By: Brian Blakley, CISO, Bellini Capital
There will be endless debate this year about how AI and other emerging technologies will affect cybersecurity, and those conversations are important. But they distract from an uncomfortable truth: the biggest cybersecurity threat facing organizations is the ongoing tolerance for risks that are already known and remain unresolved.
Look at the major attacks from 2025. Patient records exposed. Ransomware attacks over holiday weekends. The mass exploitation of widely used enterprise platforms. These were the inevitable results of unpatched systems, missed alerts, thin weekend coverage, and delayed fixes—all common, well-understood weaknesses. Attackers don’t need extraordinary capabilities to pull off these kinds of attacks. They just need organizations to keep doing what they so often do: postpone critical cybersecurity decisions.
The playbook is familiar. Budgets are tight. Growth targets are aggressive. Digital initiatives are non-negotiable. So security risks get pushed to the sidelines. Leaders have to make these kinds of tradeoffs all the time, and it isn’t easy. But over time, compromises accumulate until eventually, an attack forces a moment of reckoning.
Cybersecurity complacency isn’t an option. It wasn’t in 2025, and it certainly won’t be in 2026.
The Basics Matter—More Than You Think
First, the bad news: attackers know to look for the vulnerabilities and predictability that make organizations sitting ducks. Now, the good news: reducing risk in those areas isn’t as complicated as you might think. No need to overhaul a security program or rush to adopt the latest tools; the best thing to do is master the basics. Fix what’s broken and address operational blind spots.
In short, minimize vulnerabilities and predictability. Examine where your organization is knowingly accepting risk and what it would realistically take to reduce it.
The Key to Smarter Decision-Making
Fixing every issue all at once isn’t pragmatic or possible. Decision-makers have to know which efforts to prioritize. These are tough calls to make, especially when technical teams and executives don’t speak the same language. When risks are presented in the form of security metrics and technical jargon, the business impact isn’t always clear.
It’s on leadership to communicate with technical teams about the most critical business functions and objectives, and to clarify the context they need to make informed decisions about cybersecurity initiatives. And it’s on technical teams to be receptive to that feedback and align their technical priorities with organizational ones.
If a platform that generates 80% of the company’s revenue has unaddressed weaknesses, that’s a significant threat to the bottom line. If the security obligations outlined in customer contracts aren’t being met, that’s a legal nightmare waiting to happen. Not every threat carries equal weight, and sharing context between business leaders and technical teams helps organizations make smarter decisions about what fixes to pursue first.
Failure Is Always a Possibility
Cybersecurity programs typically emphasize prevention against attacks. Of course, preventing incidents is preferable to responding to them. But no amount of prevention can completely eliminate the possibility of failure.
When something does go wrong—and eventually, it will—the real test of organizational readiness occurs in the first hour of an incident. Who has the authority to shut down a revenue-generating system? Who determines when customers are notified? Who decides when contractual thresholds have been triggered? Who communicates with the public, and what does that messaging look like? Those are a lot of quick decisions to make when the pressure is high.
Maintaining an incident response playbook that documents answers to these questions, along with the potential actions teams across the organization will need to take, is a good practice. So is conducting simulation exercises, but only if the exercises actually reflect the reality of real-world scenarios: the chaos, ambiguity, and incomplete information that make it hard for any leader to act. In the event of an attack, you won’t be sitting around a conference table with a cup of coffee, calmly walking through a logical sequence of steps.
Practicing failure isn’t about perfecting the response to a specific scenario. It’s about building the muscle memory that enables quick decision-making in stressful situations so that an organization can recover as quickly as possible.
The Real Threat Is Complacency
Cyberattacks are rarely the work of mastermind criminals like the ones we’ve all seen in Ocean’s Eleven or Mission Impossible. More often than not, the true threat is complacency.
AI and emerging technologies will no doubt introduce new layers of uncertainty to the 2026 cybersecurity landscape. But most attacks will still be traced back to obvious vulnerabilities and predictability. Instead of asking, “What do we need to do now?”, organizations that want to avoid becoming the next major headline should ask an even simpler question: “What should we have been doing all along?”
