
CISO Radar: Top 30 actions for 2030 to build your cybersecurity roadmap - Wavestone

Wavestone, archived Mar 21, 2026


Published November 27, 2025

Key takeaways

- Cybersecurity is undergoing major transformations, requiring the rollout of numerous initiatives by 2030
- The current regulatory tsunami is forcing organizations to evolve quickly
- Geopolitical tensions are redefining IT models and resilience
- Several levers are essential to building strong foundations: visibility, trust, and execution speed
- An operational cybersecurity roadmap is necessary to turn cybersecurity into a long-term strategic enabler

As many organizations are completing the implementation of their 2025 cybersecurity strategies, attention is already turning to the future. The next strategic cycle, looking ahead to 2030, requires a rethink of priorities and the development of a comprehensive cybersecurity roadmap. This reflection is even more crucial as the nature of risks, technologies, and regulatory constraints is evolving rapidly.

The 2030 cycle is not limited to extending actions already undertaken. It requires an integrated and forward-looking vision, considering all scopes, systems, processes, and stakeholders. From this perspective, we have chosen to look further ahead by identifying the TOP 30 actions for 2030, actions that will feed directly into a robust cybersecurity roadmap, as part of our usual reflection aimed at building the CISO radar.

We have worked collaboratively across Wavestone to build a clear trajectory, integrating trends, risks, and levers of action, so that cybersecurity becomes a genuine driver of acceleration and transformation rather than a simple defensive function. This trajectory will, of course, need to be specialized for each client’s specific domains but remains valid and insightful for building the 2030 strategy.

Four essential transition forces toward 2030

By 2030, evolution paths are multiple and depend on factors such as industry sector, geographic location, available resources, and threat developments. However, we believe it is useful to identify priorities that are common to many players.

Threat evolution beyond infrastructure

Cyber-attacks are diversifying and becoming more sophisticated. Attackers now target not only traditional infrastructure (workstations, Active Directory, etc.) but also third parties such as partners, suppliers, and subcontractors. According to the CERT-W Report 2025, more than half of incidents involve these external actors, highlighting the need to strengthen risk management and oversight of external relationships.

Cloud platforms, SaaS services, and instant messaging tools have become major targets because they concentrate sensitive data and critical flows, as demonstrated by attacks on Salesforce in summer 2025. Some attacks rely on direct infiltration by fake employees, illustrated by North Korea’s strategy of embedding IT experts into Western companies, or through social engineering techniques. Attacks are also becoming increasingly targeted and adaptive, adjusting their modus operandi to detected vulnerabilities, often leveraging automation and artificial intelligence.

Managing a regulatory tsunami

Geopolitical transformations and activity decoupling

Digital transformation boosted by AI

CISO Radar 2026

For over 10 years, Wavestone has maintained a CISO Radar cataloging all the topics cybersecurity professionals face. The CISO Radar and its “Top 30 for 2030” presents a selection of key topics for cybersecurity and operational resilience professionals.
It is organized into key themes divided into three maturity levels:

- Mature: must be mastered by every CISO
- Current: being operationalized, first lessons learned can be shared
- Emerging: little-known, evolving, or lacking clear solutions; identifying them helps anticipate future developments

The thematic identification, positioning, and analysis result from joint work by Wavestone’s cybersecurity practice teams across geographies.

[Figure: CISO Radar 2026]

Resilience in cybersecurity: accelerating real-time cyber defense

The four identified forces require organizations to rethink their cybersecurity posture. Cybersecurity must accelerate to remain effective in increasingly dynamic and complex environments. Three structuring axes emerge for the CISO:

- Visibility: obtaining a complete understanding of systems, flows, and risks, including areas where coverage is insufficient
- Trust: ensuring the security and reliability of information, identities, and critical processes
- Execution Speed: bringing cybersecurity closer to real-time, which requires improving the quality of cyber data, as automated process effectiveness depends directly on it

These three axes are interdependent and form the basis for accelerating cybersecurity in a 2030 environment marked by continuous threats, constraints, and transformations.

Increase visibility: artificial intelligence, behavior and product systems

Visibility becomes a strategic lever, both regarding artificial intelligence, behavior, and industrial and product systems.

Business AI: critical systems to secure

We are convinced that AI, beyond mere proof-of-concepts, will become a central lever of digital transformation. Its generalization profoundly changes risks, scopes, and control requirements, even more so with the arrival of AI agents. These developments require organizations to continue and strengthen efforts in common governance, training, methodological frameworks, and ML/AI guardrails.

