
CISO Strategy

Cyber Insights 2026: What CISOs Can Expect in 2026 and Beyond


Cybersecurity Insights 2026: CISO Briefing
SecurityWeek’s Cyber Insights 2026 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we examine the CISO Outlook for 2026, with the purpose of evaluating what is happening now and preparing leaders for what lies ahead in 2026 and beyond.

The only constant in life is change, and the role of the CISO is constantly changing, constantly expanding and constantly becoming more complex.

Here we examine how the downside of this constant change is likely to weigh on CISOs in 2026 and beyond.

The changing role and expanding workload

The responsibility of the CISO is ever increasing, and this won’t slow down in the coming years.

Paul Kivikink, VP of product management and technology partnerships at DataBee, explains the starting point: “Traditionally, CISOs came up through the technical ranks, deeply rooted in cybersecurity operations. But as cyber risk has become a board-level concern, the CISO is now expected to speak the language of business, connecting security investments to revenue protection, regulatory compliance, and enterprise resilience.”

The modern CISO needs to be a technical expert and a business guru able to seamlessly transition between the two. “CISOs must communicate with both camps: the technical teams that help them prevent, understand and learn from attacks; and the business stakeholders who control budgets and need to understand the organization’s risk exposure,” explains Marie Wilcox, VP of market strategy at Binalyze.

But the detail involved in both personas is evolving rapidly. Business is moving faster and becoming more aggressive, taking on risk to stay ahead of the competition. Technology advances ever more rapidly, introducing new security risks that the CISO must understand and weigh against business priorities.


It is becoming increasingly difficult for one person to handle this expanding workload.

“In 2026, the transition from CISO to CSO will accelerate, reflecting a broader mandate that unites all aspects of security under one leadership role,” suggests Raghu Nandakumara, VP of Industry Strategy at Illumio. “This shift will largely be driven by the convergence of IT and OT systems, and will occur most rapidly in sectors such as energy, utilities, and manufacturing, where separating physical and cyber security is no longer viable – and the consequences of attacks are severe.”

Would such an overall head of security have a CISO reporting to that position? If so, should the CIO and CTO also report there? Should there be a separate chief privacy officer (CPO), perhaps a chief AI officer (CAIO), and a business information security officer (BISO), all reporting to the CSO?

Jason Martin, co-founder and co-CEO at Permiso, also believes the current workload is too great for a single person. “The solution emerging by 2026? Split the role or create additional specialized positions. Organizations will create a chief identity security officer reporting to the CISO. This removes one major workload from the CISO and improves outcomes.” In that model the current CISO becomes a de facto CSO, with a narrower CISO-type role reporting in.

It may be that we are heading in such a direction simply because the current and increasing workload on the current CISO is unsustainable. But these are all just labels, and not so very different from the primary structure that exists today: there is a head of security (the CISO) with a number of team leaders in different specialist areas.

The devil is in the detail of how and why the CISO workload is increasing and will continue to increase. “The onslaught of AI-enabled threats, the changing regulatory landscape, the accountability of a breach and recovery and the demand to adopt AI and other transformative technologies for innovation and growth would keep any CISO awake at night,” comments Sheetal Mehta, head of cyber security at NTT Data.

“In cybersecurity, we love to talk about resilience and innovation. But here’s an unpopular truth: the modern CISO is being set up to fail,” warns Jonathan Maresky, head of product marketing at CyberProof. 

“Today’s CISOs are navigating an impossibly complex threat landscape, pressured by boards to secure exponentially growing attack surfaces with shrinking budgets and overburdened teams. Every new technology adopted – from AI to cloud-native apps – introduces new risks. Developers are racing to meet release deadlines. AI tools are rolled out enterprise-wide with little consideration for security guardrails. Meanwhile, CISOs are held accountable not only for breaches, but for vulnerabilities they never had the resources to address.”

We’re going to look at some of the component parts of the CISO role that lead Maresky to such a conclusion: the new demands introduced by AI against the background of a continuing skills gap; the relationship between expanding and more forceful regulations and the possibility of personal liability; and the combined effect of all this stress on mental health and burnout.

