Ready.Set.Midmarket! Podcast: What CISOs Should Prioritize In 2026

In this episode of Ready.Set.Midmarket! we explore the evolving landscape of cybersecurity leadership in 2026 with leading CISOs and industry innovators. Discover the key shifts, challenges, and strategic priorities shaping the future of security for midmarket organizations.

Cybersecurity in 2026 is less about perimeter defenses and more about identity, control depth, and managing complex tool ecosystems. Talent development, strategic simplification, and leveraging AI are critical for midmarket CISOs aiming to stay ahead of evolving threats.

Topics we cover include:

Our Guests:

Richard Bird - Chief Security Officer, Singulr AI

Chris Boehm - Field CTO, Zero Networks

Cyrus Robinson - Vice President of Security Operations at C3 Integrated Solutions

The full episode can be watched on YouTube and heard on Spotify and Apple Podcasts.

https://www.youtube.com/embed/_K9A8iuxU_8?si=jdptPTHbw9pPv97C

Previous RSM! episodes are here.

https://player.simplecast.com/c879811e-77a1-45f0-8b89-75df14cbad35?dark=false

Transcript

Adam Dennison

Hello and welcome. Welcome to Ready Set Midmarket!, the MES Computing Podcast for all things midmarket IT. I'm Adam Dennison, Vice President of MES. And as always, I'm joined by Samara Lynn. She's our Senior Editor for MES Computing. And today's topic we're going to be looking at is CISO strategies and priorities for 2026. And we are a little bit well into 2026, so we're going to kind of get a sense of where things are at and where things are going to be heading over the next nine months or so. Joining us today, I want to welcome Chris Boehm. He's the field CTO for Zero Networks. Welcome, Chris.

Also want to thank Richard Bird for joining us. He's the chief security officer for Singulr AI. Hey Richard.

Richard Bird

Great to be here.

Adam Dennison

Thank you. And finally, have Cyrus Robinson as our third guest. He's vice president of security operations at C3 Integrated Solutions. Welcome, Cyrus.

Cyrus Robinson

Thanks Adam, happy to be here.

Adam Dennison

Thanks. So before we get started into some of the Q & A and in the meat of things, Richard and Cyrus, Richard, we'll start with you. Kind of give us a quick overview of your role, kind of what you're doing today and just a couple of sentences on what you're up to right now.

Richard Bird

Sure. Well, Chief Security Officer at Singulr, I've been on the startup side for about eight or nine years now. I spent 24 years in the corporate world. I was the CISO that was buying stuff and the CIO that was buying stuff back in the day. And now I'm hopefully using that knowledge transfer to help solutions companies do the right thing. But I also mentor and exchange with a lot of my former colleagues in the enterprise side. So I just like to think I'm an anthropologist of use cases and interesting best practices that I try and share with folks.

Adam Dennison

Thank you. Cyrus, why don't you give us a quick intro?

Cyrus Robinson

Sure, I'm Cyrus Robinson, the VP of Security Operations at C3 Integrated Solutions. In that role, I lead the Managed Security Services team. So I like to think of it as my responsibility is leading and teaching the team that's responsible for defense against the dark arts and cybersecurity. So at C3, we're focused on providing technology security.

Adam Dennison

And great. Chris, why don't you introduce yourself?

Chris Boehm

Yeah, everyone. My name is Chris Boehm. I am a field CTO here at Zero Networks. As you may or may not be aware, this role is different in every organization. Mine influences marketing, go to market strategy, sales, working with customers, engineering efforts. So I get to touch all the exciting parts of the business, including what is new and exciting to where is the industry going in cybersecurity. And it's one of my passions, being in this space for over 15 years myself.

