As 2026 begins, the cybersecurity industry faces a pivotal moment, grappling with persistent threats and emerging challenges. The year brings renewed focus on critical goals as discussed in the latest edition of Reporter’s Notebook, with Alex Culafi, senior news writer at Dark Reading, joined by Phil Sweeney of TechTarget Search Security and Eric Geller of Cybersecurity Dive. As seasoned reporters immersed in the field, the trio offers unique insights into what cybersecurity professionals should start doing, stop doing, and focus on as 2026 begins. Their conversation highlights pressing issues, emerging trends, and actionable advice for those in the industry.
Their conversation also highlights key areas that will shape the future of the industry. Social engineering attacks, such as phishing, remain a significant concern, with hackers continually refining their tactics to exploit human vulnerabilities. This underscores the need for smarter, more automated defenses that reduce reliance on individual employees as the last line of defense. At the same time, the transition to quantum-resistant encryption looms as a critical priority, with researchers warning of the potential for quantum computers to break traditional encryption methods. Organizations must begin inventorying their systems and preparing for this seismic shift to safeguard sensitive data against future threats.
Artificial intelligence also plays a dual role in the future of cybersecurity. While AI has the potential to enhance security operations, such as streamlining alert management in security operations centers (SOCs), its overuse and unrealistic promises risk undermining trust and creating new vulnerabilities. A measured approach to AI integration, coupled with a focus on mitigating its risks, will be essential as the technology becomes more pervasive.
Looking ahead, cybersecurity will require a balance between innovation and vigilance. As organizations prepare for the challenges posed by quantum computing, AI, and, increasingly, sophisticated social engineering tactics, the industry must adopt a forward-thinking mindset that prioritizes resilience and adaptability. By addressing these critical areas, cybersecurity professionals can help build a safer digital future that is equipped to withstand current and emerging threats.
Check out our other installments in this series: “Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats,” “Same Old Security Problems: Cyber Training Still Fails Miserably,” and “IoT Security Flounders Amid Churning Risk.”
Reporter’s Notebook: Full Transcript
This transcript has been edited for clarity.
Dark Reading’s Alex Culafi: Hi, everybody. Thank you for joining us for this edition of Reporter’s Notebook. I am Alex Culafi, senior news writer at Dark Reading, and I’m here with representatives from our sister publications. We are all part of the cybersecurity media group at Informa TechTarget. Phil and Eric, please introduce yourselves. Hello, Phil, you can go first.
Tech Target Search Security’s Phil Sweeney: Hello. I’m Phil Sweeney. I’m an editor with the Search Security team and I also work on Cybersecurity Dive a little bit with the news coverage.
Cybersecurity Dive’s Eric Geller: And I’m Eric Geller. I’m a senior reporter at Cybersecurity Dive, and I’m happy to be here.
DR’s Alex Culafi: Great. Thanks for joining me, guys. Happy to have you today. We are offering New Year’s resolutions for the cybersecurity industry as reporters that work as a small part of the industry every day.
As 2026 begins, we wanted to offer our resolutions for the community at large, including what cybersecurity pros should start doing—doing or start doing more of, as well as what they should stop doing.
The three of us each brought one resolution for each category and we’re going to go around and talk about each one. I want to start with what the cybersecurity community should start doing more of or start doing in general. It’ll go me, Eric, then Phil.
To start, I wanted to say that I think that the cybersecurity community should resolve to change how IT support engages with employees. I feel like too often we hear stories of not just social engineering lures where an IT support person supposedly reaches out and says, “Hey, I need your VPN password.” But even in legitimate circumstances we have real IT support staff reaching out saying that they need remote access without asking to get on camera, without doing that alternate verification that is generally recommended to avoid social engineering attacks. And the concern there is, even if it is the legitimate IT staff person, I worry that it teaches the wrong lessons to employees that if someone sends you a message through text asking for remote access, that that’s safe. I don’t know if you guys have seen that kind of stuff too.
CD’s Eric Geller: Oh yeah, all the time. And it’s amazing because you would think that the folks who are responsible for protecting the systems would have a better awareness of how not to look like one of the threats themselves, how not to create that kind of false positive. If I were them, I would think you would want to avoid that at all costs so that your users don’t get desensitized to those kinds of messages or those kinds of approaches. So, it really does surprise me and hopefully we see less of that.
DR’s Alex Culafi: Eric, how about you?
CD’s Eric Geller: So, the thing I want to see less of is a focus on cramming AI into every part of the conversation, into every product, into every product pitch. I think we’re seeing a lot of companies these days take their existing offering and add a dose of AI and say that this is new and improved because we have the robot doing part of it for you now. And there are definitely ways where AI can help make the product better or help make your use of the product better.
But there’s a lot of things that just don’t need to happen that people aren’t asking for. I mean, I think that the classic way you could tell that people don’t really want these AI features is that companies are turning them on by default and tying them to features that people do want.