AI issues

AI will be the single biggest cause of increased workload and increased pressure for the CISO from 2026 onward. It will increasingly pervade the entire business, starting from the way business and security apps are now being developed in-house.

Martin Reynolds, field CTO at Harness, explains. “Reliance on AI-generated or ‘vibe’ coding will continue to create high-stakes risks. Research shows up to 45% of AI-generated code contains vulnerabilities, with issues ranging from hallucinated dependencies to language-specific failures. Large organizations that lean heavily on AI without robust guardrails face inevitable breaches.”

This in turn places greater emphasis on the technical persona of the CISO. “We’ve spent the last few years pretending the CISO could be a business role. That era is over,” comments James Wickett, CEO at DryRun Security. “In 2026, every company will be producing code, AI-assisted, automated, or otherwise. If CISOs don’t understand how that code works, what risks it introduces, and how AI systems make decisions, they’re flying blind.”

AI is turning anybody who can ask a question (write a prompt) into a programmer, but not everyone has the discipline of a trained programmer. Combined with the business haste to embed agentic AI into operations, this can lead to insecure automation.

But CISOs can no longer ignore or avoid AI. Pierre Mouallem, CISO at Delinea, explains that through 2025 security leaders were very cautious adopters of AI. “In 2026, we’ll see that wariness fade… CISOs now recognize rapid support of emerging technologies is essential not just for security, but for business competitiveness,” he comments.

“That being said,” he continues, “it’s important to note that this evolution comes with pressure. As CISOs move from limiting AI to operationalizing it, they inherit an entirely new layer of responsibility: every AI agent, automation script, and workflow becomes a new identity to govern and secure.”

“Take this scenario: an AI tool in the Security Operations Center missed a critical lateral movement attack that allowed a threat actor to tamper with confidential earnings data, causing the company to file a financial misstatement with the SEC,” suggests Patricia Titus, field CISO at Abnormal AI. 


“Regulators will inevitably look at the CISO’s governance and rigor around the deployment of that automation. This evolving risk, compounded by AI’s demonstrated ability to act with human-like deception, will make robust AI governance, policy development and human oversight urgent prerequisites to manage enterprise risk and mitigate personal legal exposure.” (See more on the liability issue below.)

Diana Kelley, CISO at Noma Security, adds, “In 2026 and beyond, AI failures are poised to blur the line between technical and business risk in ways we haven’t seen before. When an AI system confidently fabricates information or a chat agent insults a customer, organizations will need CISOs who understand both the technical failure mode and the potential business catastrophe it triggers.”

But it isn’t just in-house AI that the CISO must secure. Attackers are harnessing AI themselves to automate the entire attack process, from far more sophisticated phishing, through discovery of zero-day flaws, to automated generation of malware tailored to them, all delivered at scale and speed.

The result will be a massive and continuous onslaught of cyberattacks from criminal gangs and state actors. The only hope CISOs have of matching this onslaught is greater use of in-house defensive agentic AI, which in turn increases the onus on protecting that in-house AI across a massively expanded attack surface created by both adversarial and defensive AI. It is the epitome of a vicious cycle.

Despite this, AI is not all bad news. A well-designed agentic SOC system can sharply reduce the time taken to triage alerts, and that has a dual benefit for the SOC team. First, it takes on load and reduces stress; second, it lets the team concentrate on more important long-term security issues. It can transform staff from exhausted tactical responders into effective strategic thinkers.


But perhaps the biggest change ushered in by the new Age of AI could change our entire attitude to the way we do security operations. “The most significant shift I’m seeing isn’t CISOs asking ‘How do we add AI to our stack?’ – it’s them asking ‘Does the way we’ve architected security operations for the past decade still make sense?’” says Lior Div, CEO and co-founder at 7AI.

He continues, “In 2026, CISOs will start dismantling security architectures designed around human limitations. Agentic AI is enabling investigation and response directly at the data source, reducing reliance on traditional SIEM, SOAR, or MDR overhead that once seemed essential. This shift will push leaders to ask what work truly requires human expertise versus what AI already does better, faster, and cheaper. The result will be the first generation of security operations built for AI-first performance, not human workaround.”

