Quote for the day:
"The people who 'don't have time' and the people who 'always find time' have the same amount of time." -- Unknown
7 challenges IT leaders will face in 2026
IDC’s Rajan says that by the end of the decade organizations will see lawsuits,
fines, and CIO dismissals due to disruptions from inadequate AI controls. As a
result, CIOs say, governance has become an urgent concern — not an afterthought.
... Rishi Kaushal, CIO of digital identity and data protection services company
Entrust, says he’s preparing for 2026 with a focus on cultural readiness,
continuous learning, and preparing people and the tech stack for rapid AI-driven
changes. “The CIO role has moved beyond managing applications and
infrastructure,” Kaushal says. “It’s now about shaping the future. As AI
reshapes enterprise ecosystems, accelerating adoption without alignment risks
technical debt, skills gaps, and greater cyber vulnerabilities. Ultimately, the
true measure of a modern CIO isn’t how quickly we deploy new applications or AI
— it’s how effectively we prepare our people and businesses for what’s next.”
... When modernizing applications, Vidoni argues that teams need to stay
outcome-focused, phasing in improvements that directly support their goals.
“This means application modernization and cloud cost-optimization initiatives
are required to stay competitive and relevant,” he says. “The challenge is to
modernize and become more agile without letting costs spiral. By empowering an
organization to develop applications faster and more efficiently, we can
accelerate modernization efforts, respond more quickly to the pace of tech
change, and maintain control over cloud expenditures.”Rethinking OT security for project heavy shipyards
In OT, availability always wins. If a security control interferes with operations, it will be bypassed or rejected, often for good reasons. That constraint forces a different mindset. The first mental shift is letting go of the idea that visibility requires changing the devices themselves. In many legacy environments, that simply isn’t an option. So you have to look elsewhere. In practice, meaningful visibility often starts at the network level, using passive observation rather than active interrogation. You learn what “normal” looks like by watching how systems communicate, not by poking them. ... In our environment, sustainable IT/OT integration means avoiding ad-hoc connectivity altogether. When we connect vessels, yards and on-shore systems, we do so through deliberately designed integration paths. One practical example of this approach is how we use our Triton Guard platform: secure remote access, segmentation and monitoring are treated as integral parts of the digital solution itself, not as optional add-ons introduced later. That allows us to enable innovation while retaining control as IT and OT continue to converge. ... In practice, least privilege means being disciplined about time and purpose. Access should expire by default. It should be linked to a specific task, not to a project or a person’s role in general. We have found that making access removal automatic is often more effective than adding extra approval steps at the front end. If access cannot be explained in one sentence, it probably shouldn’t exist.Mastering the architecture of hybrid edge environments
A mature IT architecture is characterized by well-orchestrated workflows that
enable compute at the edge as well as data exchanges between the edge and
central IT. Throughout all processes, security must be maintained. ...
Conceptually, creating an IT architecture that incorporates both central IT and
the edge sounds easy -- but it isn't. What must be achieved architecturally is a
synergistic blend of hardware, software, applications, security and
communications that work seamlessly together, whether the technology is at the
edge or in the data center. When multiple solutions and vendors are involved,
the integration of these elements can be daunting -- but the way that IT can
address architectural conflicts upfront is by predefining the interface
protocols, devices, and the hardware and software stacks. ... The hybrid
approach is a win-win for everyone. It gives users a sense of autonomy, and it
saves IT from making frequent trips to remote sites. The key to it all is to
clearly define the roles that IT and end users will play in edge support. In
other words, what are end-user technical support people in charge of, and at
what point does IT step in? ... Finally, a mature architecture must define
disaster recovery. What happens if a remote edge site fails? A mature
architecture must define where it fails over to, so the site can keep going even
if its local systems are out. In these cases, data and systems must be
replicated for redundancy in the cloud or in the corporate data center, so
remote sites can fail over to these resources, with end-to-end security in place
at all points. The Push for Agentic AI Standards Is Well Underway
"Many existing trust frameworks were layered onto an internet never designed for
machine-level delegation or accountability. As agents begin acting
independently, those frameworks need to evolve rather than simply be imposed,"
Hazari said, who authored the book "The Internet of Agents: The Next Evolution
of AI and the Future of Digital Interaction." The agentic AI standards debate
ranges from adopting enforceable guardrails to ensuring interoperability. Hazari
pointed out that innovation is already moving faster than formal
standard-setting can go. Fragmentation is a natural phase that precedes
consolidation and interoperability. ... The Agentic AI Foundation brings
together early but influential agentic technologies from Amazon Web Services,
Microsoft and Google. These hyperscalers are rolling out controlled AI
environments often described as "AI factories" designed to deliver AI compute at
enterprise scale. Initial contributions to the foundation include Anthropic's
Model Context Protocol, which focuses on standardizing how agents receive and
structure context; goose, an open-source agentic framework contributed by Block;
and AGENTS.md from OpenAI, which defines how agents describe capabilities,
permissions and constraints. Rather than prescribing a single architecture,
these projects aim to standardize interfaces and metadata areas where
fragmentation is already creating friction. Hazari said initiatives like the
Agentic AI Foundation can absorb patterns into shared frameworks as they
emerge.7 steps to move from IT support to IT strategist
The biggest obstacle holding IT professionals back is a passive mindset.
