CISOs Must Redefine Resilience and Governance

Carl Windsor, CISO at Fortinet, highlights how AI‑driven risk, geopolitical disruption, and nonstop cyber pressures are forcing CISOs to rethink resilience, governance, and business continuity.

Last November, Fortinet published “CISO Predictions for 2026,” which outlined the forces shaping the year ahead, including rapid AI adoption across every business function, escalating geopolitical tension, expanding regulatory pressure, and the continued industrialization of cybercrime. The conclusion was direct: The attack surface is expanding faster than traditional security models can adapt.

While these predictions explain what is coming, CISOs will have to decide how to address these challenges in an environment where AI accelerates both innovation and risk. According to the World Economic Forum’s Global Cybersecurity Outlook (GCO) 2025, 72% of organizations reported that cyber risk increased over the past year. In 2026, that risk will increasingly be shaped by AI systems making decisions at machine speed, often outside traditional security workflows.

The challenge for CISOs will not be preventing every failure. It will be ensuring the business continues to function when AI-enabled disruption occurs. Resilience is no longer simply a byproduct of security. It must be the organizing principle.

From CISO to Chief Resilience Officer

The boundary between IT risk and business risk has collapsed, accelerated by AI’s deep integration into operations, decision-making, and customer engagement. AI systems now influence supply chains, financial controls, hiring decisions, and customer interactions, often with minimal human intervention.

As a result, CISOs are no longer responsible only for securing systems. They are responsible for ensuring that AI-augmented business processes remain trustworthy, available, and controllable under stress. In practice, CISOs have already begun operating as chief resilience officers.

This evolution reflects reality. AI increases speed, scale, and dependency. In that environment, when failures occur, they propagate faster and farther. So in 2026, CISOs will need to assume that disruption will involve AI-enabled components, whether through compromised models, poisoned data, manipulated agents, or automated misuse. Success will be measured by how well organizations absorb and contain those failures.

What CISOs Are Hearing in World Economic Forum Engagements and Why 2026 Is Different

Discussions at the World Economic Forum Annual Meeting and activity across forum initiatives have decisively moved AI beyond a purely technological topic. It is now treated as a governance, risk, and resilience issue with direct implications for economic stability, national infrastructure, and global trust. Conversations increasingly focus on systemic exposure: the concentration of AI capability, reliance on shared models, cross-border data dependencies, and the risk of cascading failure when highly connected and automated systems behave unexpectedly.

Fortinet participates in these discussions, including at this month’s Annual Meeting in Davos, alongside government leaders, industry executives, and security practitioners, because what happens in these forums shapes how risk is understood and managed at a global level. Cybersecurity is no longer framed as an enterprise problem, but as a shared responsibility that cuts across public and private sectors. For CISOs, such conversations matter because they influence regulatory direction, executive expectations, and the standards by which resilience will be judged.

This shift is also reflected in organizational governance models. CISOs are gaining more direct access to executive leadership because boards now recognize that AI-related risk cannot be delegated to isolated teams. Instead, decisions about AI deployment, data access, automation, and control structures have direct consequences for operational continuity, regulatory exposure, and corporate reputation.

For CISOs, the implication is clear. In 2026, resilience planning must explicitly account for AI-driven scale, speed, and opacity. The question is no longer whether AI will be used, but whether it is being deployed in a way that is secure, transparent, and aligned with business risk tolerance. The discussions taking place in Davos reinforce that this is no longer a theoretical concern. It is a leadership responsibility.