CISOs stretch AI spending within flat budgets
Security leaders are adding AI to their operational toolkits without getting meaningful budget increases to support the shift. The 2026 RH-ISAC CISO Benchmark shows organizations investing more in AI initiatives while keeping overall security spending growth to roughly 1% to 10% annually.
This creates a practical problem for operations teams: AI demands are rising, but the money to fund them isn't.
Budget growth remains incremental
Security spending reached 0.75% of revenue in 2025, up from 0.57% the year before. IT budgets grew to 3.9% of revenue from 3.2%. More than half of organizations expect their security budgets to increase in 2026, but most increases fall in that narrow 1% to 10% range.
A third of organizations expect budgets to stay flat. Company growth and annual adjustments drive the increases. Cost control and economic pressure drive the cuts.
Staffing grows slowly despite expanding roles
About a third of organizations plan to hire more full-time cybersecurity staff in 2026, and those increases are gradual. Some expect to reduce contractor roles instead.
Meanwhile, CISOs are taking on more work. Risk management, compliance, and business unit coordination are expanding their responsibilities without corresponding staff additions.
Money stays concentrated on core operations
Staffing and compensation consume the largest share of security budgets. Software delivered off-premises comes second. Hardware, training, and outsourced work make up smaller portions.
This distribution hasn't shifted much. Organizations continue betting on personnel and operational tools rather than experimenting with new spending categories.
AI becomes the primary friction point
AI ranks above ransomware, supply chain risk, and vulnerability management as the top day-to-day challenge for security leaders. It's appearing in planning discussions tied to operational improvement, but funding isn't following.
Most organizations expect moderate or significant increases in AI-related spending. Yet a large share report no meaningful impact on total security budgets. Others are funding AI initiatives by reallocating existing resources.
Teams are already using AI operationally
Threat detection and analysis represent the most common AI applications. Reporting and incident response automation follow. Smaller teams use AI for fraud detection and vulnerability management.
Most organizations have implemented or partially implemented AI policies. Data leakage through public tools tops the list of concerns, followed by insider misuse and governance gaps.
The constraint for operations teams
Tension between cybersecurity and IT priorities remains the most commonly cited challenge, followed closely by budget limitations. The speed of business requirements adds another layer of pressure.
For operations professionals, this means managing AI deployments within tight financial constraints. An AI learning path for operations managers can help teams understand how to integrate AI tools without proportional budget increases. Understanding AI agents and automation becomes essential for finding efficiency gains within existing budgets.
Security programs continue evolving through steady adjustments in funding and staffing. AI introduces new operational demands, but organizations are managing those demands within budgets that change slowly year to year.
Your membership also unlocks:
