Jay Thurston | Field Chief Information Security Officer (CISO) at Thales
As we stand at the dawn of 2026, CISOs are looking for fast, high-impact wins before budgets and priorities reset for the new financial year. If you’re worried about the time crunch, don’t be: this is actually one of the most strategic windows for tightening controls and closing gaps before the new year is in full swing.
In that spirit, here are five actionable steps CISOs should take to shore up their security posture, prove their contributions to business value, and set themselves up for success in 2026.
Run an automated data discovery scan to map where sensitive data actually resides, including cloud buckets, file shares, and collaboration tools like Microsoft 365 or Slack.
This puts you where you need to be for a strong start to the new year. It’s important to scan both structured and unstructured data stores in different formats and global languages to leave no stone unturned. Then, you have a solid roadmap for remediation and protection to guide you through 2026.
Once sensitive data is discovered, you can use tools to classify it automatically by its sensitivity, value, and regulatory requirements, or earmark that work for the start of next year. According to the Thales Data Threat Report, most enterprises (70%) are able to classify less than half of their data assets.
Quick win: Reveal “shadow data” that was created by AI tools or shared externally, and flag unencrypted or misclassified files for remediation in Q1.
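As an added illustration of what a discover-and-classify pass does (example code, not from the post or any Thales product), the Python below scans a constructed inventory of bucket, share and chat-export contents for card numbers and e-mail addresses, validates card candidates with a Luhn check so random digit runs are not flagged, and labels each file with an assumed classification level and driving regulation:

```python
import re

# Constructed sample inventory standing in for cloud buckets, file shares and chat
# exports; contents are made up (a test PAN, an invalid digit run, a German note).
FILES = {
    "s3://finance-exports/cards.csv": "name,pan\nAda,4111 1111 1111 1111\nBob,1234567812345678\n",
    "smb://hr-share/kontakte.txt": "Kontakt: maria@example.com, Tel +49 30 123456",
    "slack://export/general.json": '{"text": "lunch at noon?"}',
}
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "pan": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
# Assumed mapping from finding type to classification level and driving regulation.
CLASSIFY = {"email": ("confidential", "GDPR"), "pan": ("restricted", "PCI DSS")}
LEVELS = ["restricted", "confidential"]  # most sensitive first

def luhn_ok(digits):
    """Luhn check so digit runs that merely look like card numbers are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan(files):
    """Return {path: {finding_type: count}} for files holding sensitive data."""
    findings = {}
    for path, content in files.items():
        hits = {}
        for kind, rx in PATTERNS.items():
            matches = rx.findall(content)
            if kind == "pan":  # validate candidates before counting them
                matches = [m for m in matches if luhn_ok(re.sub(r"\D", "", m))]
            if matches:
                hits[kind] = len(matches)
        if hits:
            findings[path] = hits
    return findings

def classify(findings):
    """Label each file with its most sensitive finding and the regulations involved."""
    out = {}
    for path, hits in findings.items():
        labels = [CLASSIFY[k] for k in hits]
        level = min(labels, key=lambda l: LEVELS.index(l[0]))[0]
        out[path] = (level, sorted({l[1] for l in labels}))
    return out
```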
Fine-tune bot and API detection rules before the holiday surge in automated traffic.
The Imperva 2025 Bad Bot Report reveals that bots now make up more than half of total internet traffic, thanks largely to AI. Attacks targeting APIs accounted for 44% of advanced bot traffic, and AI is fueling the surge by lowering the bar for entry with advanced tools like ByteSpider Bot, Claude Bot, Perplexity AI, and more.
Every year, bot attacks and vulnerable APIs cost companies billions (up to $186 billion), and bot-related incidents keep rising, increasing by 28% in 2023 and 88% in 2022.
Quick win: Use recent logs to identify suspicious patterns (e.g., repetitive login attempts or scraping spikes) and update thresholds or signatures without major re-architecture.
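An added example, not code from the post or from any Imperva product, of the kind of threshold rule a team tunes from its recent logs: it parses constructed Combined Log Format lines and flags a client that exceeds an assumed number of HTTP 401s on the login endpoint, or of requests under /api/, within a sliding 60-second window (paths, thresholds and addresses are all assumptions):

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_MAX = 5   # HTTP 401s on the login endpoint per client per window (assumed)
API_RATE_MAX = 30      # requests under /api/ per client per window (assumed)
WINDOW = timedelta(seconds=60)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                     r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
def parse(line):
    m = LINE_RE.match(line)             # Combined Log Format; None for malformed input
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev
def _push(dq, ts):
    dq.append(ts)                       # add event, expire entries older than WINDOW
    while ts - dq[0] > WINDOW:
        dq.popleft()
    return len(dq)
def detect(lines):
    """Return {ip: set(rule)} for clients over a threshold in a sliding window."""
    windows = defaultdict(lambda: {"login_fail": deque(), "api": deque()})
    hits = defaultdict(set)
    for line in lines:                  # lines assumed time-ordered per client
        ev = parse(line)
        if ev is None:
            continue
        w = windows[ev["ip"]]
        if ev["path"].startswith("/api/login") and ev["status"] == 401:
            if _push(w["login_fail"], ev["ts"]) > FAILED_LOGIN_MAX:
                hits[ev["ip"]].add("login_failure_burst")
        if ev["path"].startswith("/api/"):
            if _push(w["api"], ev["ts"]) > API_RATE_MAX:
                hits[ev["ip"]].add("api_scraping_rate")
    return dict(hits)
def sample_lines():
    """Constructed traffic, not real logs: a 401 burst, a scrape, a normal visitor."""
    t0 = datetime.strptime("20/Dec/2025:10:00:00 +0000", TS_FMT)
    def line(ip, sec, method, path, status, ua):
        ts = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 52 "-" "{ua}"'
    out = [line("203.0.113.7", i, "POST", "/api/login", 401, "python-requests/2.32") for i in range(8)]
    out += [line("198.51.100.9", i, "GET", f"/api/products/{i}", 200, "Mozilla/5.0") for i in range(40)]
    out += [line("192.0.2.5", i * 30, "GET", "/index.html", 200, "Mozilla/5.0") for i in range(3)]
    return out
```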
Enforce encryption-by-default for all newly created cloud resources and rotate stale keys older than 12 months.
In two years, more than half (51%) of all data processing and IT requirements will be in the cloud, according to our Thales 2025 Cloud Security Study. Making encryption a default control across cloud resources is one of the most effective ways to slide in a future-proof policy before the year ends.
Cloud Data Encryption solutions are key to making this a regular habit, allowing you to deploy encryption across cloud resources uniformly, from a centralized location, and at scale.
And while you’re rotating out stale keys, consider making the process automatic to save yourself time and eliminate the chance of forgetting next year, the year after, and the year after that. Tools like Thales CipherTrust Cloud Key Management (CCKM) can help with that.
Quick win: Key rotation and encryption-by-default instantly reduce data exposure risks and demonstrate measurable progress toward stronger crypto hygiene.
Turn on file activity monitoring rules to flag and freeze unusual data movements like mass downloads, renames, or transfers to personal cloud drives.
You want real-time control over your unstructured data, wherever it goes, to prevent unauthorized use and intentional misuse. According to IDC, unstructured data accounts for 90% of all data worldwide.
File Activity Monitoring (FAM) lets you monitor unstructured data at scale, while Thales CipherTrust Data Security Platform tightens the reins on structured data. Built-in GenAI tools across these resources allow teams to track every file across complex environments and stop foul play where there were once only visibility gaps.
Attackers are looking to infiltrate business systems and maintain persistence well into the New Year. Activating file activity monitoring rules as soon as possible lessens their chances to do so.
Quick win: This stops risky insider or compromised-account behavior in real time by disrupting data exfiltration before it spreads. Even one suspicious user action can trigger an automated containment response that saves weeks of cleanup later.
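The flag-and-freeze rules described above, as an added example that is not the post's or CipherTrust's code: a small streaming engine over constructed file events that freezes a user on a mass-download burst, a mass-rename burst or a transfer to an assumed list of personal cloud domains, and blocks that user's later events (thresholds, domains and event shape are assumptions):

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MASS_DOWNLOAD_MAX = 20        # downloads per user per window (assumed threshold)
MASS_RENAME_MAX = 50          # renames per user per window, ransomware-style pattern (assumed)
WINDOW = timedelta(minutes=5)
PERSONAL_CLOUD = {"drive.google.com", "dropbox.com", "onedrive.live.com"}  # assumed list

class FileActivityMonitor:
    """Streaming rules over events {'ts','user','op','path'[,'dest']}; a match freezes the user."""
    def __init__(self):
        self.windows = defaultdict(lambda: defaultdict(deque))
        self.frozen = set()
        self.alerts = []
    def _count(self, user, op, ts):
        dq = self.windows[user][op]
        dq.append(ts)
        while ts - dq[0] > WINDOW:      # expire events outside the window
            dq.popleft()
        return len(dq)
    def handle(self, ev):
        """Return 'allow', 'freeze' (a rule fired on this event) or 'blocked'."""
        user, op, ts = ev["user"], ev["op"], ev["ts"]
        if user in self.frozen:
            return "blocked"
        rule = None
        if op == "download" and self._count(user, op, ts) > MASS_DOWNLOAD_MAX:
            rule = "mass_download"
        elif op == "rename" and self._count(user, op, ts) > MASS_RENAME_MAX:
            rule = "mass_rename"
        elif op == "transfer" and ev.get("dest") in PERSONAL_CLOUD:
            rule = "transfer_to_personal_cloud"
        if rule is None:
            return "allow"
        self.frozen.add(user)           # containment: a real deployment would call the IAM/DLP API here
        self.alerts.append((user, rule, ev["path"]))
        return "freeze"

def sample_events():
    """Constructed telemetry, not real data: a bulk download, a personal-cloud upload, normal use."""
    t0 = datetime(2025, 12, 20, 9, 0)
    ev = [{"ts": t0 + timedelta(seconds=i), "user": "alice", "op": "download",
           "path": f"/finance/q4/{i}.xlsx"} for i in range(25)]
    ev.append({"ts": t0 + timedelta(minutes=1), "user": "bob", "op": "transfer",
               "path": "/hr/salaries.csv", "dest": "dropbox.com"})
    ev.append({"ts": t0 + timedelta(minutes=2), "user": "carol", "op": "download",
               "path": "/public/handbook.pdf"})
    return ev
def run(events):
    mon = FileActivityMonitor()
    return mon, [mon.handle(e) for e in events]
```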
Identify and retire one legacy application, unused S3 bucket, or inactive server that still holds sensitive credentials or business data.
Forgotten workloads can contain leftover identity tokens, unencrypted files, and hard-coded secrets. As attackers look for where we’re not looking, these will be first on the list—especially as they’re typically not secured to the same standards as other active resources.
Scan abandoned storage, S3 buckets, and legacy systems to identify which hold exposed credentials, proprietary IP, or other valuables. If you’ve identified data that must be kept in cold storage, secure it with cryptographic protections, governed keys, and monitored access.
However, if you can let it go, do so. It’s safer all around.
Quick win: Decommissioning prevents an incident where an unretired system becomes an open back door for attackers.
If you want to start 2026 with confidence, now is the time to act. Thales provides teams with the tools to maximize end-of-year security wins with automation and ease, setting you up for a lighter load in the new year.
Go further with Thales as we work to build a future we can all trust.