, behavior, and industrial and product systems.
Business AI: critical systems to secure
We are convinced that AI, beyond mere proof-of-concepts, will become a central lever of digital transformation. Its generalization profoundly changes risks, scopes, and control requirements, even more so with the arrival of AI agents. These developments require organizations to continue and strengthen efforts in common governance, training, methodological frameworks, and ML/AI guardrails.
The first priority concerns the management of the agents themselves. Some will be linked to a user, others to a function or business service; in reality, it will likely be a combination of both. In this context, digital identity, access, and interactions must be controlled, limiting data visibility to what is strictly necessary. The fast pace of technological evolution in this field makes this task complex: protocols, frameworks, and tools change faster than standards are established, requiring continuous vigilance from CISOs.
The second challenge lies in defining the level of trust that can be granted to an AI system. It must be measured, and the autonomy level deduced (“human in the loop,” “human over the loop,” or “human out of the loop”). These levels must be integrated into risk analyses and verified through practical tests, including AI red teaming exercises to assess model robustness and bias.
Transparency becomes imperative. Organizations must understand how their AI is designed and trained, adopting security-by-design practices (Secure by Design, MLDevSecOps). Practices like the “AI Bill of Materials,” detailing components and data used to create models, will facilitate traceability and data source analysis. SOC teams must monitor these new digital entities, detect behavior deviations, prompt injections, or non-human identity spoofing.
360° Visibility of behavior: preventing insider threats
The insider threat now extends far beyond careless employees: attackers increasingly exploit legitimate accounts to carry out malicious actions. Insider threats now encompass all digital populations, including partners, service providers, and AI agents. Visibility over behaviors, human and machine, will therefore become a cornerstone of cybersecurity by 2030. To respond effectively, monitoring must:
- Be structured around transversal governance
- Deploy advanced behavioral analysis tools (UEBA)
- Adopt a “trust & care” approach that protects employees while maintaining their confidence.
Organizations will need to rethink governance with a truly cross-functional approach. Risky behavior detection will no longer be solely a cybersecurity responsibility: it will involve HR, procurement, fraud prevention, and internal control. Together, these functions must design coherent mechanisms to monitor, understand, and contextualize weak signals legally and transparently. This approach must also include AI agents, which are now operational actors. Insider threat scenarios must integrate these new digital entities.
Technologically, behavioral visibility will rely on a new generation of AI-based behavioral analysis solutions connected to the SOC. These tools will correlate dispersed technical and organizational signals (end of a service contract, employee departure, helpdesk request, anomalies in access or data transfer) to detect risk situations earlier.
The goal is not intrusive monitoring, but a “trust and care” logic, reinforcing employee confidence while protecting against potential breaches. Programs must integrate proportionality, transparency, and high-quality communication from the design phase.
IT, OT and digital products: toward unified convergence
The final area requiring visibility enhancement is industrial environments and digital products. Today, governance is partially converged, and protection mechanisms are deployed, but the next step is to build a secure, coherent model across all these domains. By 2030, the distinction between IT, OT, and product worlds is expected to fade. Architectures, protocols, and technologies are converging, creating an interconnected system continuum where historical boundaries lose operational meaning. This evolution requires rethinking security models to ensure a unified, coherent, and effective approach.
Partial governance and protection convergence has begun in some organizations, but integration remains incomplete. It is no longer simply a matter of applying common policies but of building a real security continuity based on the same principles, architectures, and technologies. Industrial environments increasingly adopt IT solutions: virtualized PLCs, IP-based field network protocols, real-time connections to cloud, AI, or SaaS interfaces. These changes create new attack surfaces requiring a holistic cybersecurity approach.
Extending identity and access management to OT will be a key pillar of this convergence. Today, IAM solutions poorly cover industrial environments, leaving operators, PLCs, and machines on the periphery. By 2030, OT-IAM will be essential, integrated into the overall security model and adapted to industrial technology constraints. Some organizations have begun exploring this path, recognizing it as a prerequisite for long-term visibility and resilience.
For digital products, new requirements are emerging with regulations such as the Cyber Resilience Act in Europe or the Cyber Trust Mark in the US. Manufacturers must not only design secure products but also demonstrate security through self-managed or third-party certifications. A certification wave is expected, changing how products are designed, tested, and launched. This challenge creates a “governance gray zone” between product teams and cybersecurity leaders, requiring clarification to ensure compliance and trust with clients and partners.
