The 2026 European awards cement Steve Durbin and the ISF at the forefront of cybersecurity

Honours from The European spanning leadership, innovation, governance and education have reinforced Steve Durbin’s reputation as one of cybersecurity’s foremost figures and highlighted the Information Security Forum’s global influence

The Information Security Forum and its chief executive, Steve Durbin, have received a series of major honours from The European recognising leadership, innovation, governance and education in cybersecurity, further cementing both the organisation’s standing and Durbin’s own reputation as among the most respected voices in the field.

The awards include The European’s Cybersecurity Education & Workforce Development Award and Global Cybersecurity Leadership & Innovation Award 2026 for the ISF, alongside the CEO Global Impact Award for Advancing Cyber Governance and a Lifetime Achievement in Cybersecurity Advocacy award for Durbin. Together, they reflect the scale of the ISF’s influence and the extent to which Durbin’s work has helped shape thinking around cyber risk, resilience and leadership at the highest level.

The recognition comes at a time when cybersecurity carries growing weight in business, government and public life, as organisations contend with a more demanding threat environment shaped by AI, supply-chain exposure, regulatory pressure, hostile state activity and increasing dependence on digital infrastructure. For boards and senior leaders, cyber risk now brings operational, financial and reputational consequences that sit close to the heart of strategic decision-making.

Speaking to John E. Kaye, Durbin reflects on the significance of the awards, the areas in which he believes innovation is most urgently needed, and the governance, communication and workforce challenges that still demand greater attention across the sector.

What does winning the Global Cybersecurity Leadership & Innovation Award 2026 say about the ISF’s role in shaping global cybersecurity strategy, and where do you see the greatest need for innovation over the next 12 months?

Recognition like this belongs to the entire ISF team and our member community because this work is very much a collective endeavour. What I think it does signal is that the world is increasingly looking to organisations like ours to help make sense of a threat landscape that is more complex and more consequential than it has ever been. Cybersecurity is very much a boardroom, government and geopolitical issue, and increasingly a societal one.

Where is innovation most urgently needed over the next twelve months? I keep coming back to the intersection of AI and trust. Not the hype, but the hard work of deploying AI responsibly, governing it effectively, and ensuring it doesn’t become the very vulnerability we were trying to defend against. We also need to see genuine innovation in how organisations measure and communicate cyber risk to the board. Too many executives are still flying blind, relying on technical metrics that mean nothing to a business leader trying to make an informed decision.

The cybersecurity skills gap is a global challenge. How is the ISF helping organisations build the workforce they need? What progress have you seen in shifting mindsets around cyber education?

The skills gap is real, it is persistent, and I want to be honest, it will not be solved by training alone. We have spent too long framing this as a pipeline problem, as though we simply need to push more people through a technical curriculum. What we actually need is a much broader rethinking of who belongs in cybersecurity, what skills matter, and how organisations create environments where those people want to stay.

What gives me genuine optimism is the shift away from the idea that cyber belongs to a narrow technical elite, towards recognising that human factors, communication, judgement, culture, matter at least as much as technical competency. Most breaches, after all, are not the result of inadequate controls. They are the result of human behaviour. Addressing that requires educators, business leaders, and the security community to continue to work much more closely together. The ISF’s role is to facilitate that, to help members learn from each other, build practical capability, and take what works back into their organisations.

Your work has been recognised for advancing cyber governance worldwide. What impact are you most proud of, and which areas of governance — in your view — still require urgent strengthening?

I will be candid: the impact I care most about is not the frameworks we have produced, but whether those frameworks have actually changed behaviour inside organisations. When a CISO tells me ISF products and services helped them to have a different conversation with their board, one that resulted in genuine investment and meaningful change, that is what matters to me.

Shifting the governance conversation from compliance checkbox to genuine risk management is slow work, but I believe we have moved the needle.

That said, I remain deeply concerned about the gulf between governance in policy and governance in practice. We have regulations, frameworks and board-level acknowledgement that cyber is a strategic risk. What we do not yet have, in nearly enough organisations, is a board that is truly equipped to challenge and oversee the cybersecurity function the way they would a financial audit. Closing that gap and bringing the same rigour to supply chain governance remains important. The weakest link is rarely inside the organisation’s own perimeter.

A lifetime achievement award often implies a closing chapter — what drives you forward and are there specific areas of cybersecurity advocacy that feel unfinished to you?

I appreciate the sentiment, but I would gently push back on the framing. The day I feel this work is finished is the day I should probably step back. And we are nowhere near that day.

What drives me forward is a combination of urgency and, I have to say, genuine curiosity. Two things feel genuinely unfinished to me. The first is communicating risk in a way that empowers leaders rather than overwhelming them — we have not yet cracked that. The second is the convergence of geopolitics and cyber. We are in a world where cyber capability is a tool of statecraft, where critical infrastructure is a legitimate target, and where the line between crime and conflict has blurred almost beyond recognition.

Helping organisations understand what that means for them practically, not theoretically, will keep all of us occupied for some time to come.

These awards span leadership, innovation, governance and education. Taken together, what do they reveal about the ISF’s direction of travel and the challenges members are being prepared for?

Leadership, innovation, governance, education – those four themes collectively depict an organisation that is trying to help its members navigate a world in which cybersecurity has become inseparable from business strategy. That is a fundamentally different proposition from where the ISF started, and I think it reflects how the challenge has evolved.

The direction of travel is towards integration. Security that is embedded in decision-making at every level of an organisation, not bolted on as an afterthought. Governance that is genuinely functional rather than performative. A workforce that is diverse, curious, and continuously learning. Leaders who understand both the risk and the opportunity. These are not abstract ideals, they are the practical requirements for any organisation that wants to remain resilient in the years ahead. The awards are, in a sense, a recognition that these conversations are now happening more seriously and more widely than they were even five years ago.

Geopolitical tension, AI disruption, and the risks to infrastructure have created a challenging environment for businesses. What should they prioritise to stay resilient in the face of emerging cyber threats?

I always come back to a few foundational principles, because in my experience, organisations that struggle in a crisis are rarely those that lacked sophisticated technology. They are the ones that neglected the basics.

First: assume something will go wrong. The day is gone when you can rely on your defences holding. Boards need to be planning for the moment those defences fail and that starts with a very simple question: how long can this organisation operate without its critical systems? The answer to that question should drive your resilience strategy more than almost anything else.

Second: do not treat compliance as a proxy for security. I have said many times that good compliance does not equal good security, but good security almost always equals good compliance. Organisations that chase regulatory requirements tend to find themselves perpetually behind. Those that build security maturity find that compliance largely takes care of itself.

Third: take supply chain risk seriously. We have seen, time and again, that the most damaging incidents are those that arrive through a trusted third party. Your suppliers’ vulnerabilities are your vulnerabilities. This is not a theoretical risk, it is a present and recurring reality.

And finally: invest in your people. Technology is important, but the human dimension of security, culture, awareness, judgement, is where the real leverage is. No amount of tooling will protect an organisation whose people are unprepared for the threats they face.



