What the Last Year of Compliance Changes Means for 2026

Dror Hevlin Publication date: 19 December, 2025

In 2025, organizations across all sectors navigated a significant wave of updates to cybersecurity and privacy compliance frameworks. As digital threats evolved, regulators responded with new requirements, major transition deadlines, and heightened enforcement, making swift adaptation essential. For service providers, staying proactive with compliance was the key to avoiding penalties, building resilience, maintaining stakeholder trust, and creating a foundation for growth. Key shifts included greater demands in risk management, cloud security, and executive accountability, moving the focus from mere documentation to demonstrable oversight. 

The year’s most significant milestones included the accelerated adoption of NIST CSF 2.0, the publication of the revised ISO 27701:2025 privacy standard, and substantial revisions to the OMB Compliance Supplement. Evolving requirements also impacted CMMC, the FTC Safeguards Rule, and the HITRUST Common Security Framework. For CISOs and cybersecurity leaders, these changes marked a critical shift toward board-level accountability, with regulators and clients expecting clear executive ownership and ongoing risk management. Understanding and adapting to this new baseline is crucial for standardizing compliance, supporting clients effectively, and preparing for future regulatory expectations.  

Below, we break down the most impactful compliance changes of 2025 and the steps you need to take as a service provider to help your clients stay ahead in 2026. 

Summary of 2025 Compliance Framework Updates 

In 2025, several important adjustments, transition deadlines, and enforcement trends shaped key compliance frameworks. Each had distinct implications for businesses. 

GDPR and AI 

In 2025, European regulators intensified their focus on how organizations use AI under the GDPR. Regulators did not introduce formal amendments to the regulation. Instead, they clarified expectations through new guidance, opinions, and enforcement activity. These developments should be viewed separately from the EU AI Act, which introduced new obligations, while GDPR enforcement in 2025 focused on applying existing principles to AI-driven processing. 

Key developments include: 

  • Expanded regulatory guidance on AI and personal data, issued by the European Data Protection Board and national data protection authorities, clarifying how existing GDPR principles apply to AI systems. AI use cases increasingly require formal inventories, lawful basis documentation, DPIAs, and executive visibility, even where AI systems are internally developed. 
  • Increased expectations around Data Protection Impact Assessments (DPIAs) for AI use cases that qualify as high-risk processing, reinforcing long-standing GDPR obligations rather than introducing new ones. 
  • Continued reliance on modernized Standard Contractual Clauses (SCCs) for international data transfers, which became mandatory in earlier years but remained central to enforcement in 2025. 
  • More consistent fine-calculation methodologies across the EU, reflecting harmonization efforts adopted prior to 2025 and applied more uniformly in regulatory actions. 

Together, these developments made 2025 a year of heightened scrutiny and clearer expectations for AI governance under the GDPR. 

HIPAA 

In 2025, HIPAA compliance continued to evolve, although comprehensive updates to the Privacy Rule had not yet been finalized. 

Key areas under consideration include: 

  • Proposed enhancements to patient access rights, including shorter response timelines for access requests. 
  • Planned improvements to care coordination and case management, aimed at reducing administrative barriers to information sharing. 
  • Modernization of Notice of Privacy Practices (NPP) requirements, intended to improve transparency and patient understanding. 

While these changes remain proposed rather than enforceable as of late 2025, healthcare organizations should monitor HHS rulemaking closely and prepare for future implementation. 

PCI DSS v4.0  

While PCI DSS v4.0 was released in 2022, several key requirements became mandatory in March 2025 after a lengthy transition period. These are not minor tweaks. They represent a fundamental shift toward a more security-focused, continuous compliance model. 

Key changes include: 

  • Customized Implementation: The new standard allows organizations to meet security objectives through customized controls, but this requires robust risk analysis and documentation to demonstrate their effectiveness. 
  • Enhanced Authentication: Multi-factor authentication (MFA) requirements were expanded to cover all access to the cardholder data environment, not just administrator access. 
  • Continuous Monitoring: The focus shifted from annual, point-in-time assessments to continuous monitoring and validation of security controls throughout the year. 

ISO 27001:2022 

Similar to PCI DSS, the transition period for organizations to move from ISO 27001:2013 to ISO 27001:2022 ends in 2025. Since October 31, 2025, certifications issued under the 2013 standard are no longer valid. 

The updated standard introduces a streamlined control set and places greater emphasis on modern cybersecurity challenges. 