So, Google just recently started adding in AI summaries to emails and documents, and if you want to turn that off, you also have to turn off some of the features that people actually like about the Gmail, Google Calendar integration, that whole ecosystem. And that’s to me just kind of a signal flare that the AI push is not coming from user demand, but it’s coming from what the companies think is in their best interest in terms of their quarterly profits and in terms of riding the AI hype train. So, I’d like to see cybersecurity practitioners scale back their own kind of eagerness to incorporate AI into everything and maybe take a little bit more of a measured approach. Where are the areas where AI actually can help, like improving the SOC where you don’t necessarily have to have a human looking at all the alerts day in and day out but being cautious really about integration of AI into other systems.
And also, as the security people in the organization, they should be thinking about the harms and the risks of AI and how to mitigate them. Let other people cheerlead for AI in terms of integration and improving ease of use, the security folks have to be sitting there saying we got to game out the worst-case scenarios and make sure that these things don’t happen. So, I want to see a little bit more of a balanced conversation this year when it comes to AI.
DR’s Alex Culafi: I’ll tell you when I’m at events talking to just whoever — not necessarily part of an interview — or if I meet someone out in the world who’s in security, I’m always asking them about the AI stuff like “What do they got you using? Do you like it?” Et cetera.
CD’s Eric Geller: Yeah.
DR’s Alex Culafi: And even in the less negative interactions I would say I have with people, a lot of the AI tooling that folks are expected to use as part of some larger organizational push: If it works, it doesn’t work as well as people want it to, and the general tone has been that it’s been more something to deal with than necessarily something that is a revolutionary life-changing thing. So maybe even as an extension of that, I’ve been hoping for a while that companies would also start selling and pitching AI more realistically in these areas that it can be much more helpful for, but I I haven’t been very optimistic about what I’ve seen, I guess. Phil?
TTSS’s Phil Sweeney: Yeah, yeah. I was thinking maybe sort of in the same neighborhood as what you’re talking about, Alex. But let’s see if we can find a better way to counter email phishing, which is a thing and still a thing. Hackers keep going back to the phishing. Well, I guess because it never, never runs dry, right? It’s inexhaustible. There’s something in your email box that looks legit. You’re in a hurry. You click. Not that I have, but I’m told people do click. Even in 2026, you know, it’s kind of amazing. It’s a well-known problem.
Even people outside of cybersecurity are aware of the threat, but it continues to work well enough. Enough of the time that for hackers and ransomware gangs, the odds are, you know, pretty good. You’re going to get a pretty good yield in each attempt. So, if it wasn’t working. Right, it would stop being a thing. But here we are. There was a recent incident where a phishing campaign lured customers of a password manager to a page where they’d be asked to plug in their information on that page. And it looked pretty good. The page it had the look and feel of a real legit page. Unless you looked really closely and then you would see that there was an 800 number to call for assistance, but it was a 555 phone number like a 1980s TV show or something so, it sort of puts the burden on the user, the individual to be that last line of defense for things that don’t get filtered out automatically by the defense systems.
So, it leads back to that user is the last person. To decide, do I click this? Do I not? Do I report it? Do I not? And that’s, you know, I don’t know what the fix here is. The industry’s tried awareness training for a long time. And Eric, you’ve written about this. You know some of this stuff works and some of it doesn’t really work, but there ought to be a better way than putting that burden on individual people in, you know, busy situations.
DR’s Alex Culafi: I agree. I feel like I’m hearing more about innovative phishing lures and AI-powered social engineering attacks more than I’m even hearing about ransomware research these days, which doesn’t necessarily reflect what’s hitting people, what’s getting people. But the social engineering phishing stuff just keeps getting more and more aggressive. And I was talking to someone from Yubico about this maybe 6 to 8 months ago and I’m like why is the focus on phishing? And he’s like because it works, because it’s still working and it’s completely working. Over at Yubico they would say FIDO authentication is the best way to handle that, which is generally good advice whether it’s a YubiKey or not, right? And some people like their authentication apps and there there’s a bunch of ways to handle it. But I do think you have touched on something which is, although awareness training is good, it still is places too much of the burden on the standard staff, the regular employees who are going to do their best but aren’t necessarily going to get it right all the time because we’re human, right?
TTSS’s Phil Sweeney: Yeah.
DR’s Alex Culafi: All right, on to our next one. Some of us shared our starts, our stops. But for my second one, I wanted to share my stop, and this is kind of a little reporter inside baseball. But something I’ve noticed start to happen in the last 6 to 8 months — not going to name names here — but I have started to receive more AI-generated quotes over email from people I interact with. I try to get on the phone as much as I can, but sometimes you’re doing a story with a quick turnaround, and sometimes you are relying on asking questions over email and getting answers over email.
As a policy for all of us, no journalist is putting AI-generated content into their stories, and it’s very easy to spot, I would say, at least today, thankfully. But my stop is: please stop sending reporters AI-generated or AI-assisted edited commentary because we can see it, we know what it is, and it takes away all of the humanity out of your very real expertise. It harms you; it harms us, it harms our readers. It’s saving a little bit of time but having, I would say, a much more negative outcome than a lot of people realize. So, the thing I want to pass to you guys is, Eric and Phil, have you received some of what I’m talking about in the last few months?
