Akshay Joshi is the Head of the World Economic Forum’s Centre for Cybersecurity. He joined the Forum as a Global Leadership Fellow in 2015 and was responsible for strengthening engagement with organizations based in South Asia before taking on operational leadership of the Centre for Cybersecurity upon its launch. Prior to joining the Forum, he had over a decade of experience in management roles in sectors including maritime transport and public relations. Joshi holds an Executive Master in Global Leadership from the World Economic Forum, an MBA from the University of Manchester and a Bachelor from the University of Mumbai. He recently spoke to The Innovator about the global cybersecurity outlook for 2026.
Q: In the latest iteration of the Global Cybersecurity Outlook, we learned that nearly two thirds of organizations now factor geopolitically motivated cyberattacks into their risk strategies. Are we seeing a marked escalation during this war with Iran?
AJ: The crisis in Iran is having an impact, but it is important to note that there has been a conscious realization in the business community of the link between geopolitics and cybersecurity since we first highlighted this issue in the Global Cybersecurity Outlook in 2023. The crisis in Ukraine was a defining moment, because in the initial days of the conflict, in 2022, there was some jamming of GPS and satellites that disrupted the communication between troops but there were also wind farms in Germany that were relying on it for operation, and it had a massive impact on them. The outage that we had in Portugal and Spain last year was another defining moment. A cyberattack was ruled out as a possibility, but leaders became concerned because they realized that should a malicious state or non-state actor decide to conduct a similar operation, the impact could be very similar. Cyberspace is the fifth dimension of warfare, in addition to land, sea, air, and space. All these dimensions are being targeted at any given point in time. The sad part is that in addition to intended targets, there is collateral damage to completely harmless entities as well, just because of the nature of the Internet, so organizations must factor geopolitics into their overarching cyber resilience strategies. Overall, the number of threats that organizations report year-on-year continues to increase, whether these are state sponsored or non-state sponsored. There is often a very fine line. For the average organization, it is very hard to distinguish between them, but the threat profile is clearly increasing year on year.
Q: It is one thing to build your own resilience. What about the vulnerability of supply chains?
AJ: Large organizations rate supply chains as the single biggest barrier to achieving cyber resilience. The complexity of supply chains is such that even in good times, when the economy is growing steadily and there are limited geopolitical tensions, even then, an average organization struggles to map out their entire supplier ecosystem and make sure that there are good checks and balances to be able to assess their security. Security is also not static; it is very dynamic. So, the change in a third party’s security posture over time also has an impact on your security posture, especially when everything is very interconnected. This is in good times. Now, if you think about it, over the past year, we have seen so many trade-related tensions and conflicts in different parts of the world. This impacts business. Sometimes it is because of trade, other times because your supply ecosystem is in a part of the world embroiled in conflict, so businesses need to manage their dependencies and think about what it means to forge new supply chains. That is where it becomes tricky. On the one hand, in good times with stable supply chains, it was already a problem to keep tabs on the overall ecosystem. Now, as these supply chains are being reforged at breakneck speed in response to external stimuli, I think it just brings in a lot of vulnerabilities that organizations will increasingly have to manage.
Q: What about critical infrastructure? We are seeing oil facilities and data centers being targeted during the current war with Iran.
AJ: Most national cybersecurity strategies are developed around critical infrastructure in areas such as financial services, utilities, healthcare, energy, but there are also a lot of sectors that could dynamically be considered part of critical infrastructure, depending on the context. Think of a country where manufacturing is 80% of the GDP. If there is a hit on manufacturing, it has a direct impact on their GDP so for that country, manufacturing then becomes critical national infrastructure. This is why having a universal definition for what is considered critical infrastructure is so incredibly hard because it varies depending on the national context. There have been a lot of discussions around the fact that invariably, the burden of making critical infrastructure resilient lies with the private sector, but at the same time I think public private cooperation is needed. There are a lot of discussions around how there can be greater public private collaboration to ensure resilience with critical infrastructure. For our part, we have an initiative called Cyber Resilience In Industries that involves working across multiple critical infrastructure sectors. We have been working with the electricity sector for five or six years now and we are working with the oil and gas sector. It boils down to a culture of cyber resilience. It is important to make sure that senior leadership is involved. That was the foundational piece of all our work. Then, we looked at third party risk management, which was one of the big challenges. In oil and gas, for example, we have a good case study on how to manage this. In Saudi Arabia, Aramco, together with the National Cyber Security authority and other players, developed a framework for supply chain third party risk management, which then got almost universal acceptance across the kingdom. 
What that means is that if there is one entity that is vetted by, for example, Aramco, and they are good at doing business with them, the others can also almost assume that this is an entity that is okay to do business with. What it does is reduce the burden for third party risk management and all the compliance checks that go with that. This is just one example of how public/private partnerships can work. Some common discussions can lead to action, maybe not at a global level, but at a national level, and potentially eventually scale.
Q: In March the Trump administration came out with its new National Cyber Security Strategy and included something in there that said that the U.S. wants to “unleash the private sector” by creating incentives for them to “identify and disrupt adversary networks.” What role do you see the private sector playing beyond what you just described, not just in the U.S., but also worldwide, in helping curb not just cyberattacks, but also cyber crime, for things like fraud, phishing and impersonation?