The SOC must evolve to cover these hybrid domains, collecting and correlating signals from IT, OT, and product environments, handling new protocols, and responding to unprecedented incidents. This requires new response playbooks, specific triggers, and adapted analytics tools to detect weak signals characteristic of industrial environments. The goal is an extended SOC capable of continuous monitoring across IT and operational infrastructures while meeting growing regulatory requirements for product security.
Strengthening trust
Beyond increasing visibility, actions are needed to reinforce trust. Trust in certain security mechanisms erodes due to technological changes and the geopolitical context.
Cryptography: renew encryption to ensure trust
Cryptography is now at risk from quantum computers with sufficient power to break key current algorithms. It is no longer about predicting availability but complying with regulations: the US, EU, and others set 2030 as the deadline for upgrades. This requires major transformation of encryption systems, as traditional protocols are widespread. Teams must anticipate and plan migration to post-quantum algorithms, in a crypto-agility approach enabling continuous updates without restarting from scratch.
Implementing this transition requires clear, structured governance. Responsibilities must be defined, and long-term programs managed. Scenarios may involve cybersecurity teams, IT operations, or system obsolescence teams. A full mapping of encryption usage is crucial to prioritize sensitive systems and data.
Rebuilding the crypto foundation will be strategic, updating key infrastructure such as PKI, HSMs, and KMS while ensuring quick migration to new algorithms. Including clauses in IT contracts for post-quantum algorithm support is recommended to ease future migrations and guarantee partner compliance.
Crypto-agility is central. Encryption systems must not be static; post-quantum implementations may have vulnerabilities. Systems must be designed for continuous evolution, reducing the need for costly, large-scale migration programs.
Resilience: operating in a fragmented digital world
By 2030, organizations will need to operate in a fragmented environment, where geopolitical disruptions, technology bans, or local sovereignty constraints may arise at any moment. Resilience is therefore a fundamental pillar for maintaining trust in a rapidly changing digital context.
The first step is to map digital assets accurately and update their risk profile, not only according to technical or IT criteria but based on strategic activities and revenue-generating regions. This mapping allows identification of dependencies, prioritization of actions, and protection of critical functions during crises, considering regional and sectoral specificities. Crisis scenarios must be revised to include new triggers such as a country decoupling, technology blockages, or Internet fragmentation, ensuring continuity plans are realistic and applicable under all circumstances.
Resilience also requires designing largely isolated but interconnected environments capable of autonomous operation while maintaining global coordination. Cybersecurity becomes central, ensuring isolated zones remain protected while enabling coordinated detection and response across the organization. This approach requires rethinking network architectures, creating secure zones, and defining communication and monitoring mechanisms suited to a fragmented world.
Trust in resilience cannot be theoretical; it must be verified through rigorous, regular testing. Exercises should include internal systems, partners, suppliers, and in some cases competitors, to simulate real crisis situations and evaluate the robustness of continuity plans. Regular, immersive practice ensures organizations can respond effectively to complex and unpredictable scenarios, demonstrating true resilience to internal and external stakeholders.
Identity: the foundation of digital trust
Identity has become the new security perimeter: constantly targeted by attackers, essential for incident detection, and scrutinized by compliance. By 2030, identity will form the foundation of all digital interactions: employees, partners, contractors, and AI agents. The proliferation of identities and constant exposure to cyberattacks make it a critical security vector. Currently, the IAM landscape is fragmented across multiple platforms and responsibilities, insufficient for this transformation.
Today’s identity and access management (IAM) landscape consists of multiple, often isolated, platforms and solutions. This fragmentation cannot withstand accelerated digital adoption and complex threats. The solution is to unify governance across all identities, internal and external, except potentially Customer IAM, which involves hundreds of thousands of clients and constitutes a distinct scope.
The complexity and criticality of identity as a trust foundation justify a strategic new role: the Chief Identity Officer. This leader will manage identity transformation, ensure unified governance, supervise the centralized platform, and guarantee a reliable, verifiable source of identity and access for all critical operations. This role becomes a key lever for reinforcing internal and external trust, supporting regulatory compliance, and securing all digital interactions in a world where identities are constantly challenged and attacked.
Unification involves centralizing and streamlining platforms to create a true “Identity Control Tower,” a single source of trust and pivot for all security, detection, and compliance operations. This centralized platform supports Zero Trust implementation, integrating conditional access mechanisms, adaptive authentication, and just-in-time/just-enough access principles. These features control in real-time who accesses what, when, and under what conditions, including AI agents, ensuring strict access limits and full identity visibility, contributing to organizational security and trust.