Adam Dennison

Great. Well, welcome gentlemen. I'm happy to have you here. Why don't we go ahead and get things kind of kicked off. As I mentioned, you know, we're looking at kind of overarching -- what are some of the top strategies and priorities that are on the minds of CISOs today. Obviously, technology is moving at warp speed and security within that is constantly changing. You know, what's... what's good today is probably going to be changing within the next few months. But as we can look at it right now, you know, first quarter of 2026, what are some of those kind of topics? How have things changed over the last, you know, six to 12 months? And what should they really be kind of concerning themselves with today? And go ahead and why don't we just start with you, Cyrus, and then we'll get some other feedback.

Cyrus Robinson

Sure. So I think that what's changed the most for folks in the CISO role is that they've started moving closer to operations and risk ownership. So especially in the defense industrial base with CMMC being real and not just some framework that's on the horizon. I think that CISOs are beginning to own accountability of whether their controls actually work, not just whether they exist on paper.

Adam Dennison

Got it. Other thoughts, Richard or Chris?

Richard Bird

I'd definitely fully endorse the notion that CISOs are being forced to move inward from securities to controls. You know, we've had this bad problem of just treating controls as binary. They either exist or they don't. And because security designs controls and pushes us back to control owners, nobody's really been keeping tabs on whether they're actually effective or not.

So I think that a lot of concerns that have manifested in terms of massive amounts of false positive signaling and all of that are suggesting that controls aren't working the way that they're intended to. And that's actually becoming much more complicated now with CISOs, which I'm seeing in 2026. CISOs are now being given the mantle of security around AI things.

And this transactional dynamic nature of AI is going to static or legacy control sets even harder. So definitely a lot of rethinking going on in the CISO seat about how to address all of these emerging needs.

Adam Dennison

Chris, why don't you add your perspective?

Chris Boehm

Yeah, I can echo both Cyrus and Richard. I see the CISO role changing, especially in 2026, it's really all about governing digital risk and making sure your business is moving faster. You'll see this trend this year, I promise you, and next year, business resiliency. And there's a few things that are driving this. One of them is identity has become an issue of a real perimeter within all businesses. This is because of SaaS, cloud, APIs, remote access, vendor access. The expansion has gone so far because of how our industry has shifted. Identity is now first to mind. So CISOs have to concentrate on that focus point. The other one is kind of what they both just mentioned is there's the ecosystem of so many different tools and vendor ecosystems out there. The average company has over a hundred SaaS platforms in any company. They have so many different intersections and communications back to that identity challenge. And the third one is huge in my personal opinion, and which was brought up just a second ago was AI acceleration. There's so much debt, technical debt, and then there's moving faster as a business, staying on top of it, leveraging AI. So it's really changing how CISOs are having to shift their mindset, not just to protecting, but including and making sure the business is continuously moving forward and not having performance issues. They don't want to be in the news or they're down for two weeks because of the fact that they didn't do their job appropriately. So that's really where the shift is continuously going forward.

Adam Dennison

Yeah, well, I want to dig in a little bit around the sprawl discussion. I think that that's interesting. You certainly hear it from a cloud perspective, different SaaS applications, can't manage them. They don't even know necessarily what they have. And then even from a security standpoint, right? You know, Samara and I here at MES, we have a lot of security vendors that are, that participate and sponsor our events and want to be in front of the midmarket buyers. And there's an awful lot of them out there.

And it's challenging to determine which ones to choose, which ones overlap, which one, somebody's always coming out with something new and this is the next threat and you gotta have this specific tool. How challenging is that for a CISO to get their arms around all those different tools that they have, the massive investments they're making on it and how can they kind of wrangle that in and put some checks and balances around that and really understand which ones they need to have and which ones might be nice to have or can I double down with a specific vendor and it covers three, four different areas and I don't have to have these multiple vendor relationships around a specific initiative.

Cyrus Robinson

So I'll weigh in here. So I think that one of the things that is happening is that CISOs are deprioritizing nice-to-have security tools. As you just mentioned, the nice-to-haves, I think anything that adds complexity without improving detection and containment or basically being able to evidence your controls and what your control depth is. Meaningful ways to rein in identity sprawl and vendor sprawl as well. I think that those things are being deprioritized, especially in the midmarket where they're moving from breadth of coverage to control depth now.

