Greg Schaffer:
Hi, I’m Greg Schaffer and welcome to the Virtual CISO Moment. There I am. Forgot to click a button there.

It’s early in the morning of December, and I’ve got something a little bit different today. I’m going to talk about predictions. Everybody else does predictions, so I figured I’d go ahead and do it myself too.

These aren’t going to be really your standard predictions for the security arena. These are things that over the past year—particularly over the past year, last few months I guess—really have been percolating in my mind more and more.

I’m not going to talk about frameworks or tools or breaches, at least specific ones. I want to talk about five predictions I’m going to have, not from a hype perspective, but from patterns that I’ve been seeing a lot across SMBs, but really across the industry as well too. Startups, seeing it with some audits, some of the consulting agreements that we’ve been working on, and also just conversations that I’ve had with you all—for example, what we’ve done on The Virtual CISO Moment over the past year, and what we talk about on LinkedIn, what we talk about in person.

These aren’t futuristic predictions. They’re second-order consequences of things that are already happening today.

So let’s go ahead and jump into it.


Prediction #1: SOC 2 Will Lose Its “Easy Button”

The first one you’re probably going to be a little familiar with. Prediction number one, I want to frame it as the SOC 2 will lose its easy button.

Everybody knows that the SOC 2 was never meant to be a seal of security. It’s an attestation of things that are in place right now—basically attesting that what the company says they’re doing, they’re actually doing with regards to information security. It’s not a framework, it’s not a certification, and it’s never been meant to be this end-all, do-all seal, if you will, of information security.

But that’s often how it’s treated.

I think everybody, for the most part, will agree that SOC 2 has become almost like a check-the-box exercise. We see a lot of audit firms, for example, that rely heavily on automation. We see this too with consulting firms, where they’re focused on helping organizations pass, not improve their security programs.

You see minimal auditor engagement. Little or zero on-site validation. You don’t have the interaction with the auditor explaining or at least trying to understand what the system description is about. It’s been a while since I’ve been involved in a SOC 2 audit where they’ve really dug into that.

I can spool back like five or six years ago—this is early in my vCISO days—flying up to Iowa to actually meet with the auditor there at a client site. And we spent the day, maybe it was two days, really digging through stuff. It was collaborative.

Fast-forward to last year, I was on a SOC 2, barely had meetings with folks. It was just all exchange on a platform.

Now, excuse the pun, but this has resulted in a false sense of security. You remember back in the day when people had firewalls? I think there was a commercial—I think it was Barracuda actually. I don’t mind calling them out now. It’s been a while.

But this exchange between a couple of people in an office, and it’s obviously very poor actors, but one person’s really worried about the security, and the other person’s like, “No, we’re all good. IT just told me that we have now a firewall, and everything is fine. We’re all secure.”

Well, the SOC 2 has become something like that as well too. We have our SOC 2, so we must be secure. That’s how it’s presented to the C-suite, to the board of directors. And that is dangerous.

Now, the AICPA has recognized the declining audit quality and has already begun tightening guidance. So they’ve got clearer expectations around control effectiveness, stronger emphasis on professional skepticism, and more scrutiny of audit firms that are issuing these reports. This is so much needed.

If we can get back to a point where the SOC 2 actually has some meaning beyond what it is now. Now, I’m not going to discount it one hundred percent. In some ways, for some organizations, it is a good beginning step to building security programs. So there is still value there. It’s just the way it’s treated.

If we can flip that back to where folks aren’t building security programs to meet the SOC 2 attestation requirements, rather they’re building security programs to secure information and then validating—at least at a point in time—their controls through a meaningful SOC 2 exercise, then it’ll regain its value.

So by 2026, or in 2026 I should say, auditors will be more engaged, more technically competent. Really hope to see this. Have you ever had a discussion with an auditor and it almost seems like you’re explaining basic InfoSec 101 compensating controls?

Evidence quality will matter more than evidence volume. And that’s the way it should be. Instead of being able to produce these reams and reams of data, just show from a risk perspective why this control takes care of that requirement.

They’re also going to become harder to pass without exceptions. And that’s good, because I think they’re going to be holding feet to the fire—more accountability.

Now, for you CISOs and vCISOs, this is obvious. I’ve said it before, I’m going to say it again: the SOC 2 should always be a byproduct of the security program, not the goal.

So my hope is that you all manage towards that point. And to those virtual CISOs that are out there promoting the SOC 2 as the goal first—please reconsider what you’re doing.


Prediction #2: Vibe Coding Will Create a New Class of Security Incidents

Alright, prediction number two. And this is a little bit more near and dear to me based on a project—or a couple of projects—I’ve been working on for the last couple of months.

Vibe coding will create a new class of security incidents.

So I don’t know how familiar you are with this. I love analogies, always have loved analogies. So the analogy I use is WordPress—and you’re probably thinking, oh gosh, this is going to be a bad analogy—but bear with me for a second. GoDaddy may be a good one as well too.

When HTML first came out, when we as old folks would build websites, we would do just that. We would actually build it using code—HTML code—line by line. We knew what each thing represented. Of course, websites were a lot simpler back then as well too.

It became a little bit harder to do, and then it became really impractical—impossible to do. I don’t think anybody codes a website by hand unless it’s just a very simple type page.

And so we’ve had over the years products that have come out to create this abstraction layer between the actual code and what it is that the person’s trying to do. GoDaddy and WordPress are two examples.

GoDaddy makes it very easy. They’ve sold this for years and years and years—makes it very easy for a business to get online by making website creation very simple. You can take pre-formatted templates, blocks, this and that, and put it together.

WordPress accelerates that and gives you a lot of options on what you can do with regards to putting in different modules or different other features, ways for tracking. It basically makes building a website easier so that you don’t have to learn every single little bit of code.

So vibe coding is kind of like that. Instead of learning how to be a coder to build a web-based application, vibe coding platforms allow you to do that.

I believe the reason why they call it vibe coding is because it gives you a lot of freedom. You can try something—an idea—and very easily, without getting lost in the actual coding stuff, you can see what the result is going to be.

For me, that’s so critically important because I’m such a visual person. It’s like, I know what I want my website to look like. And once I see it, that triggers more ideas.

So you see this really functional flywheel of imagination, application, business use, imagination—continuing on and on.

But here’s the risk.

I’ve seen some things happen. One example: I was using a shim product—an intermediate product—that takes information from one source and feeds it into the vibe coding platform. The application said, “Tell me what you’re trying to do, and I’ll build you the workflow.” And it did.

But it dropped a file—confidential but not overly sensitive—into an S3 bucket. And the S3 bucket was not secured. There was a long URL, sure, but that’s not security. Security by obscurity is a speed bump. It’s not real security.

I flagged it, and the AI said, “Well, yeah, we can secure that for you if you want.”

That’s the problem. By default, security wasn’t there—and I wasn’t even asked.

Now, I’m a security person. I look for that stuff. But most people won’t. They’ll say, “It works. Good enough.”

Even I’ve let things slip while learning these platforms. And that’s the danger.

As more applications are built by executives, product managers, business units, and non-technical staff, the attack surface explodes.

In 2026, we’re going to see breaches directly attributable to misconfigured low-code tools—defaults that aren’t secure.

We should have learned this lesson from early AWS S3 buckets being public by default. Firewalls should default to deny. Everything should be built with a security mindset—but we can’t rely on that.

Vibe coding is fine. I’m using it. I’m building with it. But ungoverned, unrestrained vibe coding without awareness—that’s the issue.


Prediction #3: The vCISO Market Will Self-Correct

The virtual CISO market will self-correct.

When I started almost nine years ago, virtual CISOs were experienced CISOs helping SMBs part-time. Great model. SMBs need executive security leadership, but not full-time cost.

Today, ask ten people what a virtual CISO is, and you’ll get ten answers. It’s been diluted.

You’ve got people who have never held a CISO or senior security leadership role calling themselves vCISOs. Often very technical, very weak on risk management and business acumen.

There’s also a normalized conflict of interest—gap analysis followed by “oh look, we sell the tool that fixes this.”

Pricing is all over the map. Firms like mine charge more because we bring real executive risk experience. Others undercut with far less experience. And you get what you pay for.

We’ve come in behind those engagements. Bad advice is worse than no advice.

But markets mature. Customers learn to ask better questions. They’ll start to understand the difference between strategic leadership and vendor-aligned consulting with a fancy title.

Strong, independent, experienced vCISOs will thrive. Others will retool or exit.

The vCISO model isn’t going anywhere—it’s just growing up.


Prediction #4: Security Shaming Will Cross a Line

This one’s been bugging me.

There’s a troubling trend of security influencers taking photos of strangers’ perceived security mistakes and posting them online under the guise of awareness.

Laptops on trains. Screens in coffee shops. Documents visible through car windows.

This isn’t education. It’s engagement farming.

A single photo can contain enough OSINT to identify someone or their employer. And even if it doesn’t, you don’t get to choose how someone reacts to public shaming.

I fear we’re going to see serious retaliation—even physical confrontation.

If you want to educate, generate an AI image. Don’t take someone’s picture.

Awareness should reduce harm, not create new kinds of it.


Prediction #5: The 1099 Shortcut Will Become an Existential Risk

This one isn’t talked about enough.

Startups and SMBs increasingly rely on 1099 contractors instead of W-2 employees. That’s fine—when done correctly.

But contractors are being treated like employees. Required meetings. Company equipment. Embedded leadership roles. Day-to-day management.

Here’s the rule:

If your contractor looks like an employee, works like an employee, and is managed like an employee—the government will eventually agree.

Misclassification isn’t just legal. It’s operational. Loss of service. Loss of critical security talent. Reputational damage.

From a security standpoint: inconsistent controls, weak offboarding, company data on personal devices.

In 2026, increased scrutiny will shut some businesses down entirely.

Contractors aren’t a shortcut. They’re a responsibility.


Closing

All of these predictions share a common theme. These failures don’t start with hackers. They start with governance blind spots.

Checklists. Convenience. Misaligned incentives. Assumptions that no one will notice.

The question isn’t whether these risks exist—it’s whether you’re seeing them clearly.

That’s the point of predictions. Not clout. Not virality. Awareness.

I hope this has been helpful.

And as always—stay secure. Thank you.
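The unsecured S3 bucket in Prediction #2 is the kind of default a defender can check for mechanically rather than by noticing a long URL. The following is an added example, not part of the transcript or any product Greg mentions: a small offline evaluator that flags bucket policy statements granting access to everyone and reports which of the four S3 Block Public Access flags are not enabled. The policy documents, account ID and role name are constructed placeholders; the flag names and policy shape are the standard AWS ones.

```python
"""Offline check for 'public by default' S3 configuration (added example).

Two inputs are evaluated, both constructed inline for this example:
  1. a bucket policy document (JSON), checked for unconditional
     Allow statements whose Principal is everyone ("*"), and
  2. the bucket's Block Public Access settings, checked against the
     four flags AWS exposes.
No AWS calls are made; the documents are treated as already fetched.
"""
import json

# The four S3 Block Public Access flags. A secure default sets all of them.
BPA_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _is_everyone(principal) -> bool:
    """True when a statement's Principal grants access to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def public_statements(policy_json: str) -> list:
    """Return identifiers of Allow statements open to everyone with no Condition.

    Statements that carry a Condition are not flagged here: a condition such
    as a VPC endpoint restriction narrows the grant, and deciding whether it
    narrows it enough needs a human (or a fuller evaluator).
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


def block_public_access_gaps(bpa: dict) -> list:
    """Return the Block Public Access flags that are missing or not True."""
    return [flag for flag in BPA_FLAGS if bpa.get(flag) is not True]


def assess_bucket(policy_json: str, bpa: dict) -> dict:
    """Combine both checks. 'exposed' means a public policy statement exists
    and RestrictPublicBuckets, the flag that neutralises public policies, is off."""
    public = public_statements(policy_json)
    gaps = block_public_access_gaps(bpa)
    return {
        "public_statements": public,
        "bpa_gaps": gaps,
        "exposed": bool(public) and "RestrictPublicBuckets" in gaps,
    }


# Constructed sample: what the workflow tool in the story effectively produced.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-workflow-output/*",
    }],
})
WEAK_BPA = {flag: False for flag in BPA_FLAGS}

# Constructed sample: the same grant scoped to one role, with all flags on.
# 123456789012 and WorkflowRole are placeholders, not a real account or role.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowWorkflowRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/WorkflowRole"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-workflow-output/*",
    }],
})
HARDENED_BPA = {flag: True for flag in BPA_FLAGS}


if __name__ == "__main__":
    for label, policy, bpa in (("weak", WEAK_POLICY, WEAK_BPA),
                               ("hardened", HARDENED_POLICY, HARDENED_BPA)):
        print(label, assess_bucket(policy, bpa))
```

Run as a script it prints the assessment for both constructed buckets; the weak one reports the public statement and all four missing flags as exposed, the hardened one reports nothing. In practice the two inputs would come from the bucket's policy and public-access-block configuration as returned by the AWS API, and the check belongs in the pipeline that provisions storage for these tools, so the insecure default is caught before anyone has to spot it by hand.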