Jan Bee, CISO at the platform TeamViewer, offers two predictions for 2026: third-party SaaS supply chains will become the primary attack point, and password-based authentication will finally become obsolete in organisations. He says:

The interconnected world of SaaS applications will emerge as the most significant vulnerability for enterprises in 2026. As companies continue moving away from on-premise infrastructure to cloud-based solutions, threat actors are shifting their focus from traditional infrastructure to third-party and even fourth-party supplier risks. The days of isolated legacy systems are ending, and with them, the old playbook for enterprise security. What makes this particularly concerning now is that adversaries are leveraging AI to accelerate their ability to identify and exploit vulnerabilities across these complex supplier networks, turning what were once time-consuming surveillance efforts into automated processes.

CISOs must prioritise speed in securing their supplier ecosystem. The challenge isn’t just identifying which applications are in use across departments – it’s understanding them quickly enough to secure them before adversaries exploit the gaps. Start by getting the foundational security posture right for each application, rather than attempting comprehensive security programs that take months or quarters to implement. The key is velocity: secure the primary tools first, then move systematically through the supplier list.

While compliance frameworks continue to mandate complex password policies, forward-thinking organisations will abandon passwords entirely in favour of platform authentication and biometric systems. The password requirements that made sense a decade ago are now actively holding back security progress. In 2026, we’ll see a clear divide between organisations clinging to outdated password mandates and those embracing passkeys, platform authentication on managed devices, and biometric verification as their standard.

CISOs should begin planning the complete elimination of passwords from their authentication workflows. Focus on platform authentication that verifies managed, compliant company devices combined with biometric authentication. This isn’t just more secure – it’s dramatically more user-friendly, eliminating the frustration and security risks of password management. Yes, some compliance frameworks still emphasise passwords, but these requirements are outdated by the current threat landscape. Security teams should work with their compliance teams to demonstrate how modern authentication methods exceed the security intent of password requirements, even if they don’t follow the letter of older regulations. The organisations that make this transition in 2026 will be significantly ahead of their peers in both security posture and user experience.