Last year will be a year CISOs remember. So much happened that it seems impossible to pick the three most impactful events. Of course, in cybersecurity, most years feel that way. There was the espionage campaign targeting VMware vSphere systems, and the Lazarus APT group's theft of $1.5 billion from the Dubai-based cryptocurrency exchange Bybit, reportedly the largest such theft on record. There was also the Salesforce/Salesloft-Drift OAuth breach.
The three we chose are Salt Typhoon's ongoing breach of telecommunications systems, the SolarWinds legal resolution and its fallout, and the acceleration of software supply chain vulnerabilities. All three will reverberate.
First, there's the SEC and SolarWinds. The Nov. 20 announcement by the US Securities and Exchange Commission (SEC) that it would drop its lawsuit against SolarWinds and its CISO, Tim Brown, brought relief to CISO offices across the nation.
But it wasn't all good news.
The SolarWinds litigation established legal precedent that CISOs can face personal liability for securities fraud when public statements about cybersecurity materially contradict their internal knowledge. While the SEC's dismissal and its (current) shift to less aggressive enforcement priorities lifted the immediate legal threat, the liability risk remains.
Last year also saw software supply chain attacks nearly double (on top of the prior year's numbers, which had also doubled), while upstream vulnerability remediation by open-source publishers stretched to 500 days.
The Year US Telecom Became Known as Untrustworthy
Throughout 2025, defenders based in the US watched as Salt Typhoon (believed to be a Chinese Ministry of State Security-linked advanced persistent threat group) emerged from a suspected long-running espionage effort into a publicly acknowledged cybersecurity and national security crisis, prompting urgent hardening guidance from CISA/FBI and fueling debates over telecom cybersecurity regulations. The revelations underscore the challenges associated with defending against patient, well-resourced adversaries in complex, interconnected infrastructure. The effects will likely linger for years as exploitation risks remain ongoing.
While China has denied involvement, US and allied agencies strongly believe they have the correct attribution. Salt Typhoon has executed one of the most consequential cyber campaigns ever, methodically compromising telecommunications networks across more than 80 countries and gaining direct access to some of the most sensitive lawful intercept systems. The attacks appear to have begun in 2019, with evidence of exploitation prompting the FBI, NSA, and CISA to issue a rare joint Cybersecurity Advisory alongside intelligence partners from a dozen allied nations—a clear signal of the sheer scope of the situation.
The operational significance is high. Salt Typhoon gained access to lawful intercept systems, which are fundamentally systems with entry points mandated by the Communications Assistance for Law Enforcement Act (CALEA) for lawful law enforcement monitoring. In effect, CALEA requires US telecommunications equipment to be engineered with built-in access points that amount to design vulnerabilities. These mandates create privileged interfaces that bypass standard user privacy controls, and those interfaces are powerful enough to operate in real time across massive networks.
Any such mechanism, once discovered or exploited, can be abused by unauthorized parties, including foreign intelligence agencies.
CALEA systems provided Chinese intelligence the ability to monitor millions of Americans' real-time locations, record phone calls at will, and intercept text messages—essentially bypassing decades of legal frameworks designed to protect privacy while enabling authorized law enforcement surveillance.
What makes this particularly troubling for enterprise security leaders isn't just the espionage windfall, but the methodology behind it. Salt Typhoon relied on publicly disclosed vulnerabilities dating back years, legacy systems that organizations had failed to patch, and standard administrative tools together with commodity tooling such as Cobalt Strike, all of which any reasonably mature security team should have been able to detect.
By December 2025, as telecommunications companies admitted they couldn't prove they'd removed the intruders from their networks, it underscored why patching vulnerabilities after a sophisticated adversary has established persistence isn't incident response—it's theater.
Salt Typhoon exposed a systemic vulnerability that no amount of forensics, after-the-fact hardening, or remediation is likely to solve fully, because modern critical infrastructure was never designed to withstand patient, well-resourced nation-states willing to wait years for an opening. The industry's approach to breach response assumed defenders would eventually win. Salt Typhoon shows once more that defenders still have some way to go.
