At CloudFest 2026, Cybersecurity & Compliance felt less like a specialist track and more like the operating condition for everything else. Security is no longer only about blocking threats, and compliance is no longer only about satisfying regulators. Together, they are becoming the architecture of trust: the reason platforms keep operating and providers keep selling.
Trust is now infrastructure
David Cattler, founder of Ironhelm Works, drew on his experience at NATO, inside the U.S. government, and now advising globally connected enterprises, for his keynote address Trust Is Now Infrastructure: Governing Cloud and AI Under Pressure: “Trust is becoming an infrastructure layer of its own. And it’s no longer optional.”
For Cloud, hosting, SaaS, and AI providers, trust is no longer assumed because a brand is known or a service has uptime. It is tested through data control, auditability, transparency, resilience, and explainability. Compliance therefore stops being a late-stage legal review and becomes a design constraint: can this system prove that it is governed, recoverable, and safe under stress?
That is why sovereignty popped up so often as a business theme, not just a political one. In Building Sovereign, Trusted Cloud: A Full-Stack Blueprint for Service Providers with Peter Groth, VP and GM at HPE, sovereignty was framed less as a burden and more as an opportunity for differentiated offerings. Customers, he said, want clarity about where their data lives and who controls the stack.
A recent Wired Italia piece makes the same point from an infrastructure angle: data centers are no longer just technical facilities, but part of the global contest over data, platforms, and digital value chains.
From reactive online security to exposure management
Another major learning was that reactive security is no longer fast enough. In Break the Reactive Cycle: How MSPs Help the Mid-Market Go Proactive, Suvi Silvanto, Director, Product Marketing at WithSecure, said: “Reactive approaches can’t keep up. Threats evolve faster than strategies.” The answer was a radical change in perspective: “Every company should put those attacker lenses on.”
That means looking at customer environments as the bad guys would: exposed services, weak identities, misconfigurations, exploitable paths, unmanaged assets, and the sequence that turns opportunity into impact. Be ruthless.
This connected nicely with The Race Against Time: Closing the Weaponization Gap with TotalCloud and the Risk Operations Center, by Ivan Milenkovic, VP of Cyber Risk Technology at Qualys. The old model assumed organizations could list and patch everything. But that breaks when exploitation accelerates across Cloud, AI, identities, APIs, SaaS, and third parties. The real lesson was that some vulnerabilities are much more dangerous than others: “the right 1% matters a lot.” Customers need a prioritization and action plan that reduces that existential risk.
The same shift was reinforced in the most recent MSP Community Intelligence Webinar: Spotlight on Security and Compliance. Dr. Brooke Edge of Open Eye and Zoë Rose of Canon EMEA showed the audience how all those CloudFest 2026 conversations are backed up by hard MSP-industry evidence: cybersecurity is now the second-highest business priority for MSPs, selected by 34% of respondents, while 41% reported increased client demand for security services and 29% said they are planning to expand Compliance-as-a-Service. The live polling made the point even sharper: 84% of participants said cybersecurity is their top priority, yet only 40% identified NIS2 as the biggest security challenge, suggesting that compliance pressure is broader than any single regulation. So we see that security and compliance are no longer optional add-ons or occasional upsells. They are becoming embedded expectations, commercial opportunities, and core parts of how MSPs define value. As Zoë put it, MSPs need to define what clients actually want from the client’s own perspective, then continuously measure and validate it.
The board does not want counts, it wants risk
The compliance conversation also became much more financial. In Stop Counting, Start Measuring: How to Calculate the Metrics That Matter to the Board, again with Milenkovic, the critique was that many cyber metrics describe activity instead of risk. “We patched 50,000 vulnerabilities” may sound impressive, but it does not answer the board’s real question: are we exposed to unacceptable loss?
The sharpest line was: “The only language of risk is money.” That does not make cybersecurity reductive. It means security leaders must connect technical exposure to business consequence: potential loss, value at risk, recovery cost, regulatory exposure, and whether risk is rising or falling. Compliance provides obligations. Cybersecurity provides controls. Risk management provides prioritization. Not more dashboards. Better decisions.
The everyday attack surface is getting serious
CloudFest 2026 made clear that ordinary parts of the internet remain among the most dangerous. Email, websites, certificates, CMS plugins, DNS, SaaS data, and customer portals are where trust is experienced every day, and where attackers still find scale.
In Check Point’s session on next-generation email security for Microsoft 365, the starting point was blunt: “Email is still the #1 attack vector.” Business email compromise is no longer just about malicious attachments. Modern attacks use pressure, tone, relationships, brand mimicry, and social context, so detection has to become more behavioral and automated.
Website security carried the same message. SiteLock’s session described quiet compromise, reinfection, malware-as-a-service, AI-assisted attacks, and CMS ecosystems where vulnerabilities scale quickly. “The Threat Is Growing. And It’s Getting Quieter.” captured the issue well: compromised websites can become infrastructure for attacking other people—turning your site into an extra in a zombie movie. Patchstack’s session on hacked websites pushed this further: many attacks are application-layer problems.
The DDoS session This Website Should Be Down—But It Isn’t with Paul Sultana, Technical Specialist for Sales Department at Wedos, made a related point: the belief that a business is “too small to be attacked” is no longer credible. Smaller targets are still targets, and Layer 7 attacks can be cheap and damaging.
Certificates, crypto, and the countdown to automation
Digital trust is also being reshaped by certificate lifetimes and quantum risk. In Racing Against the Clock on Digital Trust: Shorter Certificates, Bigger Quantum Risks, Peter Roybal, Director of Product Management at Sectigo, made the pressure concrete. Shorter TLS certificate lifespans mean more renewals, validation events, human error, and far less tolerance for spreadsheet-based certificate management. The phrase “47-day TLS means 12x more work” explains why manual processes do not scale.
But the larger issue is crypto agility. The warning around “harvest now, decrypt later” reframes post-quantum readiness as a present-day risk. Attackers can collect encrypted data today and wait for future capabilities to decrypt it. This connects with SaaS data protection and confidential computing: protecting data at rest and in transit is no longer enough. The next frontier is data in use, independent SaaS workload protection, and stronger isolation, recovery, and control.
Cybersecurity and compliance are becoming the product
What became clear at CloudFest 2026 is that cybersecurity and compliance are no longer support functions. They are becoming part of the product, the business model, and the customer promise. For service providers, this creates pressure, but also opportunity: managed services, premium tiers, sovereign cloud offerings, automated trust services, and board-level reporting.
The winners will not be the companies that make cybersecurity sound easy. The winners will be the companies that make it operational: designing for trust from the beginning; reducing exposure instead of counting alerts; speaking to boards in the language of risk; treating certificates, email, websites, SaaS data, and DDoS protection as core infrastructure; and building compliance into systems rather than attaching it later as evidence.
At CloudFest 2026, cybersecurity and compliance looked less like brakes and more like permission to keep moving… indeed, to speed up. In a world where trust is tested, systems are attacked, certificates expire faster, regulators ask harder questions, and customers expect proof, resilience is no longer a technical feature: it IS your offering!
Since it was impossible to see every important session at CloudFest (there was just so much going on), we’re putting many of the key talks and panels on our YouTube channel: we invite you to connect the dots yourself.