Key changes include: 

  • Updated Annex A Controls: The number of controls has been reduced from 114 to 93, consolidated into four themes. The themes are Organizational, People, Physical, and Technological. 
  • New Controls: Eleven new controls address emerging security needs, including threat intelligence, data leakage prevention, and cloud service security. 
  • Attribute Tagging: Controls can now be categorized by attributes, such as control type and security properties. This makes it easier to align an ISMS with other frameworks. 

These changes better reflect cloud-first environments, SaaS dependencies, and the growing importance of third-party and supply chain risk management. 

Additional Framework Developments in 2025 

In addition to major changes in GDPR, HIPAA, PCI DSS, and ISO 27001, 2025 saw notable developments across other frameworks: 

  • NIST Cybersecurity Framework 2.0 (CSF 2.0): Although released in 2024, adoption accelerated in 2025. Organizations increasingly aligned to the new “Govern” function and integrated cybersecurity governance into enterprise risk management. 
  • ISO 27701:2025: ISO published a revised version of ISO 27701 in 2025. The revision strengthened privacy governance requirements and clarified how a Privacy Information Management System (PIMS) can be implemented alongside ISO 27001 or implemented more independently. 
  • OMB Compliance Supplement 2025: Significant updates were introduced for Single Audit requirements and federal award internal controls, affecting organizations that receive federal funding. 
  • Cybersecurity Maturity Model Certification (CMMC): In 2025, the U.S. Department of Defense finalized the CMMC rule. The final rule launched a phased rollout that will require defense contractors to demonstrate specific cybersecurity maturity levels for handling Controlled Unclassified Information (CUI). 
  • FTC Safeguards Rule: Organizations continued adjusting to strengthened Safeguards Rule requirements that took effect in 2023 and 2024. In 2025, regulators issued additional guidance and enforcement activity increased. 
  • HITRUST Common Security Framework (CSF): HITRUST continued its transition to CSF v11, with 2025 serving as a key milestone year for organizations migrating away from earlier versions. 
  • Cloud Security Alliance’s Cloud Control Matrix (CCM): The CSA released updates to the CCM in 2025. The updates refined controls to address emerging cloud security risks and evolving regulatory expectations. 

What to Expect in 2026 and Beyond 

Looking ahead, compliance will continue evolving toward deeper integration with core business strategy. Several trends are expected to gain momentum: 

  • GDPR: Regulators are likely to focus more closely on AI governance and cross-regulatory alignment with the EU AI Act. This will increase complexity for AI-driven organizations. 
  • HIPAA: The continued growth of telehealth and connected health technologies may drive new guidance on securing PHI outside traditional healthcare environments. 
  • PCI DSS: The emphasis on continuous compliance under v4.0 will mature. Additional guidance is expected around customized implementations and ongoing validation. 
  • ISO 27001: As adoption of the 2022 standard increases, organizations may see greater emphasis on supply chain security, cloud-native environments, and integration with broader risk management programs. 
  • Accountability: Across regions, governments are increasing expectations around cyber resilience and executive accountability. In the UK, the proposed Cyber Resilience Bill signals a move toward stronger security obligations for digital products and services, complementing broader EU trends in AI and cybersecurity regulation. 

How to Prepare for Compliance Changes 

Navigating this complex landscape requires a structured, strategic approach. 

  • Conduct Regular Risk Assessments: Understanding your and your clients’ current compliance posture is foundational. Regular, automated assessments help identify gaps and prioritize remediation. 
  • Embrace Automation: Manual compliance management is no longer scalable. Centralized platforms can automate evidence collection, policy management, and reporting while improving consistency. 
  • Standardize Your Advisory Services: A repeatable compliance framework enables delivery of high-quality, CISO-level services efficiently, even with lean teams. 
  • Adopt a Continuous Compliance Mindset: Move beyond point-in-time audits by implementing tools that provide real-time visibility into controls and compliance status. 

Build a Scalable Compliance Practice 

Staying informed about compliance updates is only the first step. The real opportunity lies in translating regulatory complexity into scalable, profitable services. By leveraging automation and standardized frameworks, organizations can manage compliance for more clients with fewer resources. 

Platforms like Cynomi act as a CISO copilot, delivering built-in expertise and intelligent workflows that streamline cybersecurity and compliance management in order to increase recurring revenue and improve efficiency. By automating risk assessments, remediation planning, and reporting, teams can reduce manual effort, boost productivity, and deliver high-impact services that strengthen client resilience and retention. Learn more at www.cynomi.com.

