CISOs Grapple with AI Demands Within Flat Budgets

Help Net Security, Apr 6, 2026

Why It Matters

These trends force CISOs to juggle AI‑driven demands against tight fiscal constraints, shaping the strategic direction of cybersecurity programs.

Key Takeaways

  • Security spend hits 0.75% of revenue, up from 0.57%.
  • AI cited as top operational friction for CISOs.
  • Budgets grow 1‑10% for most, half expect increase.
  • Staffing and SaaS remain largest budget categories.
  • AI initiatives funded by reallocating existing resources.

Pulse Analysis

The 2026 RH‑ISAC CISO Benchmark shows that large enterprises are still nudging security spend upward, but only at a measured pace. Average IT investment now represents 3.9% of revenue, while dedicated security budgets have risen to 0.75% from 0.57% a year earlier. More than half of respondents anticipate a 1‑10% increase in 2026, with a third expecting flat spending. This cautious expansion reflects lingering cost‑control pressures and a broader economic backdrop that discourages aggressive capital outlays, even as digital transformation continues.

Artificial intelligence has emerged as the most frequently reported pain point for security leaders, eclipsing traditional concerns such as supply‑chain risk and ransomware. Teams are deploying AI for threat detection, incident‑response automation, and reporting, while nascent use cases appear in fraud detection and vulnerability management. Yet governance gaps, data leakage from public models, and doubts over output accuracy persist, prompting many organizations to draft or partially implement AI policies. Investment in AI‑related projects is growing, but most firms are financing these efforts by reshuffling existing budgets rather than expanding overall spend.

Staffing trends mirror the budget story: hiring remains incremental, with roughly one‑third of firms planning modest headcount gains and some trimming contractor roles. The CISO role continues to broaden, encompassing risk, compliance, and cross‑business coordination, adding complexity without a proportional surge in personnel. As AI tools become embedded in daily operations, CISOs must balance the promise of automation against limited fiscal flexibility. The prevailing outlook suggests a steady, if unspectacular, evolution of cybersecurity programs, where strategic reallocation and disciplined governance will dictate success more than raw spending increases.