Increasing speed
Today, attacks and defenses are amplified by AI, which acts as a catalyst, accelerating processes at unprecedented speed. AI use cases for both attack and defense are multiplying. Two emblematic projects illustrate this acceleration:
- CVE Genie (University of California): Created an AI capable of generating exploit codes for published vulnerabilities, producing automatically usable attack codes for just a few dollars per flaw.
- AIxCC (DARPA, US Department of Defense): A contest where teams developed AI that analyzes source code, finds vulnerabilities, corrects them, and ensures code passes production tests, achieving a $450 average cost and 45-minute timeframe per fix.
This acceleration profoundly changes how cybersecurity must operate. To guarantee resilience and trust by 2030, organizations must convert cybersecurity threat and security equipment data into immediately actionable, automated responses. This requires rethinking the cybersecurity engine itself to operate at this new speed, continuously processing massive volumes of cyber data from IT systems, security tools, and business processes.
To achieve this speed, two key steps are required. First, enhance and automate the decision engine via an Agentic AI platform. This accelerates decision-making in security processes and automates critical actions. High-quality, real-time data is essential, as cybersecurity data today is often too slow and dispersed.
The solution is a Cyber Data Lake, centralizing and correlating information from all relevant sources: security tools, IT systems, GRC processes, business data, and industry news. This infrastructure feeds the Agentic AI engine continuously, enabling real-time cybersecurity and automated responses once a risk is identified. The combination transforms the cybersecurity system into a smooth, autonomous engine capable of analyzing and reacting to massive data flows.
This transformation opens up new opportunities, particularly in terms of innovation. First, it enables organizations to measure trust levels (“assurance”) in real time for compliance and security. Organizations can instantly assess their posture, detect gaps, and apply necessary corrective actions before risks materialize. Second, in the future, it could enable automated responses to alerts and incidents: detection, blocking of flows, system reconfiguration, or deployment of patches could be executed in real time, thereby limiting the impact of attacks. Third, this data will allow the creation of digital twins to simulate and test vulnerabilities, configurations, and changes before deployment, providing a practical tool for risk assessment and stress testing the overall resilience of the system.
This transformation also unlocks, in the short term, use cases that are currently impossible to implement at scale. Among these concrete opportunities, artificial intelligence enables the automation of data classification, strengthens third-party management by continuously monitoring and evaluating suppliers, and optimizes application security by automating vulnerability detection and remediation. These use cases represent a significant gain in terms of efficiency and reliability, while also freeing up human resources for higher-value tasks.
A new organizational entity is required: the Cyber Data & AI Office. This team of data engineers, data scientists, and AI and cybersecurity experts builds and maintains the data lake, develops and supervises AI agents, and supports teams adopting new processes. They define priority use cases, assess ROI, and establish trust metrics to ensure system reliability.
The convergence of approaches requires deploying a target platform to centralize and harmonize modules: in-house solutions, GRC or SOC extensions, or progressive integration of existing AI tools. The goal is to create a fluid, reliable, adaptable cybersecurity engine capable of real-time reaction, unlocking new use cases, and preparing the organization for predictive, automated cybersecurity in 2030.
Create a Cyber Value Realization Office
Real-time cybersecurity transformation goes beyond technology and processes; it requires organizational redesign and demonstrating tangible value.
By 2030, significant investments and organizational changes will be made. Without clear demonstration of impact and value, executive and business support may be difficult to maintain. A Cyber Value Realization Office (VRO), reporting directly to the CISO, is needed to measure and highlight cybersecurity’s contribution, optimize tool portfolios, streamline processes, and show how cybersecurity accelerates sales, supports business operations, or enables new client services. Reporting and communication are critical for securing organizational support and ensuring funds for strategic programs.
Roadmap 2026–2030 & Conclusion
Top 30 actions for 2030
The proposed roadmap, which of course should be adapted to each context, spans from 2026 to 2030. We suggest organizing all the initiatives mentioned progressively, by major pillar. For the “real-time” pillar, a core element of the 2030 strategy, three main maturity phases will be required. Between 2026 and 2027, the goal is to lay the foundations around data and team structuring, with the appointment of a Chief Cyber Data Officer to oversee these efforts. From 2028 to 2029, the data lake becomes fully operational, and AI agents are gradually integrated into the platform to automate processes and enhance operational efficiency. Finally, by 2030, the organization aims to implement real-time cybersecurity, with the ability to ensure security and compliance instantly, and potentially deploy automated incident response, depending on the maturity reached by the various processes and technologies.
The future relies on a proactive approach, based on data, resilience, and mastery of emerging technologies. Decisions taken today will shape your ability to execute this cybersecurity roadmap to 2030, turning cybersecurity into a driver of performance and innovation.