CD’s Eric Geller: You know, I try to put up a pretty gruff and imposing facade so that PR people don’t email me. In general, I don’t want to be emailed by PR people, so I think I’m probably getting a far smaller share of that kind of stuff than other people are. I also just, like, I don’t want commentary pitches, so people know that and probably are not sending them to me. But I do know that this is a common thing, and I mean, it frankly makes me wonder what a PR person even does for their job anymore. But that’s a whole separate conversation — if you don’t even have to write up quotes, why are you here? But, you know, that’s a separate Reporter’s Notebook video.
DR’s Alex Culafi: Yeah. How about you, Phil?
TTSS’s Phil Sweeney: I’d watch that. No, no, I don’t. And maybe it’s just because I don’t open my email inbox ever. But no, I hope that that’s not a trend that picks up any kind of momentum because, yeah, then we’re just going to have to go back to the old-school ways of “let me see you and hear you, and we’ll interact face to face” and do it the old-fashioned way.
CD’s Eric Geller: Yeah.
DR’s Alex Culafi: Mm-hmm. Eric, what is your other resolution for 2026?
CD’s Eric Geller: I’ll do my start now. I’d like to see folks start talking more about the looming transition to quantum-resistant encryption, and it’s not something that’s in the headlines every day, but I think for exactly that reason, a lot of companies are not taking this as seriously as they need to. They’re not getting ready. They’re not inventorying their systems to understand where and how they use encryption.
We know that this is an important transition point because pretty soon researchers are saying we’re going to start to see the early inklings of a quantum computer that may be capable of breaking standard encryption, which could expose a lot of secrets — both government and corporate — to nation-state hackers, ransomware gangs, you name it. There is a push right now by the government to get companies to pay attention to this. This started during the Biden administration. It’s continuing now under the Trump administration, which I think is a sign that everybody understands this is not partisan, that there’s going to be an inflection point.
It behooves companies to get ready for this. It behooves them to start working now on that transition period. The government is doing its own work to get ready to transition to algorithms that are resistant to these quantum computers that, again, theoretically at some future point might be able to break encryption. So I would like to see cybersecurity folks get more involved in that conversation, both publicly — making this an issue that the community is talking about publicly — but then also with the C-suite.
Again, I go back to what is the role of the cybersecurity team or division or department in a company? It’s to be the stewards of risk management. It’s to be the advisors to the leadership on how best to manage risk and reduce risk. And one of the biggest things that you can do right now as an organization to think about long-term risk is get ready for the quantum transition. So, I do hope that internally, in the boardrooms, but then also externally on social media and at conferences, we start to hear more conversations about what this looks like and what it will entail.
TTSS’s Phil Sweeney: Right. That’s a great point because it’s not something that’s going to happen in any kind of quick fashion, right? It’s going to take a long time just to, like you said, inventory and start to think about, “All right, what would it look like? How do we prepare?” You’re talking about years and years of effort, and if you don’t start, you know, you’re never going to begin and get to where you need to be.
CD’s Eric Geller: Yeah.
DR’s Alex Culafi: Mm-hmm. And Phil, your last resolution?
TTSS’s Phil Sweeney: I would like to — not glamorous here — but I’d like to stop seeing the industry ignore the known vulnerabilities. There are a lot, and it’s hard to keep up. I get that. The sheer volume, it’s immense. And not every patch is as important as another, right? You have to prioritize. I understand that some are critical, some are drop-everything critical, and some are just ignored, right?
I spoke with a CISO recently who, you know, he wasn’t defending the slow pace of patching or not patching, but we talked about how security teams worry about, “Well, if we patch this thing here, is that going to break something else over there?” There’s a trepidation there in some instances. But when you let a known vulnerability linger in your IT environment for months and years, that just seems like rolling the dice and risking something catastrophic when you know you don’t need to, right?
These are things that are known, in some cases, for a long time. There was a recent activity on an unpatched firewall vulnerability where there was something like 10,000 firewalls that were never patched on a flaw that had been discovered and disclosed in 2020. So, you know, bad stuff’s going to happen, right? We’re talking about cybersecurity, after all.
You see surveys where researchers will ask certain security professionals about breaches, and you see responses where upwards of, you know, 70% of companies will say, “Yep, we’ve been the victim of at least one serious security incident in the past year.” So, you know, these things are going to happen, but leaving an opening — one that you know about and one that cybercriminals know about — it just seems like you’re leaving it there and hoping that it doesn’t get you.
There’s plenty of stuff you can’t see coming, but these vulnerabilities that are disclosed and the patches are there, you know, it’s right there. So not a glamorous thing, right? The drudgery of it, it’s thankless work, but it’s possible to stop some of this risk. We talk about risk management — well, there it is.
Bad actors will try, and if they encounter resistance, they will move on to a less secure target, someplace where those patches aren’t being made. So, yeah, let’s see if the industry can prioritize the lowly patch in 2026.
DR’s Alex Culafi: That’s a good one to end on. Awesome. This concludes this edition of The Reporter’s Notebook. Thank you, Eric Geller from Cybersecurity Dive, Phil Sweeney from TechTarget Search Security. I am Alex with Dark Reading. Thank you very much. We will see you next time. Thanks.
