Defensible by Design: Ransomware and Cybersecurity in 2026


Ransomware is no longer just another item on the risk register. For many organizations, it has become the disruptive force that shapes technology strategy, capital allocation, and even leadership tenure.
Halcyon CISO Stacey Cameron and Field CISOs Tony Spinelli and Gary Hayslip spend their days working with organizations that are on the front line of this shift. When they look ahead to 2026, they see a year where the pressure on CISOs intensifies, but also a year where leaders have a chance to fundamentally reset how they build resilience.
Their message is blunt: stop chasing the illusion of “secure,” start building defensible systems, and pull every lever available, including people, architecture, and even investors, to raise the floor on ransomware resilience.
The Hardest Job Is About to Get Harder
Stacey doesn’t sugarcoat where CISOs stand heading into 2026. In her words, “we are in one of the hardest times to be a CISO, and there seems to be no end in sight.” The job was never easy, but the rate of change on the adversary side has turned it into a constant uphill sprint.
She expects that slope to steepen as ransomware actors adopt more sophisticated automation and coordination. “In 2026, we’ll see agentic AI redefine how ransomware behaves, labor shortages will still impact the industry, and ransomware will continue to be its own organized crime category thanks to ongoing geopolitical tension and high profitability,” she said.
For many long-time security leaders, this feels like a break from the world they grew up in. The early days of the role were about maturing hygiene, centralizing control, and building repeatable processes. That foundation still matters, but it no longer guarantees stability. The environment is simply changing too fast.
Stacey is clear-eyed about what that means: “The reality is: we’ll never fully eliminate the threat of ransomware. We’ll always be in a state of figuring out the next campaign and understanding the latest TTPs.” The work ahead is not about finally closing the book on ransomware. It is about learning to live and operate securely in a world where it will always exist.
Training for a World that Never Stops Changing
If ransomware isn’t going away, the next generation of CISOs cannot be trained for a static target. They need to be built for continuous adaptation.
Stacey frames adaptability as the defining leadership skill for 2026 and beyond. “We can hone the most important skill set needed for this role: adaptability,” she said. For many of us who came up in earlier eras, adaptability feels like a muscle we have to consciously remember to work. For tomorrow’s leaders, it needs to be second nature.
That means treating the development of future CISOs as more than a mentoring side project. It becomes a deliberate part of how we design teams and programs. Instead of shielding emerging leaders from volatility, we bring them into it:
- Give them visible roles in real incident response and recovery, not just tabletop exercises.
- Have them own post-incident reviews and translate lessons learned into changes in architecture and process.
- Expose them early to board conversations, investor questions, and regulatory expectations, so they learn how to reason in business terms, not just technical ones.
“In 2026, our goal should be to mentor adaptability into younger professionals to the point where it feels like an instinct,” Stacey said. That requires CISOs later in their careers to be intentional about handing over context, not just tasks: sharing how they weigh tradeoffs, how they communicate uncertainty, and how they navigate the political realities that surround major security decisions.
Stacey’s warning is simple: if we don’t do this, the next wave of CISOs will inherit the same mountain we climbed, but with an even thinner margin for error. “It is the only way we’ll be able to make a marked difference in how organizations respond to and recover from ransomware threats,” she said.
From “Secure” to Defensible Systems
Where Stacey focuses on the people side of the equation, Tony zeroes in on how the technology and risk model must shift.
“The myth and panacea of always ‘secure’ systems is behind us,” he said, “and 2026 will show a clear divide between organizations who acknowledge that reality and those who don’t.” That divide will not be theoretical. It will show up in the size of outages, the speed of recovery, and the ultimate cost of incidents.
The pressure is compounded by the fact that budgets are not keeping pace with the threat landscape. “As threats continue to rapidly escalate, with shrinking budgets and the global average number of weekly cyberattacks encountered by organizations growing by 58% in the last two years, companies and their CISOs can no longer afford to assume they’re impenetrable,” Tony noted.