Manage the lifecycle of agents

The first priority concerns the management of the agents themselves. Some will be linked to a user, others to a function or business service; in reality, it will likely be a combination of both. In this context, digital identity, access, and interactions must be controlled, limiting data visibility to what is strictly necessary. The fast pace of technological evolution in this field makes this task complex: protocols, frameworks, and tools change faster than standards are established, requiring continuous vigilance from CISOs.

Qualify AI as trusted

Strengthen AI transparency

360° Visibility of behavior: preventing insider threats

The insider threat now extends far beyond careless employees: attackers increasingly exploit legitimate accounts to carry out malicious actions. Insider threats now encompass all digital populations, including partners, service providers, and AI agents. Visibility over behaviors, human and machine, will therefore become a cornerstone of cybersecurity by 2030. To respond effectively, monitoring must:

- Be structured around transversal governance
- Deploy advanced behavioral analysis tools (UEBA)
- Adopt a “trust & care” approach that protects employees while maintaining their confidence.

Structure monitoring around transversal governance

Organizations will need to rethink governance with a truly cross-functional approach. Risky behavior detection will no longer be solely a cybersecurity responsibility: it will involve HR, procurement, fraud prevention, and internal control. Together, these functions must design coherent mechanisms to monitor, understand, and contextualize weak signals legally and transparently. This approach must also include AI agents, which are now operational actors. Insider threat scenarios must integrate these new digital entities.

Deploy advanced behavioral analysis tools (UEBA)

Adopt a transparent and constructive “Trust & Care” approach

IT, OT and digital products: toward unified convergence

The final area requiring visibility enhancement is industrial environments and digital products. Today, governance is partially converged, and protection mechanisms are deployed, but the next step is to build a secure, coherent model across all these domains.

By 2030, the distinction between IT, OT, and product worlds is expected to fade. Architectures, protocols, and technologies are converging, creating an interconnected system continuum where historical boundaries lose operational meaning. This evolution requires rethinking security models to ensure a unified, coherent, and effective approach.

Create a unified security model

Partial governance and protection convergence has begun in some organizations, but integration remains incomplete. It is no longer simply applying common policies but building a real security continuity based on the same principles, architectures, and technologies.

Industrial environments increasingly adopt IT solutions: virtualized PLCs, IP-based field network protocols, real-time connections to cloud, AI, or SaaS interfaces. These changes create new attack surfaces requiring a holistic cybersecurity approach.

Extending identity and access management to OT will be a key pillar of this convergence. Today, IAM solutions poorly cover industrial environments, leaving operators, PLCs, and machines on the periphery. By 2030, OT-IAM will be essential, integrated into the overall security model and adapted to industrial technology constraints. Some organizations have begun exploring this path, recognizing it as a prerequisite for long-term visibility and resilience.

Prepare for the certification wave

Evolve the SOC

Strengthening trust

Beyond increasing visibility, actions are needed to reinforce trust.
Trust in certain security mechanisms erodes due to technological changes and the geopolitical context.

Cryptography: renew encryption to ensure trust

Cryptography is now at risk from quantum computers with sufficient power to break key current algorithms. It is no longer about predicting availability but complying with regulations: the US, EU, and others set 2030 as the deadline for upgrades. This requires major transformation of encryption systems, as traditional protocols are widespread. Teams must anticipate and plan migration to post-quantum algorithms, in a crypto-agility approach enabling continuous updates without restarting from scratch.

Define dedicated governance

Implementing this transition requires clear, structured governance. Responsibilities must be defined, and long-term programs managed. Scenarios may involve cybersecurity teams, IT operations, or system obsolescence teams. A full mapping of encryption usage is crucial to prioritize sensitive systems and data.

Build a migration roadmap

Adopt a crypto-agility framework

Resilience: operating in a fragmented digital world

By 2030, organizations will need to operate in a fragmented environment, where geopolitical disruptions, technology bans, or local sovereignty constraints may arise at any moment. Resilience is therefore a fundamental pillar for maintaining trust in a rapidly changing digital context.

Reassess digital risks and dependencies

The first step is to map digital assets accurately and update their risk profile, not only according to technical or IT criteria but based on strategic activities and revenue-generating regions. This mapping allows identification of dependencies, prioritization of actions, and protection of critical functions during crises, considering regional and sectoral specificities.
Crisis scenarios must be revised to include new triggers such as a country decoupling, technology blockages, or Internet fragmentation, ensuring continuity plans are realistic and applicable under all circumstances.

