18 May 2026 · Retrospectives

CISO Challenges in 2026: Fewer Attacks, Greater Impact

The CISO’s title hasn’t changed.
But the reality of the role has.

Ten years ago, cybersecurity was still built around a relatively stable perimeter: internal networks, employee workstations, and a limited number of business applications. A fortress with clearly identified walls.

That model no longer exists.

Today, the real perimeter of an organization extends far beyond what security teams directly control. SaaS platforms activated without IT approval, third-party vendors connected to critical systems, cloud environments deployed by business teams, and unmanaged AI usage all contribute to an attack surface that is constantly evolving, fragmented, and often invisible.

The challenge is no longer just protecting the information system.
The challenge is understanding where it actually begins and ends.

Attackers, meanwhile, have adapted faster than most organizations.

Reports published by the French ANSSI, IBM, and RM3A between late 2025 and early 2026 all point in the same direction: cyberattacks are not necessarily becoming louder or more spectacular. They are becoming more precise, more discreet, and significantly more damaging.

01. The Threat Landscape Has Fundamentally Changed

At first glance, some indicators may appear reassuring. Fewer high-profile ransomware cases. Fewer large-scale attacks dominating headlines. Less visible chaos.

But beneath this apparent calm, cyber risk has undergone a profound transformation.

According to RM3A, France recorded 54,000 cyber incidents during Q1 2026, representing a 37% increase compared to the same period the previous year.

At the same time, ANSSI reported a sharp increase in data exfiltration incidents:
196 documented cases in 2025, compared to 130 in 2024.

Cybercriminal groups are gradually shifting away from noisy ransomware operations toward quieter and more strategic intrusion models focused on:

  • data theft,

  • espionage,

  • extortion through exposure,

  • and long-term persistence.

The most revealing figure may come from IBM: 241 days was the global average time required to detect and contain a breach in 2025.

In practical terms, this means an attacker can remain inside an organization’s environment for more than eight months before being stopped.

Eight months to:

  • map assets,

  • understand internal workflows,

  • identify critical dependencies,

  • and prepare high-impact operations.

The core issue is no longer simply preventing attacks.
It is achieving real visibility.

In many cases, attackers know your perimeter better than you do.

Vladimir Kolla - Patrowl Co-founder

02. The Attack Surface No Longer Stops at the Enterprise Boundary

The most significant cyber incidents of 2025 and 2026 all share one common characteristic:
the initial weakness was not located inside the primary victim’s infrastructure.

It was located somewhere in the ecosystem.

The attack against Marks & Spencer in April 2025 perfectly illustrates this shift. Attackers did not compromise M&S directly. Instead, they targeted Tata Consultancy Services, the company’s IT helpdesk provider. The consequences were severe: online operations disrupted for 46 days, supply chain issues, and hundreds of millions of pounds in losses.

The same logic appeared in the Cegedim Santé breach in February 2026. By compromising a single SaaS provider, attackers indirectly gained access to the data of thousands of French medical practices. More than 15 million patient records were exposed.

The Eurofiber France incident pushed the concept even further: one compromised telecom operator impacted more than 3,600 customers, including SNCF, Airbus, Orange, and multiple government entities.

These incidents reveal a critical reality:

An organization’s attack surface is now inseparable from its ecosystem.

Third-party vendors.
Cloud providers.
SaaS applications.
Operational partners.
Subsidiaries.

Mapping only what you directly own is no longer enough.

03. Attacks Have Become Harder to Detect

One of the most important changes observed since 2025 is the growing discretion of attackers.

The objective is no longer always disruption or encryption.
Increasingly, the goal is persistence.

One technique illustrates this evolution particularly well: self-patching.

The scenario is straightforward:

  1. an attacker exploits a critical vulnerability on a VPN or edge device;

  2. establishes persistent access;

  3. then applies the security patch themselves.

As a result:

  • the vulnerability disappears from scans,

  • security reports return “green,”

  • but the attacker remains active inside the environment.

From the security team’s perspective, the device appears compliant.
From the attacker’s perspective, the operation remains successful.

This exposes the limitation of purely periodic, point-in-time security approaches:
closing the entry point does not remove the intruder.

It also challenges traditional security models built primarily around:

  • scheduled scans,

  • static inventories,

  • and periodic audits.
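One way to surface the self-patching case described above is to treat a finding that goes green without a matching change record as a signal to review rather than a success. The following is an added example, not Patrowl's code; it assumes constructed scan results, a constructed change log, and a placeholder CVE identifier.

```python
"""Spot vulnerability findings that closed without an explaining change record.
Added example, not Patrowl's code; the scan history and change log below are
constructed sample data and the CVE identifier is a placeholder, not a real CVE."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ScanResult:
    asset: str
    cve: str
    vulnerable: bool
    seen_at: datetime

@dataclass(frozen=True)
class ChangeRecord:          # a patch applied by the organisation's own teams
    asset: str
    cve: str
    applied_at: datetime

def unexplained_closures(scans, changes, window=timedelta(days=7)):
    """Return (asset, cve, closed_at) for every vulnerable -> fixed transition that
    no change record for the same asset and CVE explains within `window` before
    the closing scan. Those are the 'green' results worth a compromise review."""
    history = {}
    for s in sorted(scans, key=lambda s: s.seen_at):
        history.setdefault((s.asset, s.cve), []).append(s)
    flagged = []
    for (asset, cve), runs in history.items():
        for prev, cur in zip(runs, runs[1:]):
            if not (prev.vulnerable and not cur.vulnerable):
                continue
            explained = any(
                c.asset == asset and c.cve == cve
                and cur.seen_at - window <= c.applied_at <= cur.seen_at
                for c in changes)
            if not explained:
                flagged.append((asset, cve, cur.seen_at))
    return flagged

# Constructed sample data: two edge devices went green on the same day, but only
# one of them has a matching change ticket.
CVE = "CVE-0000-0001"  # placeholder, not a real identifier
SCANS = [
    ScanResult("vpn-edge-01", CVE, True, datetime(2026, 3, 1)),
    ScanResult("vpn-edge-02", CVE, True, datetime(2026, 3, 1)),
    ScanResult("vpn-edge-01", CVE, False, datetime(2026, 3, 8)),
    ScanResult("vpn-edge-02", CVE, False, datetime(2026, 3, 8)),
]
CHANGES = [ChangeRecord("vpn-edge-01", CVE, datetime(2026, 3, 6))]
```

Running `unexplained_closures(SCANS, CHANGES)` flags only vpn-edge-02, the device whose finding vanished with nobody on the inside having touched it.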

04. The New Blind Spots Facing CISOs

Several categories of assets now concentrate a significant portion of real-world exposure precisely because they often escape traditional governance and inventory processes.

Orphaned Subdomains

Forgotten staging environments.
Legacy acquisitions.
Abandoned pilot projects.

These assets often remain publicly accessible long after internal teams have stopped monitoring them.

In many cases, they no longer appear in any official inventory.

Yet they still respond on the internet.

Unpatched Edge Infrastructure

VPNs, firewalls, Citrix, Ivanti, and Fortinet appliances have become priority targets.

Why?

Because they provide direct access into enterprise environments.
And because exploitation windows are now measured in hours rather than weeks.

The issue is no longer just the vulnerability itself.
It is the growing gap between attacker speed and organizational response time.

Misconfigured SaaS and Cloud Services

Cloud adoption has dramatically accelerated business agility.

It has also accelerated exposure.

Entire applications can now be deployed without security validation, sometimes exposing:

  • administration interfaces,

  • unauthenticated APIs,

  • excessive permissions,

  • or insecure default configurations.

All without clear visibility from security teams.

05. Shadow AI Is Already Reshaping Enterprise Risk

Shadow IT never disappeared.
It evolved.

With generative AI, integrating a new tool into business workflows no longer requires:

  • deployment projects,

  • complex integrations,

  • or IT involvement.

A browser and a few clicks are often enough.

The problem is that these tools do not simply process files.
They ingest context:

  • internal conversations,

  • HR information,

  • source code,

  • client discussions,

  • strategic documents.

Often without governance or visibility.

Common examples are already emerging:

  • developers pasting sensitive code into ChatGPT;

  • HR teams connecting AI recruitment tools through OAuth;

  • sales teams using AI assistants to summarize customer negotiations.

In each case, sensitive information leaves the organization’s traditional security perimeter.

According to IBM, 20% of breaches in 2025 already involved Shadow AI as either a contributing factor or an exposure vector.

This is no longer a theoretical discussion.
It is already operational reality.

06. Compliance Is Becoming Continuous Evidence

Frameworks such as NIS2, DORA, and ReCyF are fundamentally changing the logic of compliance.

For years, many organizations relied on documentation-heavy approaches:

  • annual audits,

  • static policies,

  • declarative compliance.

That model is reaching its limits.

Auditors now expect evidence that is:

  • continuous,

  • timestamped,

  • verifiable,

  • and immediately available.

Three areas are becoming central:

  • visibility over exposed assets;

  • mapping of third-party dependencies;

  • traceability of vulnerability remediation.

The €42 million CNIL fine imposed on Free Mobile in January 2026 sent a strong signal across the European market:
regulatory sanctions are no longer theoretical.

Yet there is also an important positive shift.

Organizations that implement continuous exposure visibility often improve, almost automatically:

  • operational security,

  • governance maturity,

  • risk management,

  • and regulatory readiness.

In other words, compliance increasingly becomes the consequence of operational maturity rather than a standalone objective.

07. Regaining Control

The primary challenge for CISOs in 2026 is not adding more security tools.

Most large organizations already operate dozens of overlapping security solutions. Yet security teams continue facing the same problems:

  • too much noise,

  • too little visibility,

  • too little time.

The real challenge is developing the ability to continuously understand real-world exposure.

Like an attacker would.

From the outside.

At all times.

This requires a fundamentally more dynamic approach:

  • continuous discovery of exposed assets;

  • monitoring third-party dependencies;

  • identifying new exposures quickly;

  • maintaining immediately usable evidence trails.
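As an added illustration of the evidence trail this list and section 06 call for (not Patrowl's code), the following records each external exposure check as a timestamped entry chained to the previous one, so that later edits or deletions are detectable; the inventory and discovered host sets are constructed.

```python
"""Turn each external exposure check into a timestamped, tamper-evident record.
Added example, not Patrowl's code. The inventory and the discovered host sets are
constructed; hostnames use the reserved example.com domain."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # the first record chains to this fixed value

def diff_exposure(inventory: set, discovered: set) -> dict:
    """Compare what the organisation thinks it owns with what actually answers."""
    return {
        "unknown": sorted(discovered - inventory),  # responds, but in no inventory
        "missing": sorted(inventory - discovered),  # inventoried, but no longer seen
    }

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_record(trail: list, run_at: datetime, diff: dict) -> dict:
    """Append a record whose hash covers its content and the previous hash."""
    body = {"run_at": run_at.isoformat(), "diff": diff,
            "prev": trail[-1]["hash"] if trail else GENESIS}
    record = {**body, "hash": _digest(body)}
    trail.append(record)
    return record

def verify_trail(trail: list) -> bool:
    """Recompute every hash; any edited or removed record breaks the chain."""
    prev = GENESIS
    for r in trail:
        body = {k: r[k] for k in ("run_at", "diff", "prev")}
        if r["prev"] != prev or _digest(body) != r["hash"]:
            return False
        prev = r["hash"]
    return True

def build_sample_trail() -> list:
    """Two constructed runs: a forgotten staging host shows up, then gets removed."""
    inventory = {"www.example.com", "vpn.example.com"}
    runs = [
        (datetime(2026, 4, 1, tzinfo=timezone.utc),
         {"www.example.com", "vpn.example.com", "staging-old.example.com"}),
        (datetime(2026, 4, 8, tzinfo=timezone.utc),
         {"www.example.com", "vpn.example.com"}),
    ]
    trail = []
    for run_at, discovered in runs:
        append_record(trail, run_at, diff_exposure(inventory, discovered))
    return trail
```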

Because in 2026, the main problem is no longer just the attack itself.

The real problem is the exposure nobody sees.