Chris Boehm

Yeah, I can echo Cyrus on this one. I mean, every time a CISO takes on a new SaaS platform or vendor or whatever, they're taking on a new user, new accounts, new access, and then all of a sudden, your company is trusting it. Let's just use the concept of agentic AI or AI, and I know this is going to be obviously a constant talk point here, but you allow AI to be in your environment.

Okay, well you allow it to encourage in some form or fashion this one database. Well, all of a sudden your dev team is using it and it's spreading everywhere because privilege access isn't being utilized appropriately. That opens up the risk of where is the weak of connections? What is not being utilized? What is actually being emphasized?

So kind of going back to the tool conversation, I don't think most companies have full graphs of what their tools are actually utilized. Even in my previous companies, we had dedicated teams to encourage you to utilize our tools effectively because we knew that if you don't utilize it, you're sticking, you're going to start going toward other places. So that's like the platformization conversation. But then there's the shift. And I've been talking to some CISOs like I don't like the platformization conversation. I feel it's too forced. There are other negatives by going in that direction. You feel like you're literally limited and stuck in this bubble of I have to be with this vendor for the rest of my life. So, there's the other scope of understanding, like, where can I as my business, what is really best for me? Is the platformization conversation really the right play?

So, I would truly take a step back before aligning yourself to a full platformization conversation to say, is this what my business needs? Am I paying for what I need to utilize? And then make that decision as a business where you can drive yourself forward appropriately. And don't over capitalize on too many tools. Actually, hit the tools that you can say, here's a dot line item. I did accomplish it this year.

Adam Dennison

And you know, when you think about the threats that CISOs have to combat and plan for and prepare for, would you say right now that it's more external that they're concerned about or internal employees, either employees behaving badly or employees doing things that, you know, behaving unawarely, if you say. I know I'm behind right now on updating some of my security standards and checkpoints and whatnot that I have to do with my own organization. But what's that balance look like in terms of external threats versus an employee making a mistake or an employee behaving badly? How much time do you think is spent in today's CISO mind and within their teams measuring and balancing that?

Chris Boehm

The main thing that I would say is not every business is in the same maturity model of where you are today. Really in my mental state of what I would say a CISO should be focusing on is reducing the possibility of an attack path. That's why Zero Trust, these frameworks are coming out, they're pushing you to a tier one to tier five, this is where you wanna go always. Now is every company doing that? Not necessarily, and each one has its own focus. I've already brought it up, business continuity, business resilience.

How can you continue moving forward and making sure your business is doing well? So to answer your question, is it internal or external? I think it's both and it'll never change. Now the real question is, I think they're looking more internally than they ever had before because it used to be perimeter, perimeter, perimeter, but now it's like, okay, well every major attack, every ransomware event, every identity scope solution, they get in and that's when the destruction really occurs.

So, we're hoping these 20 to 50 tools are doing their job to block the perimeter, but when they get in, that's where the fear kicks in. Because a lot of companies don't have a good answer for that right now.

Samara Lynn

If I can just jump in for a second. We just covered a report from HP Wolf Security that said that the perimeter is really vulnerable right now. And it's really the endpoints that really need to be the focus. And I mean, I would think that that's something that CISOs should already know. Is there a lack of defenses once a threat actor gets past the perimeter?

Richard Bird

I mean, I'll jump in on that just simply from the standpoint that one of the overarching misperceptions is that a perimeter even exists anymore. We have spent 40 years building a security ... we've built walls, moats, firewalls, defensive protections. And once anything from the outside is inside, it looks like an insider anyhow.

It just does and it leaves with the goods. So there's definitely some struggles that we're going to have trying to address this kind of problem that we have with things leaving our boundaries because we built things to keep things from coming in.

Cyrus Robinson

I think that obviously perimeter still matters, endpoints still matter, but the reality is that organizations today are moving towards a basically, or if they're not moving towards this direction, they should be basically in an assume breach position.