Sitting back and waiting to be told what to do prevents IT teams from reaching
the strategic partnership level they want, said Eric Johnson ... Noe Ramos,
vice president of AI operations at Agiloft, emphasized that strong IT leaders
see their work as part of a bigger ecosystem, one that works best when people
are open, share information, and collaborate. ... IT professionals need to
show up as partners by truly understanding what’s going on in the business,
rather than waiting for business stakeholders to come to them with problems to
solve, PagerDuty’s Johnson said. “When you’re engaging with your business
partners, you’re bringing proactive ideas and solutions to the table,” he
said. ... Rather than having an order-taking mindset, IT professionals should
ask probing questions about what partners need and what’s driving that need,
which shifts toward problem-solving and focuses on outcomes rather than just
implementing solutions, DeTray said. ... “IT professionals should frame every
initiative in terms of the business problem it solves, the risk it reduces, or
the opportunity it unlocks,” he said. ... Johnson warns against constantly
searching for home runs. “Those are harder to find and they’re harder to
deliver on,” he said. “Within 30 to 60 days, IT pros can build understanding
around metrics and target states, then look for opportunities to help, even if
they start small.”Spec Driven Development: When Architecture Becomes Executable
/articles/spec-driven-development/en/smallimage/spec-driven-development-thumbnail-1767777707872.jpg)
The name Spec Driven Development may suggest a methodology, akin to Test
Driven Development. However, this framing undersells its significance. SDD is
more accurately understood as an architectural pattern, one that inverts the
traditional source of truth by elevating executable specifications above code
itself. SDD represents a fundamental shift in how software systems are
architected, governed, and evolved. At a technical level, it introduces a
declarative, contract-centric control plane that repositions the specification
as the system's primary executable artifact. Implementation code, in contrast,
becomes a secondary, generated representation of architectural intent. ... For
decades, software architecture has operated under a largely unchallenged
assumption that code is the ultimate authority. Architecture diagrams, design
documents, interface contracts, and requirement specifications all existed to
guide implementation. However, the running system always derived its truth
from what was ultimately deployed. When mismatches occurred, the standard
response was to "update the documentation" SDD inverts this relationship
entirely. The specification becomes the authoritative definition of system
reality, and implementations are continuously derived, validated, and, when
necessary, regenerated to conform to that truth. This is not a philosophical
distinction; it is a structural inversion of the governance of software
systems.Decoupling architectures: building resilience against cyber attacks
The recent incidents are tied together by a common approach to digital
infrastructure: tightly coupled architectures. In these environments, critical
applications such as ERP, warehouse, logistics, retail, finance are
interconnected so closely that if one fails, other critical systems are unable
to function. A single weak point becomes the domino that topples the rest. This
design may have made sense in a simpler, more predictable IT world. But in
today’s highly interconnected landscape, with constantly evolving threats
accelerated thanks to the AI revolution, this once-efficient design has turned
into the perfect setup for system-wide issues. ... Instead of linking systems
directly, a decoupled architecture provides a shared backbone where each system
publishes what happens. That means if one system is compromised or taken offline
during an incident, the others can continue to function. Business operations
don’t have to come to a standstill simply because a single component is isolated
— and when the affected system is restored, it can replay the missed events and
rejoin the flow seamlessly. Some architectures, like event-driven data
streaming, can keep that data flowing in real time despite an attack. ... For
CIOs and CISOs, this shift in mindset is critical. Cyber resilience is no longer
just about perimeter defense or detection tools. It’s about designing systems
that can limit the blast radius when hit. absorbing and isolating the damage to
ensure a quick recovery.AI, geopolitics & supply chains reshape cyber risk
Organisations are scaling AI in core operations, customer engagement and decision-making. This expansion is exposing new attack surfaces, including data inputs, model training pipelines and integration points with legacy systems. It also coincides with uncertain regulatory expectations on issues such as transparency, auditability and the handling of personal and sensitive data in machine learning models. ... Map the above challenges alongside the geopolitical fragmentation the WEF report highlights, cyber risk is really being challenged in ways many traditional compliance frameworks were not designed for, via issues such as sovereignty, supply-chain and third-party exposure. In this environment, resilience absolutely depends on an organisation's ability to integrate cyber security, information security, privacy, and AI governance into a single risk picture, and to connect that with their technology decisions, regulatory obligations, business impact, and geopolitical context. ... Hardware, software and cloud services now rely on dispersed design, manufacturing and operational ecosystems. Attackers exploit this complexity. They target upstream providers, third-party tools and managed services. ... Regulatory fragmentation around AI is emerging alongside an increase in reported misuse. This includes deepfakes, automated disinformation, fraud, model theft and prompt injection attacks, as well as concerns over opaque automated decision-making.Five key priorities for CEOs & Governance practitioners in 2026
As Banking and Fintech industries are embracing cutting edge technologies,
without a skilled workforce to implement these technological solutions, the
financial services industry will suffer a lot. According to IDC, IT skills
shortage is expected to impact 9 out of 10 organizations by 2026 with a cost of
$5.5 trillion in delays, issues, and revenue loss. Thus, CEOs and governance
professionals should take up skills management as their top priority ... AI’s
explainability and transparency are to be addressed on priority. Finally, AI is
creating lots of environmental impacts contributing to greenhouse gas emissions
due to its high energy and water consumption, which leads to the Environmental,
social, governance (ESG) issues to be focused on by governance professionals.
... CEOs and governance professionals must take measures towards preemptive
cybersecurity. They should realise that cybersecurity gives the foundation of
trust for all the stakeholders of any enterprise and they cannot afford to
compromise on it. ... Traditional strategic planning involved fixed, long-term
goals, detailed forecasts, and periodic reviews. This is not suitable in the
face of constant disruption. Agile strategic planning by contrast is having
short planning cycles, incremental objectives, and adaptive learning. ... The
future of information systems management lies in the seamless integration of
cloud and edge computing – a distributed intelligent architecture where data is
processed wherever it is more efficient to do so.
/dq/media/media_files/2025/12/18/the-cio-playbook-2025-12-18-16-35-26.jpg)
