Three Strategic Imperatives for Cyber Pros in 2026
1–5–2026 (Monday)
Hello, Happy New Year, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, January 5, 2026, and it’s time to get back to work.
While I try not to do a traditional “predictions” approach, in today’s episode I’m going to cover three things you should consider working on in 2026, and would love to hear in the comments section below what other things are going to be getting your attention this year.
Three Strategic Imperatives for Cyber Pros in 2026
Here’s the big three for me:
It’s 2026, You Need An AI Strategy
In an era of volatility, Know Thyself
Make a Friend (or two, or three)
It’s 2026, You Need An AI Strategy
Yes, we talk a lot about AI on this channel. By encouraging you to have an AI strategy, I’m not necessarily saying you have to adopt AI no matter what. Quite the opposite, in fact. What you have to do is figure out what AI can do for your organization, in terms of both delivering value and creating risk, and then have a plan for managing forward.
If you’re in knowledge work or have critical IT needs for your business, it’s going to very difficult to avoid AI altogether. It’ll come in through vendors, partners, employees, and all sorts of other ways in 2026. What you need to do is figure out where the lines are in terms of data, acceptable use, access controls, and other strategic dynamics.
If you lived through the rise of Shadow IT that the SaaS era introduced for even small enterprises, much less large ones, then you probably have at least some idea of what this change might herald. If you didn’t live through that, then I don’t know if you have a frame for just how massive this shift is going to be. The problem, of course, is that we don’t know what direction it will shift in, or when. But we do know that this shift will happen faster than our businesses can adjust, so figuring out these strategic elements ahead of time is critical - they simply can’t be done after the fact.
It also leads us nicely into the next big 2026 effort.
In an era of volatility, Know Thyself
We’re just days in to the year and we’re already getting a sense of just how crazy this year might be. The US invading Venezuela is just the start, and there’s continued concern around both Russia / Ukraine and China / Taiwan.
This doesn’t account for ransomware actors, other nation-state efforts, or the AI driven rate of change we just talked about.
Now, you and I both know that we can’t, individually, do anything about these macro dynamics. But, what we can do, is invest in a clear understanding and intentional management of the things we can control.
2026 is going to be a great year to double-down on understanding just exactly what and how your business runs, and ensuring that the critical components are resilient. This should definitely include some of the softer components, like people / identities, software / packages, and even
You can also create some significant downstream efficiencies by understanding what’s NOT in your environment, because the news of breaches, zero-days, issues and breaches will continue in 2026. Knowing what doesn’t affect you is often times just as valuable as knowing what does.
Make a Friend (or two, or three)
That brings us to our final strategic effort of the year: make friend (or two, or three).
Wired had a piece just at the end of the year headlined “Fears Mount That US Federal Cybersecurity Is Stagnating—or Worse”, with a subhead that read “Government staffing cuts and instability, including this year’s prolonged shutdown, could be hindering US digital defense and creating vulnerabilities.”
While we heard mention from President Trump about Cyber Command’s “certain capabilities” used in Venezuela agains the power grid, Wired doesn’t seem to think we should bank on those certain capabilities coming to our aid any time soon.
Instead, we’ll need to continue to build our network, relationships, and connections to get that help. In a world where synthetic relationships continue to grow, the good old-fashioned “phone a friend” is something we need to put some energy into either building or maintaining this year.
When you’re seeing something weird in your environment, or you need a sanity check on a particular decision, or you’re considering one vendor over another, the perspective of a trusted peer can be invaluable. Those relationships take time and cultivation and a sense of giving before you take. Start putting that time in now so that you can make the call when you need it. Take the call when you get it. Offer your experience. Reach out and check in. These things all matter, they all make a difference, and they’re all easy to overlook.
Fundraising
From a fundraising perspective we’ll have some updated numbers next week as the 2026 announcements trickle in over the course of this week.
We’ve already seen, however, some interesting pieces prognosticating about 2026 in the PE world, including a Sunday piece in the Wall Street Journal that reads “Private-Equity’s Consolidation Hopes May Need to Wait Past 2026,” asserting that “Underperforming buyout shops need to be pruned, but strategic M&A remains a tough proposition for all but the best performers”
That might be a tall order in an environment that’s volatile, carries lots of risk, and sees investors looking increasingly for returns, or at least liquidity.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://www.wired.com/story/expired-tired-wired-federal-cybersecurity/
https://www.wsj.com/articles/private-equitys-consolidation-hopes-may-need-to-wait-past-2026-8f204731