The Three Most Important Words In Cybersecurity And AI, 2026

Three words have changed cybersecurity for 2026:

Secure

Thwart

Defend

These are the new terms proposed by the NIST CSF for AI (first reported by Brendan). While still in a 45-day public comment period (i.e. in draft form through about 31 January 2026), this framework or something close to it reflect the cybersecurity community's collective belief about what it takes to be successful.

In summary (quoting at length):

The Cyber AI Profile centers on three focus areas:

Securing AI systems: identifying cybersecurity challenges when integrating AI into organizational ecosystems and infrastructure

Conducting AI-enabled cyber defense: identifying opportunities to use AI to enhance cybersecurity, and understanding challenges when leveraging AI to support defensive operations

Thwarting AI-enabled cyberattacks: building resilience to protect against new AI-enabled threats

“The three focus areas reflect the fact that AI is entering organizations’ awareness in different ways,” Cuthill said. “But ultimately every organization will have to deal with all three.”

Let's explore briefly these areas and their implications.

Securing AI systems:

Fundamental to cybersecurity is securing systems such that authorized systems access is maximized and unauthorized systems access is eliminated to the greatest extent possible. A secure system manages the risk of systems access.

Thwarting AI-enabled attacks:

As cybersecurity continues to incorporate artificial intelligence (AI) and as adversaries seek advantage in attacking/accessing systems, cybersecurity personnel will need to adapt a "red-team" mindset. In its incipient form this is easy: ask yourself, if you were to attack this system, what would you do? Then try to attack it. A "blue-team" mindset is traditionally focused on better defense -- if you like castles think of this as wider moats, thicker walls, higher towers. Some systems are moving to a "purple-team" mindset as a way to blend these two though re-teamers tend to stick with red.

Conducting AI-enabled cyber defense:

Ultimately your organization doesn't know or care whether you're securing or thwarting, they care that their system is accessible, information risk is minimized, and information technology processes can be scaled securely. This is not about coding, it's about communication. What do your managers know about the security of their systems, what do they want to know, and how do you keep them informed?

We'll explore these topics over time.

Ask us how you can recalibrate your cybersecurity prowess for 2026 and beyond.