Once you get past the perimeter, if you don't have your identity access management, if you don't have that lined up, if you don't have an understanding of where your data is and how it's classified and where it's stored, basically you're still at risk. So, once you're past the perimeter, identity is basically where your blast radius is either contained or limited.

And so I think that this is one of the reasons why it's really important for organizations and especially those in the midmarket to implement things like Zero Trust and also basically reining in their identities for their integrations, AI assistants, SaaS applications. There's so many identities out there.

You have to be able to make sure that you can monitor and actually cover the assets that matter to you and your organization.

Adam Dennison

Where are we at right now in terms of talent in hiring within the security ranks? There's always been pressure points around IT in general, in particular within security. And a lot of fear on the midmarket is if I'm training this person, I get them up to speed and then somebody else picks them off and they're paying them 2X, 3X of what I can afford. So now they're kind of back to square one. Are we still seeing that right now out in the market with security professionals that you interact with and customers that you have and folks that you consult with? Are you seeing a continued pressure and strain as far as the security talent pool and being able to hang on to those kind of precious employees for an appropriate amount of time?

Chris Boehm

Very much so. Like I would say it hasn't gotten better. It keeps getting worse because of the more solutions out there, more specializations. It's very appealing in the cybersecurity market. If you can be working and doing it, but then you can go sell it or go to some other solutions developing it. You could potentially make a lot more money by doing that. So there's a big churn on understanding the value because there's multiple value props there.

But the main thing that I've been seeing as a trend, which is not always exciting to hear, but it's unfortunate, especially for the mid market, is they're looking for external help more so than ever. They're leveraging more third-party solutions, more vendors, partners and organizations. That's just how the industry is at this moment in time, because they can't afford to have the 150 specialists for their 150 tools. They have that small specialized team that knows how their business works. And then they pay for this third-party group to hopefully have those 150 vendors that have those specialty experiences. So that's really where I see the shift right here. The only time I see that exception is really when you get to super large enterprises, unfortunately, and then they may have their own specialized person for each scenario, but anyone below that is usually you're looking for help elsewhere. I think the struggle is still here and it's not going away anytime soon.

Adam Dennison

Yeah, it's funny you just mentioned the potential jump over to a vendor and we're experiencing that right now. One of our MES advisory board members, I can't share who it is because it just came out this week, but he's on our advisory board. He's a great partner of ours and he's jumping over to a vendor right now to be one of their top sales engineers. So he's, I'm sure gonna be making more money than he was. Might have some more...a little different when he has a number on his head now as opposed to what he did. But yeah, we're definitely seeing some folks moving into the vendor roles and I think he's following the money.

Richard Bird

Well, we're definitely cutting. No, go please. I was going to say we're definitely cutting to the bone in the younger and inexperienced or less experienced talent pool. We're seeing this happening frequently with discussions that are happening around let's use AI tools to replace junior level SOC analysts. So when we look at what this whole dynamic of the current economic situation, as well as all the super eager, irrational exuberance around AI stuff, seasoned, experienced security professionals are in higher demand than they've ever been because they have the deep knowledge and background to take care of problems in their specific area of knowledge. But we're cutting out the generalist layer as well as the entry layer. And that's going to cause even more problems as we move into the future.

Because we're going to see, as we did, say, with mainframe technologies, we're going to see the aging out of an entire population of folks who have these deep experiences, who've sat through difficult circumstances, exploits and breaches and vulnerabilities. And then we're going to have an entire generation that didn't get those experiences because we made short-sighted decisions in the labor pool instead of amplifying people's capabilities with AI tools.

Adam Dennison

Would you say security overall is a good place to be right now for someone coming out of school and wanting to get started in an IT career?

Richard Bird

I would say that it is a good place to be, but at the entry point, it's probably more competitive than it has been in the last 30 years for anybody to take that step from a cyber program at a well-known university or even from schools that are specializing specifically in creating cybersecurity talent. It's a much harder proposition for them to break in than it used to be.

