
Lessons from CISOs

2026 Infrastructure Security Outlook

Infrastructure security is undergoing the most significant transformation in decades. Once viewed as the quiet, foundational layer beneath applications and endpoints, today it has moved to the center of how global enterprises operate, scale, and defend themselves.

This CISO Point of View article offers a curated, abridged view of our full Infrastructure Security Guide, featuring insights from leading CISOs on how enterprises are redefining infrastructure security in 2026. To read the full Guide, click here.

Section 1: Framing the Conversation — The Role of Infrastructure Security

How do you balance investment between traditional security domains (like endpoint or application security) and infrastructure protection?


Mark Thomson
Deputy Group CISO
Howden

“Conduct thorough risk assessments to identify critical assets and vulnerabilities, ensuring resources are directed where they mitigate the greatest impact. For instance, businesses heavily reliant on cloud services may prioritize infrastructure segmentation and identity controls over endpoint hardening.

Internal strategies and frameworks such as ISO 27001 and PCI-DSS reinforce this alignment by linking controls to business objectives and compliance requirements.

Beyond prioritization, investment needs to be balanced between prevention, detection, and response across endpoint, application, and infrastructure security.”


Section 2: Real-World Priorities & Challenges

As infrastructure becomes increasingly hybrid and distributed, what are the biggest visibility or control challenges you face?



Gernette Wright
Former IT Security Officer - Americas
Schneider Electric

“Without a doubt, it’s about knowing where data is and who can access it. When you combine on-premises systems, multiple clouds, SaaS platforms, and older systems, it becomes hard to keep track.

Access control gets trickier because each platform handles permissions differently. This opens the door for privilege creep. When teams rush or do not follow proper procedures, over-provisioning often results.

Another important aspect is knowing where the data came from, how it has changed, who worked with it, and whether the right permissions were in place at each step.

Without this traceability, accountability becomes unclear. It also increases security risks because sensitive information can unintentionally end up in systems not meant to store it.”

How do you ensure IT teams and security teams stay aligned on priorities and accountability?




Rick Doten
Former VP Information Security
Centene

“Priorities are easy: make sure that which is critical to the business is protected, resilient, and stable. We spend too much time chasing the priorities given by the tools or CVE scores without understanding business context and impact.

We have only statically evolved our prioritization based on external-facing exposure or known exploits. But even that might not matter to the business, based on the specific platform.”


Section 3: Modernization & Transformation

Are traditional infrastructure security models still relevant — or do we need a new operating model for the modern enterprise?


Erdal Ozkaya
CISO
Morgan State University

“The old 'Castle and Moat' model? It’s gone. It’s comfortable to think, 'If I secure the perimeter, the inside is safe,' but it’s a lie.

We operate on Zero Trust now, which sounds like a buzzword, but it’s actually a mindset shift. It means I treat my internal corporate network with the same suspicion I treat the open internet. It’s paranoid, sure, but in this job, paranoia is a virtue. We assume the bad guy is already inside.”


How do you approach securing “invisible infrastructure” — the underlying systems that run across hybrid cloud, APIs, and automation pipelines?


Girish Kulkarni
CISO
Aurionpro

“Invisible infrastructure requires security by design. This includes API security gateways and runtime protection, CI/CD pipeline hardening with secrets management, and Infrastructure-as-Code (IaC) scanning before deployment.”


Matthew Lang
Former CISO
State Employees' Credit Union (SECU)

“As far as hidden IT outside the organization, you need extremely good contracts with all 3rd parties – including the right to scan for weaknesses.”


Section 4: Storage & Backup — The Last Line of Defense

Storage and backup systems are often overlooked but critical in cyber resilience. How do you ensure they’re properly secured?


Gernette Wright
Former IT Security Officer - Americas
Schneider Electric

“From my perspective, backup systems are arguably the most critical piece of your BCP and DR strategy. Outside of cost, there are two other critical areas I look for: immutability and speed of restoration.

On the operational side, these backup systems must be tested. I ensure regular restorations are done quarterly and a full restore done annually of a critical system or systems.

Storage security addresses the same fundamentals: encryption, access control, patching, and monitoring. It’s important to make sure the storage platform is properly secured through encryption, tight access control, patching, and monitoring, and that sensitive data isn’t being copied to locations that weren’t meant to hold it.”

Bob Turner
Former CISO
Penn State University and University of Wisconsin-Madison

“To think about the future, you have to go back to basics: where is your information actually kept?

Your primary data lives in central storage systems that people use to do business. Today, backup systems are also often kept online in some form, which can be risky.

Any primary data source that is critical to the enterprise needs either an offline backup or a very well-isolated backup.

Enterprises that are doing this well aren’t usually talking about it publicly, but they’re quietly adopting the best security controls the industry can provide. If you’re not there yet, that’s where you need to be heading.”

Do you see a growing convergence between infrastructure reliability and cybersecurity — especially when it comes to data protection and recovery?

Mark Thomson
Deputy Group CISO
Howden

“There is certainly an increasing convergence between infrastructure reliability and cybersecurity, particularly in data protection and recovery.

Traditionally, disaster recovery focused on physical resilience while cybersecurity addressed digital threats, but today these domains intersect as cyberattacks can disrupt critical infrastructure as severely as natural disasters.

Organizations need to embed cybersecurity into resilience frameworks, aligning backup strategies with business continuity plans, and leveraging technologies such as Zero Trust and cyber-resilient storage to ensure operational continuity under attack conditions.”


Girish Kulkarni
CISO
Aurionpro

“Absolutely. Cybersecurity and reliability are now inseparable. Ransomware has made backup integrity a security priority.

We integrate cyber resilience metrics into business continuity planning.”


Section 5: Looking Ahead — Future of Infrastructure Security

What new trends or technologies do you think will most impact Infrastructure Security in the next 2–3 years?


Mats Nygren
Former VP Information Security
U.S. Bank

“Resilience will be regulated and require measurability – disclosure requirements and market pressure will make resiliency a board-level expectation.

Recovery time, identity hygiene, and cloud posture drift will become quantitative indicators of infrastructure security maturity.

Infrastructure security will be judged not only on how well it prevents incidents, but how well it recovers from them, in addition to driving value for the business.”



A word from our sponsor:

StorageGuard – by Core6 – is the ONLY Security Posture Management solution for enterprise storage & backup systems.

It verifies and hardens the security of all enterprise storage and backup systems, and ensures these systems remain compliant with industry standards and regulatory requirements.

With a major surge in breaches on storage & backup systems over the past year, along with changes to industry standards by NIST, ISO and CIS – the topic continues to be extremely relevant.