Codific sets 2026 priorities for boards on cyber risk

Tue, 13th Jan 2026

Codific has outlined a set of security priorities it expects organisations to put in place during 2026, as boards face rising scrutiny of cyber risk and regulators add overlapping compliance demands.

The company said security leaders should set measurable commitments that stand up to executive review and audit. It pointed to shifts in attacker behaviour, higher exposure through suppliers and software services, and new expectations around governance and reporting.

"Shift left is shifting up in the organization as the ROI on different security initiatives becomes more salient and is scrutinized. In 2026 we see more data-driven security initiatives making their way up the chain of command," said Dag Flachet, Co-Founder, Codific.

Flachet also serves as a Board Member and Professor at Geneva Business School. He works on organisational security practices and contributes to OWASP projects and regulatory guidance related to the Cyber Resilience Act, according to Codific.

Threat picture

Codific cited recent industry reporting that points to continued pressure on manufacturing and a sustained focus on credential misuse. IBM X-Force data puts manufacturing as the most targeted sector for a fourth year, at 26% of incidents. The same data set lists exploitation of public-facing applications and valid accounts as leading attack vectors at 30%, followed by phishing at 25% and external remote services at 11%.

Vendor and supply chain exposure has also gained prominence in incident analysis. Verizon's 2025 Data Breach Investigations Report found that third-party involvement in breaches has risen to 30% across more than 22,000 security incidents reviewed. That figure indicates that roughly one in three breaches now involves external parties such as suppliers, partners, or service providers.

Ransomware patterns have also changed in ways that affect incident response planning. Verizon reported a rise in extortion-only attacks, in which criminals steal data and threaten disclosure without encrypting systems; it reported that the share of such attacks rose from 3% to 10%.

Compliance teams also face a more complex environment. Codific cited Gartner's audit predictions that identify cybersecurity and data governance as leading themes in audit plans for 2026. It pointed to multiple frameworks that organisations may need to address in parallel, including the NIS 2 Directive, the EU AI Act, GDPR amendments, and SEC cybersecurity disclosure rules.

Preemptive focus

Codific's first proposed priority centres on what it described as preemptive cybersecurity. It cited Gartner research that lists preemptive cybersecurity as a strategic technology trend for 2026 and predicts that by 2030 such solutions will account for half of all security spending.

The company said organisations have started to invest more in approaches that anticipate threats earlier in the attack cycle. It listed methods such as behavioural analytics, anomaly detection, threat intelligence integration, and deception technologies.

Identity governance

The company's second priority addresses identity and access governance. Codific linked the recommendation to the prevalence of attacks that involve valid credentials. It said organisations now operate with data spread across cloud services, endpoints and third-party systems, which reduces the effectiveness of perimeter security models.

Codific described a move towards zero trust principles and least-privilege access. It also referenced continuous authentication, microsegmentation, and "identity fabric" approaches as part of an effort to reduce attacker movement after an initial compromise.

Supplier exposure

Third-party risk management forms Codific's third priority. The company said organisations should treat vendor security as a core part of security planning rather than a procurement checklist item.

It listed data loss prevention, contract requirements, continuous monitoring of vendor compliance, and incident response plans that cover third-party scenarios. Codific also said organisations should apply data classification standards consistently across external relationships where suppliers handle sensitive information.

Compliance integration

Codific's fourth priority focuses on integrated compliance architecture. It argued that separate compliance programmes for each regulation do not scale as requirements converge.

The company called for unified governance across security controls, privacy protections, and compliance documentation. It also referenced the use of platforms that give visibility into sensitive content, apply consistent policies, and produce evidence that maps to multiple frameworks.

Social engineering

The fifth priority covers social engineering, which Codific said has surpassed ransomware as the leading cyber concern in one professional survey. It cited ISACA's 2026 Tech Trends poll of nearly 3,000 professionals, in which 63% identified social engineering as their top threat.

Codific said organisations should put more weight on security culture and role-specific training. It also pointed to frequent feedback and recognition of good security decisions, rather than annual training exercises.

Metrics and reporting

Across the five areas, Codific said organisations should define outcomes in measurable terms and assign resources accordingly. It pointed to metrics such as mean time to detect and said organisations should establish a baseline before making changes.

The company also described regular reporting to leadership and ongoing communication about progress and setbacks. It framed these steps as part of a repeatable approach to governance and accountability.

Codific linked the focus on metrics to greater attention from boards, customers, and regulators. It said organisations will face more questions about their security posture during 2026, including evidence of structured application security programmes.

"Organisations see that doing more sooner is actually cheaper than fixing things down the line. This is true at a product level but even more so at an operational process level, and most of all at an organizational culture level. Customers and regulators will have more security-related questions in 2026. In that context having a well-documented application security program becomes an operational edge," said Flachet.