Cyrus Robinson

This is something that me and my team have thought about a lot. I think that, you know, Richard's right here that we are cutting to the bone and that we sort of as an industry made some prioritization decisions that are going to harm us in the long run if we don't kind of rethink how we train and recruit and retain our team members.

You know, it's one of the reasons why, you know, my company, C3, we have an internship program where we basically run year round, where essentially our goal is to help provide people with that initial hands-on experience to get them up from, you know, being someone that's looking to get their foot in the door to being able to function as a Tier 1 SOC analyst. I'm also an adjunct instructor at LSU Alexandria.

And one of the things that I'm doing to kind of address some of these changes on the horizon are, for example, instead of like preventing my students and my interns from using AI, basically I incorporate AI prompt engineering and require my students to use AI on every single assignment that they turn in. And they also have to turn in a link to their LLM conversation so, you know, they can't just copy it and paste it. But I know that a lot of schools are trying to find ways to prevent students from using AI and I think instead we should be figuring out ways to teach people how to use it as a tool to multiply their capabilities.

Richard Bird

Well, Cyrus, if I can, I mean, the point that you're making is such a good one about how we're going to address this by amplifying people's capabilities. But I think it's really important to mention in the context of what you just said, that the Chinese government position has been publicly stated that if you have the capability to touch a keyboard, it doesn't matter what industry you work in, we're training you on AI. And in the United States, we're saying, we're going to replace you and remove you with AI.

I don't know who's right, but I think if you're going to amplify capabilities, that sounds like a much better strategy than taking a balance sheet strategy and reducing hundreds or thousands of jobs and saying that they're being replaced by technology.

Cyrus Robinson

I agree, and I think it goes back to something Adam mentioned at the beginning of this portion here, where he was saying, what happens if you hire and you train these people and then they go somewhere else and they're making more money somewhere else. I think that companies basically have to make a decision on where they are going to invest their budget with training. Basically, for me and my company and my team, we decided that we think it's really important to be able to train and equip people at the front end of their career, get them trained up. If someone ends up leaving to go somewhere else to another team or another company where they're making more money or where it fits their personal priorities better, I don't see that as a loss. I see that as a win. It validates the training and the work that we put into equipping our teammates.

I sat through a Women's and Cybersecurity Conference, our local group, just a few months ago. And this was actually a great topic that was brought up, is women in industry gaining into the challenges with interviewing and getting into the scope of cybersecurity. One of the things that was brought up, and I don't want to derail the conversation, was how even the interview process is being scrutinized, because they assume you're using AI now.

I don't know if you guys are doing this yourselves, but you can have someone come in and start saying some really smart things and really intuitive things. And you're like, is this guy really as good as he says or as good as she says he is? Or are they just prompting it and prepping themselves? Actually, LinkedIn is now even prepping you. If you hit apply for a role, it says, here's some interview questions. Would you like to practice? Like that is something that people can kind of... it's kind of like being doctored on every interview questionnaire.

And I think that's another reason why there's a big shift is because previously you'd have to gain that experience, learn and then really know your shit to be clear and then be able to move up in your role. Well, now you have this tool that can kind of feed you an appropriate answer on an executive level to business level to you don't even have to have industry experience and you can kind of have answers. You may not understand them, but you'll have the answers. So it's just kind of the whole school scenario again, like, well, what is real, what is not real? And that is something that's truly a problem in this hiring industry as well. And so that's another factor I think is playing into the cybersecurity industry as well.

Adam Dennison

But it's pretty quick though when someone gets exposed, right? You know, I just went through an exercise and I won't get into it, you know, looking at some of our financials around, you know, some of our products and services and you know, we use Copilot and all these cool things to come up with the data. And I'm like, that's great, that's the data, but it's the commentary that matters most, right? What does this all mean? What does it mean to our business? What does it mean historically? I can have as many... There's many data sheets and data points, but if you can't explain that to your boss and other folks, you become exposed real quick. And I think that's something that, yeah, if someone's doing an interview and they sound fantastic and all of a sudden they get in the door and they don't have a clue what they're talking about, that's an embarrassing moment.

