Security spending continues to edge upward across large organizations, though the changes remain gradual and tightly managed. The 2026 RH-ISAC CISO Benchmark reflects a steady environment where budgets expand in small steps, even as AI becomes a routine part of security operations.
Budget growth stays measured
Spending levels increased during 2025 across both IT and security. Average IT spend as a share of revenue rose to 3.9% from 3.2% the year before. Security spend followed a similar path, reaching 0.75% of revenue, up from 0.57%. Security’s share of the IT budget moved slightly to 5.8%.
Planning for 2026 continues along the same track. More than half of respondents expect their security budgets to increase, with most of those increases falling in the 1% to 10% range. A third expect budgets to hold steady, and a smaller group expects reductions.
Business conditions continue to influence these decisions. Company growth, routine annual adjustments, and ongoing digital transformation continue to support budget increases. At the same time, cost control efforts and broader economic pressure remain the main reasons budgets move downward.
Spending remains focused on core areas
Security budgets continue to concentrate on a few main categories. Staffing and compensation account for the largest share, followed closely by software delivered off-premises. Outsourcing and project work make up smaller portions, with hardware and training representing a limited share of overall spend.
Training allocations follow a similar trend, with conferences and events receiving the largest portion, followed by technical training courses. Learning platforms, certifications, and internal workshops make up the rest.
This distribution points to a steady investment in personnel and operational tooling, with limited expansion into new spending categories.
AI becomes a primary pressure point
AI stands out as the most frequently cited source of friction for security leaders. It ranks above supply chain risk, vulnerability management, and ransomware in day-to-day challenges.
That shift appears alongside a broader set of priorities for the coming year. Vulnerability management and zero trust architecture remain at the top of initiative lists. At the same time, AI is moving into planning discussions, appearing within broader initiative categories tied to operational improvement.
Organizations continue to balance these priorities with structural constraints. Tension between cybersecurity and IT priorities remains the most commonly cited challenge, followed closely by budget limitations. The speed of business of business requirements adds another layer of pressure on security programs.
AI use expands across security functions
Security teams are already applying AI across several operational areas. Threat detection and analysis represent the most common use, followed by reporting and incident response automation. Smaller portions of teams use AI for fraud detection and vulnerability management.
Governance structures are taking shape alongside these deployments. Most organizations report having implemented or partially implemented AI policies, with only a small minority indicating no policy in place.
Concerns tied to AI remain consistent across organizations. Data leakage through public tools leads the list, followed by insider misuse and gaps in governance. Questions around output accuracy and model integrity also appear across responses.
Investment shifts without major budget expansion
AI-related initiatives are drawing increased investment attention, with most organizations expecting either moderate or significant increases in this area. Even so, these changes do not always translate into larger overall budgets.
A large share of organizations report no meaningful impact on total security spending. Others indicate that AI initiatives are funded through reallocating existing resources. Only a smaller group expects overall security budgets to increase as a direct result of AI efforts.
This keeps overall spending growth aligned with earlier trends, even as new priorities emerge.
Staffing growth remains gradual
Hiring plans follow the same incremental approach seen in budgets. About a third of organizations plan to expand full-time cybersecurity staff in 2026, with most describing those increases as gradual. At the same time, some expect reductions in contractor roles.
The broader role of the CISO continues to expand across areas such as risk management, compliance, and coordination with business units. These responsibilities add complexity without a corresponding surge in staffing.
Security programs continue to evolve through steady adjustments in funding, staffing, and priorities. AI introduces new demands across operations, though organizations continue to manage those demands within budgets that change slowly from one year to the next.
