Where Is Cyber Security Heading? Key Takeaways From The 2026 Global Corporate Survey

In an era defined by AI, cyber security has become the least forgiving domain for CISOs and technical risk leads. Converging pressures from strict data security regulations, more sophisticated threat vectors and diminishing cybersecurity skills are stretching the CISO mandate thin, prompting firms to re-evaluate their cybersecurity priorities, pressures and preparedness. To better understand these pressures, Verdantix surveyed 102 senior cybersecurity and IT risk leaders across 25 countries and 10 industries for its first CISO global corporate survey. Our findings show that:

• Cyber security is no longer an IT issue – it’s an organizational issue.

  As threats increasingly target core business operations, the CISO role has expanded into one of enterprise-wide operational resilience. Deepfakes, phishing and malicious links are no longer confined to email inboxes – they're surfacing across business tools and platforms in finance, HR and operations alike. Firms can no longer manager cyber risk separately from enterprise risk. Adding to this complexity is the skills gap: organizations are limiting cyber hiring budgets and the speed of new attacks is outpacing human training cycles. In response, budgets in 2026 are tilting heavily towards technology investment to automate the threat monitoring human teams can no longer keep pace with.

• Data loss and breaches remain the most material threats for CISOs.

  Two forces emerged as key drivers of data loss and breaches: expanding third-party networks and increasingly autonomous AI-driven attacks. Low visibility into vendor data security practices is making supply chains a significant vulnerability, while increasingly sophisticated AI is accelerating the problem. Autonomous attack methods are bypassing traditional defences faster than most security teams can adapt, prompting firms to develop AI capabilities. Anthropic’s Claude Mythos Preview, for example, is designed specifically to detect threats and vulnerabilities. CISOs now find themselves in the unknown territory of deploying AI to fight AI, and protecting data has become the most challenging objective.

• Board involvement matters – but so does knowing when to step back.
  More than half of survey respondents adopt a balanced approach to board involvement, as boards engage actively in risk discussions and incidents, but do not lead strategy. That balance matters: firms reported feeling less confident in their ability to manage a major cyber incident without external escalation when boards became too involved and took over strategy. While this might seem counterintuitive, it points to an important distinction – board oversight improves preparedness, but board interference can undermine it. The line between the two is thinner than most organizations realize.

For a deeper dive into how CISO priorities are shifting, what their key challenges are and where investment is heading in 2026, read the full report: Global Corporate Survey 2026: CISO Priorities, Pressures And Preparedness.