Decouple IT and empower critical systems

Revise crisis scenarios and test in real conditions

Identity: the foundation of digital trust

Identity has become the new security perimeter: constantly targeted by attackers, essential for incident detection, and scrutinized by compliance. By 2030, identity will form the foundation of all digital interactions: employees, partners, contractors, and AI agents. The proliferation of identities and constant exposure to cyberattacks make it a critical security vector. Currently, the IAM landscape is fragmented across multiple platforms and responsibilities, insufficient for this transformation.

Unify governance

Today’s identity management landscape (IAM) consists of multiple often isolated platforms and solutions. Fragmentation cannot withstand accelerated digital adoption and complex threats. The solution is to unify governance across all identities, internal and external, except potentially Customer IAM, which involves hundreds of thousands of clients and constitutes a distinct scope.

Introduce the Chief Identity Officer role

Create an Identity Control Tower to enable Zero Trust

Increasing speed

Today, attacks and defenses are amplified by AI, which acts as a catalyst, accelerating processes at unprecedented speed. AI use cases for both attack and defense are multiplying. Two emblematic projects illustrate this acceleration:

- CVE Genie (University of California): Created an AI capable of generating exploit codes for published vulnerabilities, producing automatically usable attack codes for just a few dollars per flaw.
- AIxCC (DARPA, US Department of Defense): A contest where teams developed AI that analyzes source code, finds vulnerabilities, corrects them, and ensures code passes production tests, achieving a $450 average cost and 45-minute timeframe per fix.

This acceleration profoundly changes how cybersecurity must operate. To guarantee resilience and trust by 2030, organizations must convert cybersecurity threat and security equipment data into immediately actionable, automated responses. This requires rethinking the cybersecurity engine itself to operate at this new speed, continuously processing massive volumes of cyber data from IT systems, security tools, and business processes.

Implement a Cyber Data Lake and Cyber AI Agents

To achieve this speed, two key steps are required. First, enhance and automate the decision engine via an Agentic AI platform. This accelerates decision-making in security processes and automates critical actions. High-quality, real-time data is essential, as cybersecurity data today is often too slow and dispersed.

The solution is a Cyber Data Lake, centralizing and correlating information from all relevant sources: security tools, IT systems, GRC processes, business data, and industry news. This infrastructure feeds the Agentic AI engine continuously, enabling real-time cybersecurity and automated responses once a risk is identified. The combination transforms the cybersecurity system into a smooth, autonomous engine capable of analyzing and reacting to massive data flows.

Enable innovation: real-time assurance, response, digital twins

Unlock use cases: classification, TPRM, AppSec

Create a Cyber Data & AI Office to drive acceleration

Create a Cyber Value Realization Office

Real-time cybersecurity transformation goes beyond technology and processes; it requires organizational redesign and demonstrating tangible value. By 2030, significant investments and organizational changes will be made.
Without clear demonstration of impact and value, executive and business support may be difficult to maintain. A Cyber Value Realization Office (VRO), reporting directly to the CISO, is needed to measure and highlight cybersecurity’s contribution, optimize tool portfolios, streamline processes, and show how cybersecurity accelerates sales, supports business operations, or enables new client services. Reporting and communication are critical for securing organizational support and ensuring funds for strategic programs.

Cybersecurity Roadmap 2026–2030 & Conclusion

Top 30 actions for your Cybersecurity Roadmap

The proposed roadmap, which of course should be adapted to each context, spans from 2026 to 2030. We suggest organizing all the initiatives mentioned progressively, by major pillar.

For the “real-time” pillar, a core element of the 2030 strategy, three main maturity phases will be required. Between 2026 and 2027, the goal is to lay the foundations around data and team structuring, with the appointment of a Chief Cyber Data Officer to oversee these efforts. From 2028 to 2029, the data lake becomes fully operational, and AI agents are gradually integrated into the platform to automate processes and enhance operational efficiency. Finally, by 2030, the organization aims to implement real-time cybersecurity, with the ability to ensure security and compliance instantly, and potentially deploy automated incident response, depending on the maturity reached by the various processes and technologies.

The future relies on a proactive approach, based on data, resilience, and mastery of emerging technologies. Decisions taken today will shape your ability to execute this cybersecurity roadmap to 2030, turning cybersecurity into a driver of performance and innovation.

Thank you to Léa Merveilleau and Antoine Hascoët for their valuable contribution to this publication.