Expertise could also be altering quickly however one factor stays fixed: It’s not a simple time to be a CSO. The position continues to evolve with security leaders taking over much more duties, and 76% reporting that understanding which security options greatest match their firm has grown extra advanced, in accordance with CSO’s 2025 Safety Priorities Examine.
Additional, 57% of respondents report their group has struggled to seek out the foundation reason behind security incidents they skilled prior to now yr.
Lately, security leaders discover themselves tasked with a spread of high-level duties, together with cyber technique and coverage growth, threat administration, and managing the dangers of AI-enabled know-how. Furthermore, 67% of security leaders say their duties require them to deal with security points outdoors their nation or area.
Holding them again are perennial issues: worker consciousness coaching; lack of price range; retaining certified staff; course of complexity; and, more and more, the flexibility to deal with the dangers introduced by disruptive applied sciences comparable to AI.
Defending information continues to be a key precedence
Based on CSO’s survey, security leaders have a number of key areas of focus, together with strengthening safety of confidential and delicate information (48%), securing cloud information and techniques (45%), and simplifying IT security infrastructure (39%).
CSO
Zach Lewis, CIO and CISO of College of Well being Sciences & Pharmacy in St. Louis, says consolidating instruments and utilizing what they’ve extra totally are his essential priorities going into subsequent yr. “We’re shifting extra within the path of platforms as a substitute of better of breed to try to discover some value financial savings and simplify the tech stack,’’ Lewis says.
Moreover, the college’s information governance journey continues. “We now have managed to categorise and categorize our information,’’ he says. “Now we’re locking that information into our retention interval coverage and cleansing up duplicate information.”
AI plans range
AI continues to penetrate deeper into the enterprise, together with the security operations middle. Seventy-three p.c of security decision-makers are extra possible this yr to think about a security resolution that makes use of AI, up from 59% in 2024, and 58% plan to extend spending on AI-enabled security know-how, in accordance with the CSO survey.
Keavy Murphy, vice chairman of security at Web Well being, is giving appreciable thought to AI’s affect and the way the group goes to navigate the know-how heading into 2026.
“This yr, it turned abundantly clear that AI isn’t going anyplace. In actual fact, it’s turning into extra integral than ever, even in industries like healthcare which have traditionally been thought of laggards,’’ Murphy says. In a current survey of healthcare leaders Web Well being participated in, 93% of respondents indicated their organizations are prioritizing AI adoption for scientific determination assist within the subsequent 12 to 24 months, she says.
The identical survey revealed that confidence in AI continues to be forming, and adoption will rely upon whether or not these instruments show ample ROI, ease of use, and regulatory security, Murphy notes. Whereas she is “in full assist of this degree of AI adoption,” Murphy acknowledges that this “may be an uncommon take from a cybersecurity knowledgeable, since many people are cautious of superior applied sciences that may open us as much as risk.’’
Murphy causes that since “there’s no query that unhealthy actors will probably be utilizing AI and probably the most superior software program potential of their assaults,’’ organizations which are vulnerable to those assaults, like hospitals or non-public practices, should reply with equally refined instruments.
“I believe AI is an unimaginable innovation that may assist healthcare organizations streamline so a lot of their day-to-day operations like documentation, administrative duties, and extra,’’ she explains. “It’s solely proper that we reap the benefits of it for cybersecurity functions, as effectively.”
AI is already social gathering of cyber threat planning at Aflac, says Tim Callahan, international CISO, who expects its utilization will solely enhance in 2026. Already, his staff is leveraging AI and machine studying for risk detection and response in addition to malware identification.
“Moreover, AI can be serving to us automate repetitive duties, triage alerts, and prioritize vulnerabilities, however by no means on the expense of a hands-on method the place knowledgeable analysis and intelligence is crucial,’’ Callahan stresses. “Because the world’s adversaries launch extra refined AI-driven assaults, it’s crucial that we use these applied sciences to not solely hold tempo however keep forward.”
He says management is rigorously evaluating AI’s position at Aflac and throughout the cybersecurity groups, “particularly as regulatory frameworks adapt to new applied sciences.”
Lewis of College of Well being Sciences & Pharmacy is just not as gung-ho on AI, saying it won’t play a big position in his cyber threat planning. Whereas issues like phishing emails, video deepfakes, voice fakes, and faux photographs are a priority, “foundationally, lots of issues nonetheless maintain,’’ he says. “I’m not pouring a ton of funding into that; simply reinforcing these … security stack items that I have already got in place and ensuring that customers are conscious and that our techniques are tuned correctly.”
Concern over AI-enabled assaults rises
Like Web Well being’s Murphy, security consumers are involved about AI-enabled cyberattacks.
Particularly, 38% of respondents expressed fear about AI-enabled ransomware, whereas security leaders additionally cited attackers leveraging AI to facilitate assault automation (35%) and an adversary’s use of AI to hunt for vulnerabilities of their enterprise (33%) as different high AI-related issues.
