2026 Cybersecurity & Technology Risk Survey: The CISO’s evolving role

How security leaders are navigating AI-driven threats, cyber resilience, identity risk, and the pressure to enable innovation safely. 

Enable innovation while managing AI-driven cyber threats

The CISO role is being redefined in real time. As digital platforms, AI, and third-party ecosystems accelerate the pace of change, security leaders are increasingly expected to enable speed while carrying accountability for enterprise-level risk.

Based on a survey of 310 security leaders at US organizations with $1B+ in revenue, this year’s findings highlight a clear tension: Leaders want to move faster with emerging technology—especially generative AI—while also facing rising attacks, growing complexity, and persistent gaps in foundational controls. In fact, 74 percent of leaders report a slight increase in cyberattacks and another 9 percent report a significant increase.

What CISOs will learn from the report

How leaders are defending against AI-driven cyber threats while adopting AI for detection and response

Why IT complexity and fragmented security tools keep many organizations reactive

How leaders are reframing cybersecurity ROI for boards and executive leaders

How cybersecurity talent shortages and the rise of nonhuman identities are reshaping priorities

Practical actions CISOs can take to strengthen cyber resilience while enabling innovation

Get the full CISO report

See how security leaders are responding to rising cyberattacks, AI-driven threats, fragmented security architectures, identity risk, talent constraints, and the pressure to prove resilience to the board.

Many companies still perceive the CISO as a business blocker. When CISOs aren’t seen as collaborative partners who enable innovation safely, they risk losing their seat at the table, literally and figuratively. Projects move forward without them—in the shadows, and the organization becomes less secure, the exact opposite of the CISO’s mission.

Michael Isensee

Partner, US Leader, Cybersecurity & Technology Risk, KPMG LLP

Six signals shaping cyber risk in 2026

The survey highlights several signals that show where cyber risk, AI adoption, talent pressure, and resilience planning are converging for security leaders.

What the 2026 cyber risk findings mean for CISOs

The findings point to a widening execution gap for security leaders. Cyberattacks are rising, AI adoption is accelerating, and many organizations are still working through the operating model changes needed to prove resilience at scale. For CISOs, the issue is not simply whether the organization is investing in cybersecurity. It is whether those investments are improving detection, response, governance, identity security, and business confidence.

Key findings include:

  • 83% of organizations reported an increase in cyberattacks over the past 12 months, with phishing, denial-of-service, and ransomware among the most common attack types.
  • Only 24% have fully integrated AI into cybersecurity, even as AI-powered attacks are expected to become a leading threat.
  • 55% are leveraging managed services providers for cyber threat intelligence, reflecting the need to scale expertise and monitoring.
  • Nearly 70% dedicate more than 11% of their cybersecurity budget to AI-related initiatives.
  • 74% anticipate cybersecurity team headcount growth of more than 11%.
  • Only 27% are actively implementing post-quantum cryptography solutions.

How CISOs are managing AI-driven cyber threats and defensive AI

Security leaders are facing a defining contradiction: AI is accelerating the threat landscape while also becoming a core defense capability. This creates a new mandate for CISOs—to govern adoption tightly enough to maintain trust without slowing the business.

Many organizations are moving beyond AI experimentation, but “full integration” remains limited. The most persistent barrier is trust: confidence that AI outputs are accurate, reliable, and explainable. The opportunity is to focus less on abstract potential and more on pragmatic, high-value use cases—especially those that reduce complexity in the IT environment. Adoption remains uneven: Only 24 percent of organizations say AI is fully integrated into their cybersecurity programs, while 53 percent report partial implementation in specific areas.

The survey also shows which emerging technologies security leaders view as having the greatest threat impact: GenAI/agentic AI, IoT, cloud computing, operational technology, and quantum computing.

A key practical application for AI in security is not just threat detection but identifying and reducing complexity within the IT environment itself—because complexity is the enemy of security.

Matthew P. Miller

Principal, Cybersecurity & Technology Risk, KPMG LLP

How unified security architecture helps CISOs move from reactive to predictive cyber defense

Even with rising cybersecurity investment, many organizations remain stuck in a reactive posture—buying more tools without achieving clarity. Our findings point to two structural blockers that consistently hold programs back: IT complexity and fragmented security systems.

The path forward is less about adding point solutions and more about simplifying and connecting what already exists. Unifying telemetry, inventories, and workflows can help create a clearer enterprise view of risk—enabling faster detection, more consistent controls, and better use of automation and AI.

Security leaders expect AI to improve fraud protection, predictive threat analytics, threat detection and response, and anomaly identification.

Strong cyber MSPs go beyond merely gathering information and developing baselines. They automate at scale with advanced technology to thoroughly assess the environment, determine the appropriate rules to apply, and investigate anomalies.