Any final comments or questions?

Samara Lynn

What I wanted to ask each of you gentlemen, if there are two priorities that CISOs should make in 2026, especially at the midmarket level where they're resource strapped, they're budget conscious, what would those two security priorities be in your opinions? And Cyrus, maybe we can start with you.

Cyrus Robinson

I think the first thing is reduce complexity before adding new tools. Basically make sure that what you have is configured correctly and works before you start deploying more tools. And then my second one is the conversation we just had. Treat workforce development as more than an HR initiative. It is a control. People are part of the attack surface but they're also part of our detection and containment and security controls as well.

Samara Lynn

Maybe Richard?

Richard Bird

Yeah, I ... probably the first that I share all the time, it doesn't matter the size of your company or organization, is just go to ChatGPT or, or Claude, enter a prompt and say, give me for the last 20 years, using Verizon DBIR, CrowdStrike Global Threat, IBM Cost of a Breach, the top 10 most common exploit techniques. And then take that list and go evaluate your environment and ask yourself, am I protecting myself from these 10 most common? We're spending a lot of time talking about theoretical hypothetical attacks, concerns as it relates to new technologies like AI. And in the meantime, 80 to 85% of all breaches are still credential theft and credential related. So if you're not doing the basics well, the foundational capabilities well, um, you're just going to continue to have a bad day every day. And again, that doesn't matter if you're a Fortune 50 or you're a mom and pop shop, right?

I think the second thing is, is there is a time now in history to evaluate, um, whether or not our, our personal company architectures and frameworks are actually conditioned to what we are adopting and what we want to do. If you want to use AI, you have to make some, you know, some very, very conscious decisions about what needs to be changed in your environment. AI is being declared as transformational and at no time in history has a transformational technology ever successfully been backfitted to old garbage processes, frameworks and legacy architectures. It doesn't work that way. Now, maybe it isn't transformational and then that's a different conversation altogether, but you can't take new tools and use old rules.

And I think that any CISO needs to be assessing what their company is asking them to do. And if it's all AI on IP block and we never allow it, that's a different conversation about what you're going to do to keep up. But you have to make a decision on whether or not you're going to change fundamental things in your organization to accommodate the business needs.

Chris Boehm

I'm going to echo Cyrus and Richard here. I agree on both things. Reduce complexity. And I'm just going to say that one. And then the two is the really the actually the main things that I would say focus on is look at how the Richard just say impacts what is being done, how it's being exploited. Look at the past. This is another fun one with AI. What are the biggest compromises in 2025? What are the biggest compromises in 2024? Most of them are company-wide, huge impact industry disruptions through some third party and almost all of them, I think it's 90%, is through identity. So treat identity as your security control plane. I highly encourage that. And then walk through the moment of saying, I know there's maybe not this checkbox that requires me to do this, but is lateral movement something that's possible? If I had your credentials today, how far could I go through your environment? If I can say I can touch anything and do anything with no friction whatsoever, so could attackers. So think about that.

That's what I'm trying to point out is put the mindset of if someone was on your machine and you look normal, what would happen? So that's what I would say for any CISO consider that for this 2026 agendas this year.

Samara Lynn

Those are all great points. Thank you, gentlemen.

Adam Dennison

Yeah, thank you so much. Appreciate everybody joining us today. We are at the end of our time, but Richard, Chris, Cyrus, thank you so much. Samara, I'll be seeing you in less than two weeks down in Jacksonville at our MES IT security event. So we're really, really happy to have that coming right up here in the next couple of weeks as well. Get Samara and I out of the blizzard stricken Northeast for a few days down in Jacksonville. So again, thank you so much.

Samara Lynn

Thank you.

Richard Bird

Thank you.

Chris Boehm

Thank you.

Cyrus Robinson

Thank you all.