CISO Report 2026: AI, the Main Security Challenge

The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) and IANS have released the CISO Benchmark 2026 report, which highlights a structural shift in cybersecurity leaders’ priorities. The study, based on insights from over 200 Chief Information Security Officers (CISOs), indicates that artificial intelligence (AI) has become the primary source of pressure, surpassing traditional threats like ransomware and phishing for the first time. This shift comes while budgets are growing only incrementally.

Artificial intelligence is identified by 71% of respondents as a major concern, generating risks related to data leaks, improper use by employees, and governance deficiencies. Although AI is increasingly integrated into operations for threat detection and reporting, security leaders emphasize that it amplifies the complexity of the existing risk landscape without replacing old threats. Regarding financial resources, security budgets saw a modest increase in 2025, from 0.57% to 0.75% of revenue, while total IT spending rose from 3.2% to 3.9%. For 2026, 54% of CISOs expect budget increases, but nearly 90% anticipate that specific investments in AI security will be funded through the reallocation of existing funds.

In terms of human resources, security teams will remain largely stable in 2026, with organizations prioritizing efficiency through the use of AI instead of staff expansion. Only 35% of leaders plan to increase the number of full-time employees, while external contractor roles could be reduced, especially in large companies. At the same time, the CISO role continues to evolve, with 70% of CISOs taking on new responsibilities in AI governance, product security, and business risk management. However, the execution of initiatives remains hindered by structural barriers, such as competing IT priorities and budget constraints.

Frequently Asked Questions

What is the main challenge for CISOs in 2026?

Artificial intelligence has become the primary source of pressure for security leaders, surpassing traditional threats like ransomware and phishing for the first time.

How will new AI security initiatives be funded?

Nearly 90% of CISOs anticipate that specific investments in AI security will be covered by reallocating funds from existing budgets, rather than through massive additional funding.

Will cybersecurity teams expand in the coming year?

Not significantly. Organizations are prioritizing efficiency through the use of AI instead of staff expansion, with only 35% of leaders planning to increase the number of full-time employees.