ChatDPS

Episode 49: Cybersecurity in 2026 — Risk, Regulation & a Return to Basics

Navigating the New Year: Security, Governance, Risk & Compliance in 2026

As 2026 begins, security leaders aren’t facing a single new challenge; they’re facing convergence. Geopolitical tension. Expanding regulation. Cloud concentration risk. Sovereignty debates. Escalating penalties. AI acceleration.

In Episode 49 of ChatDPS, Nick, Adam, and Robert unpack what 2025 taught us, and what organisations must get right in 2026.

The message is clear: complexity is rising, but the solution isn’t more noise. It’s stronger fundamentals.

A Year of Acceleration — and Consequence

The past 12 months delivered major regulatory shifts across privacy, cybersecurity, AI governance, ransomware reporting, and online safety. At the same time, high-profile breaches and service outages intensified scrutiny on boards and executives.

As Robert notes, it’s easy for leaders to feel overwhelmed:

“There’s been so much change in the law over the last couple of years — your head can start swirling.”

But regulatory expansion isn’t theoretical anymore. Financial penalties are landing. Enforcement is real. And expectations of due care are rising.

For 2026, organisations must move from reactive compliance to proactive risk management.

Data Sovereignty and the Cloud Recalibration

One of the strongest themes emerging from the discussion is the shift in cloud thinking.

For years, “cloud-first” dominated strategy conversations. But geopolitical tension and data sovereignty concerns are now reshaping that mindset. Across Europe and Australasia, organisations are reconsidering concentration risk and their reliance on overseas hyperscalers.

As Adam puts it:

“Once you take away ownership of a thing, you no longer have control of that thing.”

Recent DNS-related outages affecting major global platforms reinforced a deeper issue: trust and resilience. When foundational infrastructure fails, even the largest providers are vulnerable.

Boards are now asking harder questions:

  • Should we be all-in with one cloud provider?
  • What are the consequences if that provider goes down?
  • Do we need diversification?
  • Does hybrid make more sense?

The consensus: 2026 may mark the return of balance — a pragmatic mix of cloud and on-premises rather than ideology-driven architecture.

The ACL Penalty: A Regulatory Turning Point

The Australian Clinical Labs (ACL) breach — and the Privacy Act penalty of almost $6 million that followed — signalled a new era of enforcement.

This was not merely about breach notification. It was about inadequate cybersecurity practices. That distinction matters.

Regulators are no longer focused only on whether an organisation reports an incident. They are scrutinising whether reasonable steps were taken to prevent it. For CISOs and boards, the implication is clear: cybersecurity maturity is now directly tied to financial and reputational risk at the executive level.

“Cloud-first is kind of dying. In 2026, we’ll see a happier medium between cloud and on-prem.”
Adam Cunningham

The Evolving Role of the CISO

With enforcement rising and infrastructure risk increasing, the CISO role continues to expand beyond technical oversight.

Today’s CISO must:

  • Translate technical risk into business language
  • Influence board-level decision-making
  • Integrate compliance into operational culture
  • Ensure resilience is embedded, not bolted on

Security is no longer a back-office function. It is a governance issue. And governance requires structured thinking.

Back to Basics — But With Intent

Despite the complexity of modern risk landscapes, the episode repeatedly returns to a deceptively simple theme:

“Get those basics right.”

Adam challenges technology leaders to strip away unnecessary complexity:

  • Are systems patched and up to date?
  • Is multi-factor authentication enforced?
  • Are backups tested?
  • Are changes properly validated?

He makes a critical point:

“Those very basic ideas reduce more risk than any of the big-ticket things people talk about.”

Robert reinforces this with a framework mindset. Start by identifying assets. Define what matters. Understand the threats. Design detection, response, and recovery. Train people. Then mature from there.

Before chasing certifications or standards like ISO 27001, organisations must ensure foundational controls are operational and effective. Most incidents, after all, still originate with people rather than with exotic technical failures, which is why training belongs among the fundamentals.

Framework Thinking for 2026

Rather than reacting to every new regulation or headline, the episode advocates lifecycle-based thinking, built on the same core functions familiar from the NIST Cybersecurity Framework:

  1. Identify critical assets and data
  2. Protect with appropriate controls
  3. Detect anomalies early
  4. Respond decisively
  5. Recover with tested resilience

This structured approach allows organisations to align cybersecurity with business outcomes — not just compliance checklists.

Key Takeaways for the Year Ahead

As 2026 unfolds, organisations should focus on:

  • Proactive risk management over reactive compliance
  • Diversified and resilience-driven cloud strategies
  • Board-level engagement on cybersecurity governance
  • Strong foundational controls such as patching, MFA, and tested backups
  • Cultural awareness and staff training
  • Framework-based security maturity

The landscape will continue to evolve. Laws will expand. Threat actors will adapt. Technology will accelerate.

But the organisations that succeed won’t necessarily be the ones with the most tools.

They’ll be the ones that understand their risks, own their controls, and build from strong foundations.

2026 isn’t about reinventing cybersecurity.

It’s about doing it properly.