Further, Salt Typhoon shattered the assumption of secure telecommunications systems. Foreign adversaries gained persistent, real-time access to US calls and location data, and these APTs may prove impossible to evict. The campaign also shows how government-mandated "backdoors" created for law enforcement monitoring are also distinct vulnerabilities that nation-states can and will weaponize at scale.
Consequently, security leaders must now operate under the presumption that cellular networks are compromised channels.
2026: Firewalls Won't Save The CISO; A Good Lawyer May
If 2024 was the year of the CISO's dread, 2025 was the year the fever broke—yet a bad headache persists. The dismissal of the SEC's case against SolarWinds CISO Tim Brown in November 2025 was a legal win, for sure. It was also a judicial rebuke of the idea that a victim of a cyberattack is automatically a co-conspirator of that attack.
However, the regulatory risk landscape for CISOs in 2026 has changed, not vanished. While the threat of prison has faded for now, the 4-day disclosure rule remains the law of the land, creating a dangerous friction between compliance and reality.
For the CISO entering 2026, the impact is murky. A CISO can now be held liable for making misleading public statements about an enterprise's cyber readiness. This legal framework—established by federal securities law, SEC rules (effective December 2023), and a federal court ruling in July 2024—remains in place regardless of the SEC's dismissal of the SolarWinds case in November 2025. The SEC's voluntary dismissal reflects a shift in enforcement priorities under new leadership, not a change in the underlying legal liability framework.
Private shareholder lawsuits also remain available as an enforcement mechanism.
In 2026, a CISO's most critical defense isn't a firewall; it remains a good lawyer.
The Supply Chain Reckoning: Why 2025's Attack Surge Signals a Structural Crisis for CISOs
2025 was a pivotal year in application security as supply chain attacks shifted from isolated, high-profile events (hello, SolarWinds) to a chronic, industrialized crisis, with attack volumes doubling and malicious open-source packages also nearly doubling year over year. This surge overwhelmed traditional remediation processes, and in 2024, upstream remediation efforts by open-source developers took over 500 days to address some critical vulnerabilities, proving that existing Third-Party Risk Management models are fundamentally inadequate. Consequently, the "supply chain breach" became one of the primary, most expensive, and least defensible vectors for corporate compromise, forcing CISOs to confront a threat enterprises can no longer simply audit away.
What began as a predictable spike in attacks has morphed into a structural crisis that fundamentally redefines the threat landscape facing security professionals in 2026 and beyond.
The numbers aren't good. Attack volume doubled year over year starting in April 2025, and 70% of organizations experienced a supply chain security incident in 2025, nearly double the number Gartner predicted four years ago.
What makes this moment different is not the novelty of supply chain attacks but their industrialization. We could see it coming: Sonatype reported a 156% surge in malicious packages in open-source repositories in 2024, bringing the cumulative total to 704,102 hostile components. Then 2025 accelerated: Q2 2025 saw a 188% year-over-year increase, and by Q3 2025 Sonatype had identified 877,522 packages in total.
The remediation machinery that once contained vulnerability risks has simply stopped working. Critical flaws now take over 500 days for open source publishers to remediate upstream, a window of well over a year during which the global supply chain remains exposed. This is not a temporary backlog; it is the new normal.
This adds to the potential 2026 liability. As SEC enforcement and board scrutiny intensify, CISOs will face mounting pressure to monitor suppliers they have no contractual authority over, using visibility tools they were never budgeted for, while lacking the organizational authority to force remediation timelines. When a breach flows through a vendor's compromised software, regulators will ask: Why wasn't it caught?
The reality: many enterprise security teams cannot catch it, not because they are negligent, but because the supply chain has become mathematically unmonitorable. The attack surface has outpaced human and technological capacity to defend it. In 2026, the question facing security leaders is no longer whether supply chain breaches will occur—they will.
And they'll be looking for a name to put on the liability.