For him, the language shift from “secure” to “defensible” is more than semantics. It reflects a fundamental architectural change:
- You assume that prevention will fail at some point.
- You design systems so that when it happens, the blast radius is constrained, and recovery is fast.
- You invest as much in response, resilience, and recoverability as you do in blocking the initial intrusion.
“The days of believing that all attacks and threats are prevented are behind us,” Tony said. Instead, he argues for environments built around resilient and recoverable systems, or what he calls “defensible systems.” Those systems are characterized by a thoughtful layering of controls, clear prioritization of what matters most, and a realistic understanding of how the organization will actually operate during an incident.
“Those that shift towards a combination of thoughtful security techniques combined with strong response and immediate resiliency will have a defensible security posture their business can rely upon,” he said. In 2026, that defensibility becomes the real currency of trust—with boards, with regulators, and with customers.
When Capital Becomes a Security Control
Ransomware risk is no longer confined to the SOC or the IT budget. It is now a board-level and investor-level issue, and Gary believes 2026 will crystallize that shift in concrete ways.
“If 2025 is any indication, 2026 will have a positive outlook for cybersecurity investment,” he said. “Although total funding rounds were down, mega deals dominated in 2025, signaling that investors are willing to invest but are highly selective about where they put their capital.” One of the least discussed but most powerful filters in that selection process is security.
“A little-known but incredibly influential factor that helps investors determine if they will invest? A company’s cybersecurity posture,” Gary explained. In his years conducting cybersecurity due diligence on behalf of investors, he saw this play out repeatedly.
“Having conducted cybersecurity due diligence for years on behalf of investors, I can attest that they are much more aware of the risk a cybersecurity breach poses to their investment than many realize. When we saw security red flags, it would often derail entire deals.”
Sometimes, though, strong fundamentals and market opportunity outweighed current security gaps. In those cases, the investment itself became a lever to improve security maturity. “If we saw enough potential in a company, we would use our investment to mandate necessary security improvements over time,” he said.
Gary believes this is where CISOs and investors can become unexpected allies, especially for younger companies. “These companies are disproportionately targeted by ransomware attacks, and they often lack the resources to recover as effectively as more mature companies,” he noted. That is exactly where investor pressure can be most beneficial.
“It benefits everyone for them to have the core tenets of security in place, and if investors can help elevate the standard of what that should look like, then it’s all the better,” Gary said. Looking ahead, he expects that “in 2026, we’ll see more investors use security not only as a criterion for investment, but as an opportunity to raise the bar of what security should be for promising young companies.”
For CISOs, that means security posture is increasingly intertwined with valuation, deal velocity, and access to capital. Ransomware resilience becomes part of the growth story, not just a defensive expense line.
Walking into 2026 Prepared
Taken together, Stacey, Tony, and Gary are not predicting an easier year. They’re describing a landscape where ransomware continues to evolve, where resources remain constrained, and where the consequences of getting it wrong grow more severe.
But they are also pointing to a very specific playbook for CISOs heading into 2026:
- Treat adaptability as a primary outcome of your security program, not a soft skill. Build it deliberately into how you mentor and promote the next generation of leaders.
- Shift your internal language from “How do we become secure?” to “How do we stay defensible?” Design architectures, playbooks, and roadmaps on the assumption that some attacks will land.
- Use capital as a control. Make sure your security posture stands up to investor-grade due diligence and, where possible, turn investor mandates into fuel for long-deferred improvements.
None of this is about conceding defeat to ransomware. It is about recognizing the reality that, as Stacey put it, “we’ll always be in a state of figuring out the next campaign and understanding the latest TTPs,” and building organizations that can operate confidently in that reality.
For CISOs, the opportunity in 2026 is to redefine success, from preventing every incident to ensuring that when ransomware comes knocking, your organization can withstand the hit, recover quickly, and keep earning the trust of the people who rely on you.
For more insights and research on ransomware and cyber resilience, explore the Halcyon blog and the Halcyon Ransomware Research Center.