The skills gap

AI now touches almost every aspect of a CISO’s role. This includes, for example, a long-standing difficulty: team recruitment from an insufficient pool of qualified labor – generally known as the skills or talent gap.

The skills gap in cybersecurity is severe and will probably always be so. It exists because security requirements change faster than education can train students. This is nothing new for the CISO; but the rapid emergence and proliferation of artificial intelligence is an extreme example – and the potential danger of unskilled staff handling AI issues is more than usually severe.


“The cybersecurity skills gap remains a significant challenge fueled by emerging technology requiring new expertise faster than the market can keep up,” explains Gary Brickhouse, SVP and CISO at GuidePoint Security. “While strategies such as outsourcing can ease some of the pressure, many CISOs are still struggling to attract and retain experienced practitioners.”

Simple math explains. “There is no talent market for ‘10+ years of identity security expertise’. That subject barely existed 10 years ago,” comments Permiso’s Martin. “CISOs recruiting based on credential requirements (CISSP, 10+ years, specific tool knowledge) will remain chronically understaffed.”

CISOs have always needed to adapt their recruitment methods. “The skills gap is still growing. There are not enough people with cloud, identity, and threat detection expertise to fill every role,” explains Chris Jacob, Field CISO at ThreatQuotient. “The best CISOs hire for potential and attitude rather than long resumes. Curiosity, problem solving, and grit often predict success better than years of experience. With structured training and mentorship, these hires develop quickly and become loyal, long-term contributors.”

Hiring for potential, then training and mentoring new staff in-house, is the usual approach to new hires, supplemented by the occasional ability to recruit people who are already experienced. But with AI there is almost no experience anywhere: there are no in-house veterans to train new hires, and the requirement for AI expertise is immediate.

“Organizations waiting for the ‘perfect candidate’ with exactly the right background will remain understaffed. By 2026, this becomes a competitive differentiator,” warns Martin.

The skills gap has always existed for CISOs. It is always there and probably always will be. AI magnifies it: the gap is wider, and the associated threat is more severe. Ironically, AI itself offers a chink of light. AI is good at handling boring, repetitive tasks, and could be used to free up time for existing staff. That time could be used to upskill security-experienced staff with AI training.

Nevertheless, the skills gap in general, and the AI gap in particular, will be a major problem throughout and probably beyond 2026. CISOs will cope because that is what they do. But how well they weather the storm will be important.

Regulations and personal liability concerns

Compliance with regulations has always been a problem area for CISOs since compliant does not mean secure. Too much emphasis on compliance could mean not enough emphasis on security.

Regulators, however, are increasing the pressure for compliance with stronger regulatory language and the ability to hold individuals – in our case, CISOs – personally and even criminally liable for failures. This is increasing most, but not all, CISOs’ concern over their own personal liability.

Whatever their level of concern, personal liability is clearly a legal possibility, and it behooves all CISOs to prepare themselves for it.

“In 2026, cybersecurity will enter a new era where the consequences of cyber risk no longer fall primarily on corporations but on individuals – CISOs, ‘affirming officials’, compliance leaders, and board members who now face personal fines, career-ending bans, and even criminal charges for failures that were historically institutional,” warns Justin Beals, CEO and founder at Strike Graph. 

“With CMMC 2.0 requiring executives to personally certify the security posture of entire supply chains, NIS2 holding management bodies liable for ‘gross negligence’, DORA enabling individual penalties for ICT governance failures, and the SEC cementing precedent through cases like SolarWinds, regulators have quietly shifted the burden of cyber accountability onto the people signing the forms, not the organizations behind them.”

It is possible that the regulators will get what they want: better and more transparent cybersecurity. “It is likely to be a concern for the CISOs who haven’t adjusted to what it means. It should drive much more transparency – from the CISO to the board and vice versa. For many years CISOs have sat on issues which they either think won’t get resolved or that management doesn’t want to hear about. Personal accountability should drive those situations into the open, to the benefit of all in the end. The trick, of course, is navigating the potential political minefield to do that in the best way,” comments Gareth Lindahl-Wise, CISO at Ontinue.

