Thank you to everyone who participated in this year’s survey on the key security themes and leadership dynamics shaping 2026. As in years past, we were impressed by both the depth of engagement and the candor of responses. This year’s data reflects a security function that continues to professionalize, even as the threat landscape accelerates and expectations of security leadership expand.
What Changed and What Stayed the Same
Compared to last year’s survey, several shifts stand out. Preparedness for AI and generative AI risk continues to improve, but concern has increasingly shifted toward adversarial use of AI rather than internal experimentation. Optimism in the CISO role remains strong, reinforcing last year’s rebound in sentiment, even as scope and accountability continue to grow. Security budgets are still trending upward, though with greater discipline and fewer expectations of outsized increases. Compensation is also settling into a steady range, with more limited volatility on a year-to-year basis.
At the same time, much remains consistent. Board-level engagement is now firmly established as a core part of the role, across F500, public, and private companies. Talent remains the most critical constraint, despite continued investment in automation. Recruiting priorities continue to cluster around foundational capabilities such as data security, identity, and incident response.
Below, we outline the key themes that emerged from the 2026 results.
Theme One: AI Risk, Adoption, and the Growing Gap Between Defense and Offense
AI remains the most visible and consequential topic in this year’s survey. Most respondents (~81%) now describe their organizations as “somewhat prepared” or “prepared” for the security and regulatory risks posed by AI and generative AI, and the share indicating they feel very prepared has more than doubled (11% compared to 5% last year). Only a small minority of less than 3% reports being unprepared, suggesting that awareness has translated into action for most organizations.
How AI is being used within security programs, however, remains pragmatic. Respondents most commonly cited productivity improvements, automation of existing workflows, and incremental enhancements delivered through AI-enabled features in current tools. Use cases such as code scanning, workflow automation, and data enrichment are common, while large-scale, standalone AI security initiatives remain relatively rare.
Where sentiment has shifted most meaningfully is in how respondents describe external risk. AI-driven attacks, agentic AI, misuse of AI tools, and the increasing speed, volume, and scale of adversarial activity were frequently cited as the industry’s biggest threats. Together, these responses point to a growing gap between the pace of offensive AI adoption and the maturity of defensive capabilities.
Recruiter’s Perspective: The AI conversation has moved from theory to execution. Security leaders are increasingly expected to articulate not only how AI is being used internally, but how their organizations are preparing for AI-enabled attacks. The most effective leaders are embedding AI into detection, response, and governance workflows rather than treating it as a standalone initiative. The most effective companies are following the CISO’s advice in these initiatives.
Theme Two: Optimism in the CISO Role, Alongside Expanding Scope and Accountability
Sentiment around the future of cybersecurity leadership remains overwhelmingly positive. A clear majority of respondents identify as very optimistic about the future of the role, with only a small minority expressing pessimism. This continues the positive momentum observed in 2025, when pessimism declined meaningfully year over year.

This optimism exists alongside the continued expansion of the CISO role’s scope. Quarterly board reporting is now the dominant cadence, with some respondents engaging even more frequently. Direct board interaction has become table stakes for the role, reinforcing the CISO’s position as a business leader rather than a purely technical operator.
The expansion of remit is equally clear. Respondents most often identified IT, data, and privacy or trust functions as natural extensions of the CISO’s responsibilities, with product, engineering, and AI also appearing regularly. In practice, many leaders now operate across multiple domains, reflecting the increasingly cross-functional nature of security leadership.

Recruiter’s Perspective: Compared to prior years, CISOs are universally more eager to step into broader mandates, provided expectations and protections are clearly defined. In many cases, this is a natural progression of the AI movement and the broader implications across functions. Additionally, conversations around indemnification and D&O insurance remain common, but they are increasingly viewed as standard components of senior security roles rather than exceptional requirements.
Theme Three: Investment Trends Reflect Growth, With Greater Discipline
Most respondents expect security budgets to increase in 2026, with the largest groups anticipating growth of over 10%. Single-digit increases are also common, while a smaller subset (~14%) foresees declining budgets. Only a small percentage expect dramatic expansion.

Where the investment is directed provides additional context. On the people side, security talent and team expansion remain the top priority, followed by training and selective use of managed or outsourced services. On the technology side, AI and automation platforms lead, with cloud security, data security, and core security tooling close behind.

Together, these priorities suggest that leaders are balancing continued investment with sharper focus, using automation and services to extend the impact of teams rather than replace them.
Theme Four: Recruiting Priorities Continue to Center on Core Risk Areas
Recruiting priorities in 2026 remain concentrated around a small set of foundational capabilities. Data security and security operations are cited most frequently, followed by identity and access management, security engineering and architecture, and application or product security.
While these priorities mirror those seen in 2025, the connection to AI-related risk is more explicit this year. Identity, data protection, and operational resilience are increasingly viewed as prerequisites for defending against AI-enabled threats, rather than as separate or secondary concerns.

Recruiter’s Perspective: The most in-demand roles remain those closest to business risk, which aligns exactly with the evolution of the CISO’s role in the C-suite. We are seeing sustained demand for leaders and senior talent who can own data security programs end-to-end, scale security operations without linear headcount growth, and modernize identity and access controls across increasingly complex environments.
Notably, many organizations are prioritizing candidates with strong engineering foundations who can translate strategy into durable systems, rather than specialists focused on a single tool or domain. This reflects a broader shift away from point solutions and toward building security capabilities that can adapt as AI-driven threats continue to evolve.
Theme Five: Compensation, Reporting Lines, and Work Models Continue to Normalize
Compensation trends in 2026 continue the prior year’s pattern. Most respondents report incremental increases over the past two years, with twice as many executives sharing they saw an increase of 10%-15% in 2026 and fewer (less than ⅓ compared to responses in 2025) experiencing flat or declining compensation. Expectations for the next three years remain largely positive, with a bias toward increases in line with broader economic and industry trends.

Reporting structures remain varied but stable. CEOs and CIOs continue to be the most common reporting lines, with direct-line CEO reporting increasing by 10% over last year. CTO and CPO (Product) reporting structures also increased, a sign of alignment with technical functions resulting from AI initiatives.

Recruiter’s Perspective: Compensation and reporting structures are becoming more standardized as boards gain comfort evaluating security leadership alongside other executive roles. While variability remains, particularly by company stage and sector, expectations are gradually aligning. It has been encouraging to see the trend of direct reporting to the CEO continue to grow over the years of this survey.
Looking Ahead
Viewed alongside our 2025 results, the 2026 survey reinforces a picture of steady maturation. AI risk is becoming more tangible, the CISO role is more clearly defined, and investment decisions are increasingly intentional. At the same time, the fundamentals – talent, identity, data protection, and operational excellence – remain unchanged as the core pillars of effective security leadership.
We appreciate the time and insight shared by this year’s participants and look forward to continuing the conversation as these themes evolve.