Chris Crevits

Principal, Cyber Managed Services, KPMG LLP

How CISOs can prove cyber resilience and cybersecurity ROI to the board

CISOs can no longer rely on technical expertise alone. They’re increasingly expected to connect cybersecurity to business outcomes—productivity, customer trust, IP protection, revenue, and operational continuity.

Despite rising investment, 42 percent of leaders say they struggle to clearly demonstrate the return on cybersecurity investments to executive leadership and boards. Moving the conversation from “activities” to “outcomes” is a critical shift—especially for boards that need a clear risk narrative tied to enterprise priorities.

The strongest programs are converging on a common language for risk and resilience, paired with focused metrics that communicate progress over time—not point-in-time snapshots.

Security leaders are using incident volume, vulnerability remediation rate, and mean time to detect as core measures of cybersecurity program effectiveness.

How cybersecurity talent gaps and nonhuman identities are reshaping cyber risk

People remain central to cybersecurity performance—both as defenders and as sources of vulnerability. Organizations continue to cite two persistent challenges: a shortage of qualified cybersecurity professionals and insider risk/employee awareness gaps.

To keep pace, leaders are combining multiple levers:

  • Targeted headcount growth
  • Automation and AI to reduce manual workload
  • External support models to expand capability and scale

At the same time, the definition of “identity” is changing. Nonhuman identities—service accounts, API keys, tokens, machine credentials, and autonomous agents—now represent a massive and fast-growing attack surface. Unlike humans, these identities often lack consistent lifecycle governance, ownership, and monitoring, making them attractive targets.

To close persistent skills gaps and manage expanding attack surfaces—particularly around nonhuman identities—organizations are increasingly adopting hybrid operating models. These models combine internal teams with managed security services to extend coverage, improve consistency, and support advanced capabilities such as continuous monitoring, identity governance, and automated response.

We’ve got an entire universe of machine-based identities that doesn’t follow controlled provisioning processes as humans do. And it’s growing exponentially with the adoption of generative AI, making it harder to track, manage, and trust.

Mick McGarry

Principal, GRC Technology, KPMG LLP

Practical steps CISOs can take to strengthen cyber resilience

The old paradigms of cybersecurity are no longer sufficient. The modern CISO is being asked to protect an expanding digital frontier while enabling the business to move quickly and confidently.

The takeaway from this year’s survey is clear: advanced technology can’t compensate for weak fundamentals. Resilience depends on getting the basics right—data protection, identity governance, and disciplined operating processes—while building the architectural foundations to scale automation and AI safely.

Action steps CISOs can take now:

  • Establish a formal AI security and governance program with clear guardrails and “human-in-the-loop” controls for critical decisions
  • Strengthen foundational controls for data protection, privacy, and identity governance
  • Unify security data and architecture to reduce tool sprawl and improve signal-to-decision speed
  • Govern nonhuman identities with provisioning, monitoring, and lifecycle controls
  • Plan for scale—today and tomorrow: Build multi‑year roadmaps that address emerging threats such as quantum computing, while also evaluating managed services to accelerate modernization, reduce operational burden, and sustain resilience at scale.

Download the 2026 Cybersecurity & Technology Risk Survey

Explore the data behind how security leaders are managing AI-driven threats, rising cyberattacks, identity risk, talent constraints, managed services adoption, and the pressure to prove cyber resilience.

Questions CISOs are asking about AI, cyber resilience, and technology risk

What is the 2026 Cybersecurity and Technology Risk Survey?

The 2026 Cybersecurity and Technology Risk Survey is KPMG research based on a survey of 310 security leaders at U.S. organizations with $1B+ in revenue, focused on cyber risk preparedness, emerging threats, business impact, cybersecurity challenges, mitigation strategies, budget priorities, and partner ecosystems.

What are the top cybersecurity threats for CISOs in 2026?

Security leaders expect AI-powered attacks to become the top cyber threat over the next two to three years, followed by sophisticated phishing, malware, and social engineering.

How are CISOs using AI in cybersecurity?

Only 24 percent of organizations say AI is fully integrated into cybersecurity, while 53 percent report partial integration. AI is expected to improve fraud prevention, predictive threat analytics, anomaly identification, and threat detection.

Why is cyber resilience important for boards?

Boards increasingly expect CISOs to connect cybersecurity to business outcomes such as productivity, customer trust, revenue, operational continuity, and measurable risk reduction.

Why do nonhuman identities matter in cybersecurity?

Nonhuman identities such as service accounts, API keys, tokens, machine credentials, and autonomous agents can create unmanaged access pathways if they lack provisioning, monitoring, ownership, and lifecycle controls.