Breaking the Cycle: How Context Switching Impacts vCISOs and What to Do About It

Dror Hevlin Publication date: 21 January, 2025

After more than two decades in tech and security, I recently joined Cynomi as the company CISO. Over this period of time, I’ve served as an in-house CISO, as a member of larger CISO communities, as an advisor and as a vCISO, across a number of industries.

One of the stark differences I’ve experienced between CISOs and vCISOs is the need to context switch. A vCISO or MSP/MSSP has to juggle clients, tasks and security roadmaps, not to mention running their internal business. But that juggling, professionally known as “context switching”, impacts productivity. I’ve even seen cases where it cost a provider their business sustainability and impacted future growth.

I’m not here to spread FUD, but rather to bring ideas and solutions. Below are tools, tips and technologies that I’ve used or seen others using effectively, meaning they have been proven to help overcome context switching for vCISOs. They drive efficiency, help provide better security and compliance services and create opportunities for scaling. Try them yourself and let me know if they helped you as well.


What is Context Switching? Brief Reminder

A context switch is when a computer’s operating system changes from executing one task to another. To do so, the computer saves the state of the current task and loads the new one, so that the CPU can execute it. While this is a key feature of modern operating systems, it also has a negative impact on system performance.

Similarly, when humans go through the mental process of shifting focus from one task, topic, or activity to another, performance suffers. We have to reorient our attention, recall details about the new task and re-engage with it. This can result in reduced productivity, more errors, and increased stress and fatigue.


Context Switch is Draining

When humans switch tasks:

  1. Our brains must drop the current task and pick up where we left off on the new one, creating a cognitive load.
  2. Some of our focus may remain tied to the previous task, slowing down performance on the new one.
  3. It takes time to re-familiarize ourselves with the new task or context.

According to Gloria Mark, Professor in the Department of Informatics at the University of California, Irvine, it can take 23 minutes to refocus after a task switch. If you’re juggling multiple priorities, this adds up, resulting in fewer deliverables within the same time frame.


The Challenge of Context Switching for vCISOs

The diverse, dynamic and technological nature of security and compliance responsibilities makes context switching particularly challenging for vCISOs. For each client, vCISOs have to deal with unique:

  • Tech stacks and product roadmaps
  • Security technologies, tools and frameworks
  • Risk tolerances
  • Security maturity levels
  • Threats and vulnerabilities
  • Compliance regulations (if you’re working in different industries)
  • Security plans
  • Stakeholders: IT, executives, auditors
  • Strategic business priorities
  • Culture

Plus, just like any external consultant, vCISOs work with multiple organizations, requiring the ability to hop between different clients, tasks and details.

This means that vCISOs need to be able to manage multiple concurrent security and compliance priorities: for example, incident response planning for one client, compliance reporting for another and strategic discussions with C-level executives for a third, all while adapting each to that organization’s risk appetite, business strategy, regulatory requirements, IT architecture and culture. They also need the ability to govern the use of multiple tools across different environments.

From a strategic point of view, vCISOs need to uphold each client’s security posture and planning. This includes knowing the details of existing gaps, creating and managing the plan to overcome them and overseeing the progress.

Just as importantly, vCISOs need to be able to adapt their communication style, tone and technical depth for each stakeholder in each company. This might mean interacting with dozens of people in a professional context on a weekly basis.

Finally, the cybersecurity field is evolving quickly, with new threats and vulnerabilities emerging daily. vCISOs need to be able to translate the impact of these risks to each client’s ecosystem, as well as the new tools and technologies evolving to address them.

While these are all complexities in-house CISOs face as well, their focus is on one company. This means one CEO, one risk assessment to address, one architecture, one business culture and one security posture to improve. They hold the complete company picture and are immersed in it. vCISOs, on the other hand, deal with multiple such perspectives, and sometimes only have a limited view into the inner workings of the company.


The Impact of Context Switching on Your Business

Context switching is not only an inconvenience. Rather, it has a significant twofold impact. First, there’s the security impact. Frequent context switching increases the likelihood of inconsistencies and errors, such as applying incorrect policies or overlooking specific client requirements. These can result in misconfigurations, delayed patching, unaddressed vulnerabilities and more. On a more strategic level, mental fatigue can reduce the ability to make the right security decisions that will bolster clients’ security posture.

