
CISO Outlook 2026: Authentic Intelligence in the Age of AI


Join Mark Flegg, global director of Security Services, for an exclusive look at findings from CSC’s latest annual CISO Outlook report, based on a survey of 300 chief information security officers (CISOs) and other senior cybersecurity and technology leaders. The research explores the threats organizations faced in 2025, the risks they expect to intensify over the next three years, and how artificial intelligence is reshaping both cyber defense and cyber risks.

Webinar transcript

Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching this on our YouTube channel, there's a link to the website in the description of this video. Thank you.

Christy: Hello, everyone, and welcome to today's webinar, "CISO Outlook 2026: Authentic Intelligence in the Age of AI." My name is Christy DeMaio Ziegler, and I will be your moderator.

Joining us today is Mark Flegg. Mark is CSC's Global Director of Security Services and is responsible for advising a global client base on digital risk and the preventative measures brands can take to safeguard their digital assets. And with that, let's welcome Mark.

Mark: Thank you very much, Christy, and welcome, everybody. So I'm excited today to go through our latest CISO Outlook report. And just to give you an idea on the demographics here, you can see that the job titles of the respondents, we interviewed 300 CISOs or of that role across the world, so North America, Europe, and Asia-Pacific. And then you can see the percentage of those types of companies by their vertical sector, so which industry do they play in basically.

So let's get into the key findings. So overwhelmingly, 72% of respondents say the level of threats were either critical or very critical in 2025. Not surprising really, is it? The way that the world is going, the more reliance we have on being online and what that means, bad actors, it's another opportunity for them to be able to do the nefarious things that they want to do. So it's always going to be there as long as we have an online presence.

What was interesting was what the top cyber threats or expectations were over the next three years. So social media impersonation and defamation, I think that's an interesting one because not everybody uses social media. But it's highly effective. People will do that if they think they can get you on the hook and to enter credentials or any information that you're willing to give them.

Domain and DNS hijacking and subdomain takeover attacks, these will remain high in the list. I think for any organization, if you control the domain or the DNS, you control the keys to the kingdom. And subdomain takeover, we've seen a massive uplift in that in the last few years, whereby people aren't doing the right zone hygiene. So it's easy for somebody to get that subdomain. We're all familiar with phishing emails and what that can do. If they can use your subdomain in that phishing email, it lends more credibility. It doesn't give off bad signals. It's got more likelihood of being clicked.

DDoS attacks, again, it's an ever-present. If somebody doesn't like what you do, they will launch these attacks. A lot of it now is coming up for monetary gain, so blackmail, exploitation, and things like that.

Cybersquatting, again, an ever-present. Been there since day one. People will register domains containing your brand whether we like it or not.

And then, of course, employee and executive impersonation, including the deepfakes. Again, this is an interesting one. There are many examples out there on the internet, if you search, where employees have fallen foul to suggestions, instructions from senior executives within their organization to tell them to make payments or do whatever it is they want them to do. And again, with the use of AI, this is only going to get worse.

If we look at the year-on-year comparison on threats, we can see, in 2024, cybersquatting, typosquatting, online counterfeit was number one. Domain and DNS hijacking was number two. DDoS attacks three. That's changed in 2025. So domain and DNS hijacking and subdomain takeover attacks has gone to number one. Cybersquatting has dropped to number two. And then we've got the introduction of ransomware and malware.

I think we've all seen in the news, certainly in the last 12 months, there have been more ransomware attacks than I think there were the previous year and obviously before that as well. They are becoming more commonplace. An organization can get breached, and the only way they'll get their systems back is if they pay the ransomware, which, of course, they probably won't get their systems back anyway. They'll just demand more money or more Bitcoin, whatever it is that they want to be paid in. So that's becoming more prevalent. So it's interesting to see that on there, and DDoS attacks drop out of the top three.

So on this one, AI-related risks are also on the rise. So we asked how concerned people were. The vast majority of respondents, 98% expressed concern about the risks of giving third-party, AI-based systems and solutions access to company data, with 41% saying they're very concerned. And this is super important. You look at the AI tools that are out there, ChatGPT, Copilot, etc., etc., do you want your staff putting sensitive information in there? Where does it go to?

And then, following on from that, a massive 86% of respondents say that AI-powered, domain-generated algorithms or DGAs, a new TLA, a three-letter acronym for us all to remember, pose a threat to organizations. And this is where AI is looking at the organization, figuring out what are sensible domain names to do with left- and right-hand side versions of it, and going off and registering them. And they could be used immediately. They could be left in a dormant position to be activated at a later date. But it's telling that 86% of our respondents were concerned about that and saw it as a threat.

If we look at AI as an opportunity, which, of course, it massively is, 73% said it's more of an opportunity than a risk for cybersecurity. A further 10% say it's a strong and clear opportunity. So that's almost three-quarters say AI-driven automation plays a proactive role with DNS and similar attacks, but it does require oversight or careful management. So that 16% there saying it's an opportunity and a risk, it absolutely is, and I would hope more people see it as a higher number for both. I don't think it's more of an opportunity than it is for anything else because if you're not dealing with those AI attacks, then you're going to come up short. So you have to do things in equal measure. But it is definitely a business benefit.