However, “Personal liability for security related failures, including compliance, will remain a critical and escalating concern through 2026, fundamentally reshaping the CISO role,” says Noma’s Kelley.

“We’re entering a world where one bad day at work can end a career – or lead to criminal prosecution. In 2026, the biggest cyber risk won’t just be ransomware or supply-chain attacks – it will be the personal liability imposed on CISOs and executives by global regulatory regimes,” adds Beals.

In November 2025, the SEC dropped its litigation against SolarWinds and its CISO. Many hope that this may signal a reduction in the potential for personal liability. Indeed, a SolarWinds spokesperson said at the time, “We hope this resolution eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work.”

But don’t bank on it, warns Ilia Kolochenko, CEO at ImmuniWeb and cybersecurity practice lead at Platt Law. He believes the SEC’s action was strategic, suggesting it is preserving the precedent of legal action for future cases while avoiding the possibility of losing this specific one. “It would be imprudent to believe that the risk of personal liability for data breaches has now vanished,” he says.


Indeed, Kolochenko suggests the threat of liability goes beyond the regulators, with individual lawyers weaponizing the issue. “I recently witnessed several cases where CISOs and key cybersecurity professionals in their teams were personally threatened by creative lawyers after a data breach.”

These threats aren’t necessarily seeking criminal prosecution of the individuals, but are looking for information about the breached company, with CISOs cajoled into discussing problems such as insufficient budgets, understaffed teams, unrealistic goals, and lack of cybersecurity knowledge in management and the board of directors. 

“For plaintiffs’ lawyers, such admissions are a treasure trove to either settle with the breached or misbehaved company for a record amount, or to get punitive damages in court when permitted by law, possibly making even more money… If you don’t have your personal lawyer and legal insurance in place,” he adds, “get them without delay.”

The increasing strain on mental health

These complicating factors may lead to an increase in another problem area for CISOs – general mental health issues, and more specifically, burnout. The incidence of burnout among CISOs and within their teams is growing. The likelihood is this will increase in 2026. 

The primary cause of burnout is constant stress. The workload on the CISO will undoubtedly increase, and with it stress, and almost certainly burnout, at least through 2026.

“Stress levels are certainly on the rise due to the high stakes and constant pressure of the position,” comments Timothy Dickens, attorney at Blank Rome law firm.

“Stress levels across security teams are rising. The work is high pressure, always on, and mistakes can have major consequences,” says ThreatQuotient’s Jacob.

“Mental health strain is rising for CISOs and their teams. Security functions face continuous alerts, high-stakes decisions, post-incident fatigue, regulatory pressure, and often a blame-driven culture,” says Prasad T, field CISO APAC at Versa Networks.


There is little escape from this. Even current success can add to future stress. “The best outcome for any security program is that absolutely nothing happens. It can be really difficult to show that a control is necessary and working when the outcome is no attack,” adds Katy Winterborn, director of internal security at NCC Group.

Such success in a difficult economy could lead to tightened security budgets, and make it hard to win increased budget for new threats that the CISO sees but the board does not understand.

“Strong leaders foster psychological safety, develop delegation skills, and use AI-driven automation to reduce alert fatigue and cognitive overload across their teams,” says George Gerchow, faculty at IANS Research and CSO at Bedrock Data. But who fosters psychological safety for the CISO?

“Budgeting for a team therapist would be ideal,” he adds, “but it’s unlikely if we can’t even secure enough budget for staffing and tools.”

All of the contributing factors (overwork, new AI threats, and serious personal liability worries) that have led to increased burnout in recent years are likely to worsen in 2026. If CISOs do not gain additional support from the CEO and the board of directors, 2026 could well prove the most difficult year ever.

Related: CISO Burnout – Epidemic, Endemic, or Simply Inevitable?

Related: The Wild West of Agentic AI – An Attack Surface CISOs Can’t Afford to Ignore

Related: How Development Teams Can Securely and Ethically Deploy AI Tools

Related: CISO Conversations
