Attack Surface Visibility Tops CISO Infrastructure Security Priorities for 2026

19 January 2026 at 02:32

As organizations look toward 2026, infrastructure security is becoming one of the most defining challenges for cybersecurity leaders. Expanding cloud adoption, hybrid IT environments, growing reliance on APIs, and a rapidly widening digital footprint are making it harder for organizations to understand what assets they actually own and expose to the internet. Against this backdrop, attack surface visibility is emerging as a central concern for CISOs shaping their long-term cybersecurity strategy.

To understand how security leaders are prioritizing these challenges, The Cyber Express (TCE) conducted a LinkedIn poll asking, “What will be the top infrastructure security priority for CISOs in 2026?” The results point clearly to a growing consensus: before organizations can defend effectively, they must first gain visibility into their expanding digital attack surface.

The Cyber Express Poll Results: Attack Surface Visibility Takes the Lead

The poll generated strong engagement from cybersecurity professionals across roles and industries. The final results were:
  • Attack surface visibility – 40%
  • Cloud and hybrid security – 25%
  • Identity and access security – 25%
  • Ransomware resilience – 10%
With 40% of respondents selecting attack surface visibility, it emerged as the top infrastructure security priority for CISOs heading into 2026. The result reflects a growing recognition that organizations cannot secure what they cannot see — particularly as assets are spread across cloud platforms, SaaS tools, APIs, endpoints, development environments, and third-party services.

Both cloud and hybrid security and identity and access security tied for second place, each receiving 25% of the vote. Ransomware resilience, while still a major operational concern, ranked lower at 10%, suggesting that many security leaders are shifting focus toward foundational controls that reduce exposure before attacks occur.

Why Attack Surface Visibility Is Rising to the Top

The dominance of attack surface visibility in the poll reflects a practical reality facing modern enterprises. Infrastructure today is no longer limited to on-premise servers and corporate networks. It now includes cloud workloads, remote endpoints, APIs, shadow IT, and externally facing services that change constantly. Without accurate, real-time visibility into these assets, even mature cybersecurity strategies struggle to apply controls consistently or detect threats early enough to prevent impact.

Marcos S, Founder & CEO and Senior Full Stack Developer specializing in email infrastructure and cybersecurity, highlighted this shift in focus. He said, “It's interesting to see how organizations are adjusting their focus towards infrastructure security as digital transformation accelerates. Investing in robust API security solutions could play a crucial role when facing evolving threat landscapes.” His comment underscores how modern attack surfaces are increasingly shaped by APIs, integrations, and digital services that were not part of traditional security models.

“They’re All Intertwined” — The Link Between Visibility, Cloud, and Identity

While attack surface visibility topped the list, the close ranking of cloud and hybrid security and identity and access security shows how interconnected modern infrastructure security priorities have become. Mary Teisserenc, who works in MFA and access security for Active Directory, captured this reality in a comment on the poll. She wrote, “It's hard to alienate all of these, they're so intertwined. How do you have hybrid security without strong IAM?” Her observation reflects a common challenge for CISOs: visibility alone is not enough if identity controls are weak or cloud environments are misconfigured. Each layer of infrastructure security depends on the others to be effective.

CISO Priorities for 2026: Identity, AI, and Leadership

The themes emerging from the TCE poll closely mirror what senior security leaders are already predicting. Adam Palmer, CISO at First Hawaiian Bank, recently shared his top three predictions for cybersecurity in 2026:
  1. AI becomes the foundation of security operations, but governance lags adoption.
  2. Boards will continue to seek CISOs who translate risk into business decisions.
  3. Identity becomes the dominant control strategy led across PAM, Zero Trust, and SSO.
He added, “Across all three predictions, the differentiator will not be technology. It will be leadership.” Palmer’s post reinforces why identity and access security and attack surface visibility are gaining traction as top CISO priorities for 2026. Both are foundational controls that support AI-driven operations and help translate cyber risk into business impact.

AI, Scale, and a Growing Digital Attack Surface

Matthew Rosenquist, Founder of Cybersecurity Insights and CISO at Mercury Risk, also pointed to artificial intelligence as the defining force shaping cybersecurity in 2026. He warned that attackers will use AI to scale proven techniques faster and more effectively, while defenders struggle to keep pace. He said: “AI is an amazing tool for computing, but in 2026, there will be significant pain, public failures, and a few uncomfortable Board conversations.” As attacks become faster and more automated, blind spots in the digital attack surface will become far more dangerous — further elevating the importance of continuous visibility.