So if we look at managing risks in a fast-moving cyber environment, a lot of the organizations that we surveyed, they do still remain vulnerable. We can see 10% significantly underprotected. We can see 34% of very, and then slightly 10% and adequately 31%. So basically, only 14% of respondents say they are very confident in their company's ability to mitigate domain attacks. One in 10, so 10% of major companies are significantly underprotected against DNS outages, another quarter that they are slightly underprotected, 25%, and then just over a third, that 34% believe they are very protected.

So if we look at what the challenges are when mitigating domain attacks, clearly you've got DNS incidents. These typically originate from large cloud-hosting platforms rather than internal systems. I think it's fair to say that we all outsource more than we ever have done. Finding an organization with its own data center, if it's of a certain size, enterprise size, is typically hard to do these days.

Cybersecurity investments. Organizations that don't keep up with the investment and the pace of IT growth and, of course, the emerging threats, hence our poll question earlier, I think are going to fall short and will have to find budget from somewhere very quickly in order to mitigate these new threats.

And then, domain name management. A lot of organizations are now establishing a multidisciplinary team. If you think about the advent of domains, when we all decided, hey, we want to get online, well, that's highly technical. IT can own that.

And then, over time, marketing realized the value and the power of a domain name, and they said, "Hang on, we can just register a domain name in say Germany, and then we have a presence there. And we can do the same in Italy, and we can do the same in Spain. We can do the same in Hong Kong. Oh, wow, we can go global very quickly and easily without having to hire salespeople, print collateral in that language. We can just set up websites." So they got involved in the ownership of domains.

And then, clearly, legal stepped in when they found that the cyber criminals were essentially infringing on their trademark. And for any trademark holder, they all have a right to defend their mark. They're actually tasked with doing that. Otherwise it can be diluted.

So you can often tell the maturity of an organization depending on who runs the domain name portfolio. A very mature organization will have that multidisciplinary team. So it will have representatives from each department because everybody has to have their piece of the pie. It's important for the business that all departments use those domains properly. For those that are not doing that, then that's where holes tend to appear in your cybersecurity policy and posture.

This is a new one as well in terms of risk controls for supply chain and partners. Like I said earlier, we definitely outsource more than we have done in the past. But are we doing a good job to make sure that those partners are doing the right things, that they have the right security in place? We always say a team is only as strong as its weakest link, its weakest member, and it's exactly the same in business with our supply chains, with what we do, our processes, etc.

So 79% express concern that the increase of AI tool use by suppliers and partners poses a cybersecurity risk to their organization. So just think about those partners that are using something like ChatGPT, just throwing in information, sensitive information to pull up nice reports, formatting, whatever they're using it for. Did you sanction that? Are you allowing them to use that AI tool? It's, unfortunately, another thing that we've got to put into our supplier or vendor security assessments. AI just has to be there now. It has to have its own big section.

I mention this because regulation is becoming stronger and stronger. So if we look at the European Union, for example, in October 2024, NIS2 was introduced, Network Information Security Version 2. And this was a mandate to all member states to implement in law their guidelines. And it has some hefty fines. If you read through it, it reads very much like GDPR, back to that painful day on the 25th of May 2018, I think from memory, where that was introduced. And again, this is putting penalties against people that are not investing and not doing the right things from a security standpoint.

And AI regulations are coming into place. And obviously, we've got things like NIST that are giving organizations a good solid framework in which to organize their company and what they're doing. And then, again, EU coming out with more AI regulations and rules, and these are going to kick in from August 2nd for us in Europe. So again, it's important that you're doing the right thing. You've got the right policies.

So how do we face the future with confidence? I keep saying this pretty much in every webinar we do. Make sure you've got a comprehensive cyber policy and that it covers domains and DNS security as part of that. Why? If we look at this illustration here, we've got a lot of things that are inside the enterprise or behind the firewall, if you like, in some respects. And then we've got a lot of things that are outside the enterprise as well, where you've got third parties doing things. You need to keep an eye on them.

The easiest way to kind of visualize this in your head is you have domains that you own and you have domains that you do not. So the domains that you own, you need to get all the right security features around them. The domains that you don't, you need to monitor and you need to keep an eye on what's happening there to see what the bad actors are doing. And that's why unless you've got domain and DNS security as part of your cyber posture and your policy, then you haven't got a completed shield. There is a hole in it in terms of your defense.

And no surprise here, you need to create your policies around AI. Understand the requirements of the AI acts relevant to your country and organization, and roll that policy out across not just your own organization, but your third-party suppliers. Anybody that you outsource to, that's handling data for you, that needs to be documented, and they need to understand your policy here. The worst thing that can happen is there is a breach and it's because of a third party that you're dealing with. So you do need to get closer to them. In business, we have this know your customer. Now it's know your partner.