The data-first approach: My 2026 cybersecurity predictions

Opinions

The conversation around cybersecurity's changed. For years, the industry debated whether an attack would happen. Today, we know it's not a question of if, but when. This shift requires a new mindset for Chief Information Security Officers (CISOs): one that's focused on cyber resiliency and protecting what matters most: your data. As we head into 2026, here’s how I see organizations adapting to this rapidly evolving threat landscape.

Larry Jarvis
Larry Jarvis
Chief Information Security Officer
December 16, 2025
Digital security

Adversarial AI is the top CISO risk

The single greatest concern for CISOs right now is Artificial Intelligence (AI), viewed from two angles: as a powerful defense tool in our arsenal, and as an adversarial force used to build more sophisticated attacks.

The volume and sophistication of social engineering attacks, such as phishing, vishing, and smishing, has dramatically increased, driven by AI. We're seeing a global phenomenon with over a 100% rise in phishing attacks this year alone. While deep fake technology for voice and video impersonation is still early, the more concerning threats are emerging in the form of autonomous, evolving malware.

  • Agentic AI: This refers to malware that contains built-in instructions to execute an attack autonomously, eliminating the need for continuous instructions from a command center. Traditional protection relies on detecting the malware calling back to its control center, a weakness this new model exploits.
  • Polymorphic Malware: Typically built using the agentic model, this malware can change itself during an attack, altering security keys, scanning devices, and evading detection by our tools.

To combat this, we must leverage AI on the defensive side, a capability Iron Mountain’s been building for years. AI's speed is essential to connect the dots in real time, going far beyond what human analysts can accomplish alone.

Shifting focus to a Data Operation Center (DOC)

The adversarial world has made it clear: they don't care about your network or your servers; to them, that's just a barrier to get to the real prize, the data.

This realization is driving a fundamental shift in the industry: moving from a traditional Network Operation Center (NOC) model, which monitors infrastructure, to a Data Operation Center (DOC) model. A DOC is focused on tracking, indexing, and protecting data based on its attributes, applying intelligence and risk ratings to different data sets.

For a company like Iron Mountain, managing a massive footprint of both physical and rapidly growing digital data globally, this means treating sensitive data like medical data (PHI) or personally identifiable information (PII) with a higher level of protection than less sensitive content.

Cyber resiliency is the new disaster recovery

In the face of a major attack, we can't assume that disaster recovery (DR) alone is enough. Both your production and DR environments are likely targets that adversaries will seek to compromise.

Cyber resiliency is now critical. It means having an off-site copy of your data to ensure quick restoration of service. This is the critical step that allows an organization to recover from a catastrophic wiper or other destructive cyber attack.

Key advice for fellow CISOs and CSOs

As you establish your strategic priorities for 2026, focus on these fundamental areas:

  • Continuous Employee Training: With AI fueling the uptick in phishing, we must commit to continuous testing and training to raise the bar on employee knowledge and ensure your staff is a strong line of defense.
  • Embrace the NIST Framework: A methodical, risk-based programmatic approach to security is non-negotiable. Leverage proven structures like the NIST cybersecurity framework (National Institute of Standards and Technology), which provides a foundation for assessing maturity levels and continually raising the bar.
  • Bolster Machine-to-Machine Security: An increasing percentage of data sharing and access is conducted via non-human computer-to-computer application programmatic interfaces (APIs). Adversaries are targeting this space to imitate systems and steal data. To counter this, organizations need to replace legacy usernames and passwords with token-based fast rotation of information. Furthermore, move beyond traditional multi-factor authentication, like PINs via text, and insist on using a mobile authenticator.

The target on large enterprises is only getting bigger. Our responsibility is to be disciplined and use our capabilities, including AI, to keep our defenses ahead of the curve, always prioritizing the security of our customers’ most valuable assets.

Related news

Media center

The latest news and updates from Iron Mountain

Meet our Mountaineers

Learn more about our people and how we serve our customers

See articles
 

Other news and stories

View More Opinions
Mary Bucciarelli
Opinions

Changing careers was the right choice for me and my MS

Iron Mountain is about protecting trust, which created an environment where I could realign my work with my “why.”
November 28, 2025
People conference government
Opinions

Preparing Government for AI Adoption Responsibly and Effectively

Julia Bonder-Le Berre, Head of Global Privacy, recently participated in a panel discussion at DigiGov Expo, the UK’s leading public sector tech event. With her fellow panelists, she explored the principles of the UK’s Trusted Third-Party AI Assurance Roadmap, and how governments can turn those principles into practice.
October 20, 2025
Woman interacting with digital scene
Opinions

Unlocking our AI future: how we can address the power challenge together

Bill Meaney, President and CEO of Iron Mountain, believes a strong partnership between government and the private sector will propel the United States to develop the digital infrastructure it needs to compete effectively in the AI race.
September 24, 2025
View More Opinions