But even more importantly, the business impact of context switching impedes your ability as a vCISO to maintain and grow your business. If clients perceive that your attention is divided and that communication is inconsistent, or they sense recurring errors, they may feel their security is not a priority. This can damage relationships and confidence in your ability to protect their organization. You could lose them as a client, as well as the referrals they bring recommending you to others.


Proven Tips for Overcoming Context Switch

Reducing context switching is crucial if you want to maintain productivity, ensure strong security outcomes and build your company. Here are some practical tips you can follow:

1. Prioritize Tasks Based on Risk and Impact

As a general rule, start with what brings value and impact. Evaluate tasks and incidents based on their security implications and urgency. You can use a risk register to help prioritize them and support your decision-making. Address high-risk tasks (e.g., active threats) before routine activities. Answer C-level queries before tactical questions. Create reports to show posture and ongoing progress before moving on to the next security pillar (unless it’s an active threat).

2. Batch Similar Activities

One of the challenges of mental shifting is refocusing on different types of tasks. Deep work like learning about a new compliance framework requires different cognitive skills than answering emails. Perform similar tasks in dedicated blocks of time to reduce mental shifts. For example, review all client security dashboards during a morning session, then focus on client communications in the afternoon.

3. Adopt Effective Communication Practices

Almost cracking a new client strategy and then being interrupted by an alert for a client meeting is the ultimate professional anti-climax. Go asynchronous. Encourage clients to provide updates or requests in writing, allowing you to respond during planned intervals. Meetings still matter, so schedule regular (e.g., weekly or bi-weekly) check-ins to address that need while reducing ad hoc meetings and interruptions.

4. Document Everything

Replicability and standardization reduce friction. Keep detailed playbooks and set processes for common scenarios like incident response, compliance audits, or vendor assessments, as well as detailed notes for each client. These can help streamline processes while also enabling you to share them with other team members, so they can perform them instead of you, reducing your cognitive load.

5. Delegate and Build Teams

Build small, specialized teams for each client to handle routine security tasks. Delegate operational tasks to team members or external vendors, allowing you to focus on strategic priorities.

6. Use a vCISO Platform

A vCISO platform is an automated platform that provides and generates everything required to provide vCISO services at scale. This includes risk and compliance assessments, security gap analysis, tailored policies, strategic remediation plans with prioritized tasks, tools for ongoing task management and risk management, security progress tracking and customer-facing reports.

As such, a vCISO platform acts as the central cybersecurity and compliance management hub and is the one source of truth for the vCISO, for each client individually and for all clients together.

Due to these capabilities, a vCISO platform allows vCISOs to easily create and manage multiple clients. They can track security and risk postures, monitor compliance with security frameworks, prioritize and manage tasks, allocate resources and generate reports that quickly show the value of their vCISO services, all from a single dashboard for all clients.

These capabilities take away most of the challenges of vCISO context switching:

  • Priorities and current security and compliance statuses for each client are clearly presented and managed. vCISOs are always updated on the latest mapping, gap, task status or progress, without the delay that accompanies retrieving the information.
  • This also makes it easy for vCISOs and teams to understand what to work on next. Rather than having to remind yourself about important gaps to address or what was the next task discussed with the client, the information is readily available.
  • Switching between clients also becomes easier. Comprehensive visibility into all clients from a single dashboard eliminates the need to switch between tools used to manage each client separately. 
  • A single dashboard of all clients and their current gaps and task management status makes it easy to prioritize clients and see which one to address next.
  • Communication with stakeholders is also simple and streamlined, since reports are easily generated and any question can be answered in just a few clicks.
  • Unlike a spreadsheet or emails, automations and standardizations eliminate the need to manually update client accounts or employees, alleviating one more task to (context) switch to.
  • Finally, a high quality of work is ensured through the security and compliance tasks the platform takes care of, like generating policies.

Plus, the vCISO platform provides additional advantages that help overcome some of the inherent challenges of context switching:

  • Anyone on the team can quickly use the platform, enabling easy delegation of tasks and the workload.
  • Automation and standardization of security and compliance tasks raise productivity and grow revenue.
  • Seeing the full picture of clients’ security gaps helps vCISOs upsell services that address those gaps, further growing their business.

Context switching drains productivity and focus, especially for vCISOs juggling multiple clients, frameworks and stakeholders. Follow these actionable strategies to relieve the toll on your performance and to grow your business. Learn more about how a vCISO platform can help you as well.