CSO
Consequently, 41% are planning to leverage AI to detect threats, for anomaly detection, and to automate security responses. Different respondents cited plans to leverage AI for malware detection and real-time threat prediction (39%), in addition to DLP and bettering enterprise system visibility.
Additional, 40% anticipate to see AI enhancements as a part of their current security techniques — with out extra prices — whereas 32% are keen to pay a premium for AI-enabled security options that meet their particular security wants.
CSO
The advantages AI security tech supplies
A whopping 99% of respondents have already seen advantages from the AI-enabled security applied sciences, up from 72% in 2023.
Among the many advantages: quicker identification of unknown threats (44%), accelerated detection and response instances (42%), the flexibility to sift by way of massive quantities of information quicker(42%), diminished worker workloads because of automation (42%), and the flexibility of to be extra proactive (42%).
Device priorities for a shifting risk panorama
Safety leaders report a variety of instruments in manufacturing, together with options for authentication (36%), security consciousness and coaching (35%), incident response (34%), DLP (33%), and EDR (32%).
Instruments on their radar embrace security analytics (28%), enterprise security administration (27%), SIEM (26%), and information governance (26%).
CSO
Aflac’s Callahan says his group is prioritizing “extremely developed security instruments.’’ For instance, the corporate took a personalized method when implementing zero belief, together with entry detection and blocking, he says. “This method has helped us keep away from errors and pitfalls that might affect our enterprise,’’ Callahan says.
Subsequent yr, the plan is to implement instruments “that enhance visibility and supply higher automation and integration throughout our surroundings,” he provides.
The College of Well being Sciences & Pharmacy not too long ago added a brand new DLP software that’s nonetheless in stealth mode, which “comes again to the AI issues,’’ Lewis says.
He’s additionally planning to consolidate a few instruments targeted on e mail security and using Microsoft’s e mail gateway and different security items, for the reason that college is a Microsoft store. That may give him the flexibility to buy the DLP system, “which is essential, as our information is now going into extra AI techniques,” he says. “I need to ensure I’m maintaining a tally of that and ensuring delicate and proprietary information or analysis isn’t slipping away into these public LLMs.”
Budgets will stay comparatively unchanged
Some 55% of respondents mentioned their security budgets will stay the identical, whereas 43% report anticipating a rise, in accordance with the Safety Priorities survey.
Lewis anticipates degree funding subsequent yr, with a potential 1% enhance, which is par for the course in greater ed, he says. “I’ll make do with the instruments I’ve,’’ he says.
Any will increase to Callahan’s price range at Aflac “will probably be pushed by the necessity to spend money on superior applied sciences, techniques to deal with rising regulatory necessities, and the continued want for expertise growth,” he says.
Survey respondents reported the principle enterprise priorities driving security spending to be: rising cybersecurity protections (42%), rising operational effectivity (37%), accelerating AI-driven innovation and functions (31%), bettering profitability (30%), and remodeling current enterprise processes comparable to automation and integration (30%).
MSPs retain their worth because the security panorama grows extra advanced
One other discovering on this yr’s survey is that 90% of respondents plan to outsource security capabilities to a managed companies supplier (MSP) or different third-party supplier within the subsequent yr.
Aflac has been using managed security service suppliers (MSSPs) for years, notably to supply 24/7 protection, Callahan says.
“In 2026, we’ll proceed to develop our partnerships with third-party suppliers, although to not substitute our core staff, however moderately to reinforce our staff’s outputs round strategic initiatives,’’ he says. “Because the atmosphere grows extra advanced, we anticipate to see extra assist in areas comparable to vulnerability administration and compliance.”
Lewis echoes that, saying the college will proceed to make use of third-party suppliers to have 24/7 SOC protection. His MSSP can be dealing with SIEM, logging occasions, and EDR.
CSOs’ visibility is on the rise
As their duties enhance, security leaders are gaining the eye of their boards — 95% reported they interact with their board of administrators, up from 85% in 2023. Forty-eight p.c interact with their board a number of instances a month.
Moreover, 70% of respondents report that somebody on their group’s board of administrators has particular accountability or oversight for cybersecurity, up from 59% in 2024. Seventy-two p.c mentioned engagement with their board has helped enhance cybersecurity/security initiatives, up from 66% in 2024.
CSO
Lewis meets with the college’s board or audit committee nearly quarterly, and he thinks that’s satisfactory.
“I believe lots of CISOs actually assume they want a seat at desk,’’ which can be organization- or industry-specific, he says. However he believes security leaders must as a substitute work on having a greater relationship with their CEO.
CISOs needs to be “working to safe issues extra internally than essentially what’s occurred externally, and having that relationship with the chief staff [and] different useful leaders within the group,’’ he says. That, Lewis provides, is “arguably extra vital than essentially having a seat on the board desk.”
CSO’s Safety Priorities Report surveyed 641 respondents to achieve a greater understanding of the varied security initiatives organizations are targeted on now and within the coming yr. The analysis additionally checked out points that may demand probably the most time and strategic considering for IT and security groups. Respondents got here from North America (46%), APAC (36%), and EMEA (18%). The typical firm measurement is 14,494 staff.