From Strategy to Execution

Industry research is also pushing CISOs toward execution-focused priorities. William Luders, Business Development Associate at Gartner, highlighted key initiatives leaders have recently prioritized:
  • Developing an actionable zero-trust strategy
  • Maturing governance with NIST CSF 2.0
  • Embedding cybersecurity into GenAI governance
  • Enhancing data security with cyberstorage
  • Monitoring and managing OT, IoT, and IIoT systems
He asked, “Which of these initiatives will you prioritize in 2026? And how will you measure success?”

A Clear Shift Toward Foundational Security

Taken together, the poll results and industry perspectives reflect a practical shift in how CISOs are approaching infrastructure security. Rather than prioritizing isolated threat categories, leaders are increasingly focusing on core capabilities that support every layer of defense — particularly attack surface visibility, identity control, and governance. The strong preference for attack surface visibility highlights a growing recognition that security programs cannot function effectively without a clear understanding of what needs to be protected. As CISO priorities for 2026 continue to evolve, infrastructure security is shaping up to be less about deploying more tools and more about strengthening fundamentals — visibility, identity, leadership, and execution.

NIST Releases Draft AI Cybersecurity Guidance to Address Risks of Enterprise AI Adoption

17 December 2025 at 01:14

Artificial intelligence is increasingly embedded in enterprise environments, creating new cybersecurity risks alongside operational benefits. To address this shift, the National Institute of Standards and Technology (NIST) has released a preliminary draft of guidance called the Cyber AI Profile, aimed at helping organizations align their cybersecurity strategies with AI adoption. These draft NIST guidelines are presented in a new document known as the Cybersecurity Framework Profile for Artificial Intelligence (NISTIR 8596), commonly referred to as the Cyber AI Profile. The publication is intended to help organizations apply the NIST Cybersecurity Framework, specifically CSF 2.0, to the secure and responsible use of AI technologies. The goal is to accelerate AI adoption while mitigating the cybersecurity risks that accompany AI’s rapid advancement. 

Why Do We Need AI Cybersecurity Guidelines? 

According to NIST, AI affects cybersecurity in multiple ways. Organizations must secure AI systems themselves, consider how AI can strengthen cyber defense operations, and prepare for a growing class of AI-enabled cyberattacks. The Cyber AI Profile reflects this reality by organizing its guidance around three overlapping focus areas: securing AI systems, conducting AI-enabled cyber defense, and thwarting AI-enabled cyberattacks.

Barbara Cuthill, one of the authors of the profile, stresses that organizations cannot afford to treat AI as a distant concern. “Regardless of where organizations are on their AI journey, they need cybersecurity strategies that acknowledge the realities of AI’s advancement,” she said.

Inside the Cyber AI Profile and Its Three Focus Areas 

The Cyber AI Profile is the result of a year-long collaborative effort involving NIST cybersecurity and AI specialists, supported by extensive public engagement. Over the course of the project, more than 6,500 individuals joined a community of interest to provide input. NIST released an initial concept paper in February 2025, followed by a workshop in April 2025 and a series of community meetings during the summer. This process led to the release of the preliminary draft, which is now open for a 45-day public comment period.

Each of the three focus areas addressed in the Cyber AI Profile serves a distinct role. Securing AI systems involves identifying cybersecurity challenges that emerge when AI is integrated into organizational infrastructure and ecosystems. Conducting AI-enabled cyber defense examines how AI can be used to strengthen cybersecurity operations while recognizing the risks associated with deploying AI in defensive roles. Thwarting AI-enabled cyberattacks focuses on building resilience against threats that use AI to increase their scale, speed, or effectiveness.

“The three focus areas reflect the fact that AI is entering organizations’ awareness in different ways,” Cuthill said. “But ultimately every organization will have to deal with all three.”

Applying CSF 2.0 and the NIST Cybersecurity Framework to AI 

Through the lens of the NIST Cybersecurity Framework, the Cyber AI Profile helps organizations clarify their cybersecurity objectives related to AI and CSF 2.0. It offers structured insights to help organizations understand, evaluate, and address AI-related cybersecurity concerns while integrating AI into existing cybersecurity programs in a deliberate way.

NIST refers to the Cyber AI Profile as a “community profile,” meaning it applies CSF 2.0 to shared goals across multiple sectors. The Cyber AI Profile joins similar community profiles developed for manufacturing, financial services, telecommunications, and other industries.

The preliminary draft is intended to gather public feedback before NIST releases an initial public draft in 2026. That version is expected to refine the guidance further and include expanded mappings to additional NIST resources. When finalized, the profile will help organizations incorporate AI into cybersecurity planning by identifying priority actions.

Cuthill said the authors hope the Cyber AI Profile will continue to evolve as a practical resource. “The Cyber AI Profile is all about enabling organizations to gain confidence in their AI journey,” she said. “We hope it will help them feel equipped to have conversations about how their cybersecurity environment will change with AI and to augment what they are already doing with their cybersecurity programs.”