AJ: Cybersecurity remains a frontier where collaboration is not only possible, but powerful. With the domain of cyber crime, there is a great possibility for public-private collaboration. At the World Economic Forum’s Centre for Cybersecurity, over the past years we’ve been nurturing an initiative called The Partnership Against Cyber Crime. The premises are very straightforward. The mandate to prosecute is that of law enforcement, whereas the technical prowess lies within the private sector. If you can create the right mechanisms for them to work together on an ongoing basis, you can achieve good things. We realized this by initially putting forward some enabling conditions for ongoing community collaboration and then bringing that to life. Four organizations – Microsoft, Fortinet, PayPal and Santander – funded an initiative called the Cybercrime Atlas. We now have roughly around 50 investigators that have been crowdsourced from different private sector organizations that are working on open-source information to analyze the modus operandi of cyber criminals and then they build credible intelligence that can support disruption efforts. One of the partners instrumental in setting up this initiative shares it through their channels with law enforcement. There have been certain takedown efforts by INTERPOL within the past year, whereby Atlas research, alongside many other data sources, has resulted in seizure of assets, arrests, etc. There is no silver bullet here, and there are dozens of data sources that go into these law enforcement actions, but it’s encouraging to see how a public/private collaborative effort can also contribute towards some of these efforts. 
Additionally, the Centre has recently launched a white paper ‘Fighting Cyber-Enabled Fraud: A Systemic Defence Approach’ that emphasizes the importance of collaborative efforts centered around three essential pillars: prevention by strengthening safeguards at the infrastructure layer; protection by raising user safety by default and mitigation through accelerated signal sharing and coordinated response.
Q: In the Forum’s latest global security outlook, 87% of leaders surveyed said they see AI-related vulnerabilities as the fastest growing cyber risk. What’s the best way to combat this?
AJ: AI is a double-edged sword. On the one hand, it presents unprecedented risks, but on the other hand, it also presents a lot of opportunities. We have an initiative on AI and cybersecurity. The first part of that initiative focused on ensuring existing cybersecurity controls are sufficient to manage the risks that AI presents or whether we need to rethink controls and include kill switches or human-in-the-loop controls into the mix. This year, we shifted our focus and are asking how the security part of the organization can benefit from the use of AI. We are going to launch a report on that at the annual meeting on cybersecurity in Geneva in May. This links well with a lot of the discussions in Davos. At this year’s annual meeting in Davos there was a lot of focus on agentic AI for good reason. It has tremendous promise. But if you went to any agentic AI discussion very quickly you noticed that the focus was not just on opportunity but the risks. Security is a top priority as we think about the dawn of the agentic era. That is going to be our focus for the coming year. We are going to see a rampant evolution in terms of the deployment of agents, and it is important that we do so with a security mindset in place.
Rather than being prescriptive and saying these are the five ways AI can help, we have been in exploratory mode, talking to organizations. This has helped us build a rich set of case studies. We have mapped those use cases to understand the various areas within a security organization where AI can help. We want this to be a living document whereby we can continue to add use cases, providing inspiration to organizations that are looking to adopt AI.
We believe that AI has the potential to provide significant benefits, not just for large corporations. If you look at small and medium enterprises, there is recognition that some of the state-of-the-art cyber security tooling is beyond their reach. The tools tend to be expensive, for good reason, because there is so much R&D going into them. One thing we are looking at is whether there can be lighter versions that, using the power of AI, can be scaled. We are looking at whether freemium models can be introduced and if so, what the initial layer of security that can be provided to bring people on board with their security journey would look like. We need to be thinking about how to create some incentives for people. If you think about renewables in a lot of countries, if people install a heat pump, the government gives them a rebate. What does it do? It provides a little bit of an incentive for people to take their first step in their energy transition and clean energy journey. If we can take security in that direction, whereby we are enabling organizations to take that first step without a prohibitive entry point, we can probably sensitize people a lot more to the potential and the growth potential that security can provide, because there are concrete losses linked to cyber security incidents. Once we bring people on board for that journey, I think you create the right incentive for them to go further, and that is how I believe the world will become a lot more secure.
Q: How would you advise executives to prepare for the year ahead?
AJ: For those that have not factored in geopolitical uncertainty, it’s important to make sure that is baked into cyber resilience strategies. I do not think any CEO today can afford to ignore the cyber risks facing their organization. Second, if organizations are not thinking about security of their AI tools, or equally, thinking about how AI can provide gains in their security posture, it is important they start thinking about that. The third element is relevant to all executives. Cyber-enabled fraud topped ransomware as the top risk for CEOs in our global cybersecurity outlook for 2026. Executive impersonation is pervasive now. In Davos this year, I had conversations with several CEOs who said that when they are new in the organization and their ways of working are not known to their executive teams, the number of instances of voice cloning accelerates. Their executive teams are receiving voice clone messages asking them to take a certain action. I think it is important to think about whether you have proper preparedness mechanisms, because these risks are continuing to grow, and we need to ensure that organizations do not fall prey to it. This requires defining governance practices. Amid accelerating technological change, persistent geopolitical volatility and widening capability gaps, cybersecurity remains a frontier where collaboration is not only possible, but powerful.
