What will be the biggest challenges ISACA professionals need to navigate in 2026? A recent series on the ISACA Now blog lays out many of the questions that will loom largest for the ISACA community in the new year and provides analysis of how practitioners can successfully address them.
On the security front, blog author Chirag Joshi writes that conveying cybersecurity risk in business terms, rather than technical language, will be a central challenge.
“Dashboards, maturity scores and technical metrics can demonstrate effort, but they rarely help executives understand what actually matters,” Joshi writes. “As economic pressure, regulatory scrutiny and incident costs continue to rise, this gap is becoming harder to sustain. Leaders need to make trade-offs, and they expect security teams to support those decisions with clarity.
“Risk appetite statements are often written at a level of abstraction that makes them difficult to apply to real decisions. When everything is described as ‘low tolerance’ or ‘not acceptable,’ teams are left without meaningful guidance on prioritization or trade-offs.”
This is leading toward more scenario-based risk assessment and financial expression of risk, with precision less important than defensibility, according to Joshi.
Executives increasingly expect insights rather than just information, writes Mary Carmichael, who explored how the risk profession must evolve in the increasingly digital environment.
“Risk and assurance teams now need to connect data to context, anticipate how risks interact and explain how choices affect outcomes. Communication, systems thinking and ethical judgement become central skills,” Carmichael writes. “The role is moving from describing risk to helping leaders make better decisions when information is incomplete.”
Dealing with artificial intelligence-related challenges is a common thread that connects each of the digital trust disciplines. In an audit and assurance context, blog author Maman Ibrahim writes that the ability to provide independent assurance over AI and automation risks requires a multifaceted approach.
“Independent assurance means more than a paragraph in an IT review,” Ibrahim writes. “It means you have walked a few end-to-end AI journeys, checked data and approvals, tested how outputs are monitored, and asked, ‘If this misbehaves tomorrow, whose risk is that?’”
ISACA Hall of Fame inductee and longtime governance authority Mark Thomas surfaced several pressing governance questions in his blog post, including how governance approaches can keep pace with growing compliance complexity.
“Traditional, siloed compliance models will increasingly prove ineffective,” Thomas writes. “Governance professionals will need to promote integrated, risk-based governance approaches that align policies, controls and reporting across regulatory domains. COBIT’s focus on end-to-end governance, combined with enterprise risk management practices, provides a structure for prioritizing material risk rather than treating all requirements equally.”
Explore each of the posts in the blog series, which was published between 5 and 8 January, at www.isaca.org/blog.