Where CISOs should set their priorities in 2026

Cyber attacks are changing more rapidly than ever – and targeting IT, cloud, OT and AI systems. The pressure on CISOs to regain transparency and control over complex digital ecosystems is increasing. The Swisscom Cybersecurity Threat Radar 2026 shows where the biggest risks lie – and how modern TDR approaches can help companies take back their ability to act.

April 2026, Text: Andreas Heer, 4 min.

Summary

In 2026, Swiss companies will face a cyber threat situation that is emerging simultaneously in IT, cloud, OT, supply chains and AI systems. The Swisscom Threat Radar identifies four strategic risk areas: insecure AI, supply chain risks, digital sovereignty and OT security.
To retain their ability to act, CISOs need a security strategy that creates transparency across all domains and anchors TDR as a central tool. Modern governance, visibility, state-of-the-art protective measures, convergent SOC structures for IT and OT, a uniform telemetry basis and robust response processes, applied across all areas of the NIST framework, form the basis for resilience in an increasingly automated and complex world.

It is shortly after half-past two in the morning when several warning lights flash simultaneously in the control centre of a large Swiss industrial group. First, an alert regarding unusual login attempts in a cloud environment. Minutes later, anomalies in the production network, followed by a sudden, automated roll-out of a ‘routine update’ in a software component of a critical control system. None of this would be suspicious on its own. But together, the actions create a pattern – one that only becomes apparent later on, because the signs emerge scattered across IT, cloud, operational technology (OT) and external service providers in the supply chain.
While the rapidly deployed on-site engineer checks whether a machine has already been tampered with, the security team tries to find out whether the issue is a false alarm, unsecured AI processes or the start of a supply chain attack. And it soon turns out that it’s all of the above.
This fictional scene represents reality for Swiss companies in 2026. The threat situation comprises various infrastructure areas, changes dynamically – and fundamentally shifts the role of CISOs. The Swisscom Cybersecurity Threat Radar 2026 shows that for those who want to remain resilient, threat detection and response (TDR) must be seen as a key tool and not as a technology project.

The leadership dilemma: maintaining control in a volatile world

CISOs face a paradoxical situation in 2026: technology is creating more opportunities than ever before – and at the same time, we are increasingly dependent on third parties, automated systems and AI-supported decisions that are difficult to understand. The radar shows four risk areas that redefine the CISO's mandate: insecure AI, supply chain risks, digital sovereignty and OT security. These fields are more strategic than technical: they relate to governance, accountability, visibility and resilience. As a result, TDR becomes a control instrument that creates transparency regarding the risks and hence provides the basis for safe and economical operation.

The risk areas at a glance:

Insecure AI – the new blind spot on the CISO’s radar

AI models and agents make decisions that are neither documented nor verifiable. This has a direct impact on TDR:

  • Traditional detection no longer applies because AI decisions cannot be verified
  • New attack surfaces are emerging within the organisation: AI-generated code (‘vibe coding’) that may contain security vulnerabilities, data leakage through prompt injection, and AI agents as gateways
  • Shadow AI moves security outside of official processes, for example if employees use non-approved genAI services with confidential data

AI governance will be crucial to regulating how AI is handled, as will the inventory and monitoring of the AI models and agents used.

Swisscom Cybersecurity Threat Radar 2026: AI risks, supply chain attacks, digital sovereignty and OT security – an overview of the most important cyber trends.

Software supply chains – transparency as the new governing currency

Attacks on the npm ecosystem (Node.js) and the recent compromise of the popular Python library LiteLLM show that compromised modules are now an effective attack vector for infiltrating malicious code into enterprise applications and software development. It has long been a reality that companies no longer control large parts of their code themselves.
A functioning TDR must therefore cover build pipelines, suppliers, SBOMs and update mechanisms. The integrity and origin of software components become strategic indicators, comparable to financial auditing security.

Digital sovereignty – the strategic foundation of TDR

Cloud outsourcing, SaaS models and the increasing use of AI automation increase dependency on external service providers, making it more difficult to directly control data, processes and risks. At the same time, the Swiss Federal Act on Data Protection (FADP) and the European GDPR require transparency with regard to data processing.
Complete control over all digital processes is hardly feasible in globally interconnected ecosystems. As a result, digital sovereignty remains an ambitious goal. It requires companies to strategically manage their dependencies, build up technical expertise, and consciously select their partners or supply chain. To do so, companies must actively manage their risks.
TDR addresses precisely these dependencies and risk factors: it creates the necessary visibility regarding threats, data flows and behavioural patterns. Without this transparency, neither control nor real resilience is possible. As a result, TDR becomes the operative prerequisite for sovereign decisions.

OT security – when cybersecurity becomes physical

Production environments, power plants and medical systems are not easy to patch. With increasing connectivity, however, the boundaries between IT and OT (operational technology) are becoming increasingly blurred – offering cybercriminals new attack surfaces. The risks are both operational – potentially causing production stoppages and supply risks – and critical to the company’s reputation. In addition, regulatory pressure on critical infrastructures is increasing – for example, the ICT minimum standards and the NIS2 Directive.
CISOs must integrate IT and OT in threat detection, both organisationally and technically. This requires a convergent SOC, coordinated processes and OT-specific detection mechanisms.

Strategic priorities for 2026

Current trends in both cybersecurity and IT in general determine a CISO’s agenda and define strategic priorities. The following should be at the very top of this list:

Create transparency

  • Develop a central data infrastructure for monitoring in the form of a unified telemetry fabric that combines all security signals from IT, OT, cloud and AI.
  • Develop inventories for AI models, software types, supply chains and critical dependencies.

Strengthen governance

  • AI and supply chain governance are becoming integral components of a company’s cybersecurity strategy.
  • Roles, responsibilities and approval processes must be redefined in order to integrate risks and attack surfaces from AI systems and OT.

Modernise TDR

  • Integrate software bills of materials (SBOMs) and monitor development processes (pipeline monitoring) in order to detect tampering at an early stage.
  • Use AI-supported behavioural analysis to fend off new types of attacks that are themselves based on artificial intelligence.

Realign organisational structures

  • Develop a convergent SOC that combines monitoring of traditional IT infrastructure and OT.
  • Promote interdisciplinary cooperation between cybersecurity, software development (DevOps), production, the legal department and data science in order to holistically manage complex risks.

Prioritise resilience

  • Develop dedicated incident response playbooks for complex scenarios such as AI manipulation, supply chain failures or attacks on production facilities.
  • Establish stress tests and simulations (tabletop exercises) in order to train management’s decision-making processes under realistic time pressure.

TDR is not a tool, but part of management work

2026 will force CISOs to interpret their role more broadly, moving from technical gatekeepers to enablers of resilience and sovereignty.
TDR forms the backbone of a modern security strategy: it puts alerts from different sources into context, bringing clarity to a world full of opacity, complexity and automated risk transfer.
Combining TDR, control and governance across all domains strengthens not only cyber defence, but also the ability of the entire company to act.
