Technology may be changing rapidly but one thing remains constant: It’s not an easy time to be a CSO. The role continues to evolve with security leaders taking on even more responsibilities, and 76% reporting that understanding which security solutions best fit their company has grown more complex, according to CSO’s 2025 Security Priorities Study.
Further, 57% of respondents report their organization has struggled to find the root cause of security incidents they experienced in the past year.
These days, security leaders find themselves tasked with a range of high-level responsibilities, including cyber strategy and policy development, risk management, and managing the risks of AI-enabled technology. Moreover, 67% of security leaders say their responsibilities require them to address security issues outside their country or region.
Holding them back are perennial problems: employee awareness training; lack of budget; retaining qualified employees; process complexity; and, increasingly, the ability to address the risks presented by disruptive technologies such as AI.
Protecting data continues to be a key priority
According to CSO’s survey, security leaders have several key areas of focus, including strengthening protection of confidential and sensitive data (48%), securing cloud data and systems (45%), and simplifying IT security infrastructure (39%).
CSO
Zach Lewis, CIO and CISO of University of Health Sciences & Pharmacy in St. Louis, says consolidating tools and using what they have more fully are his main priorities going into next year. “We’re moving more in the direction of platforms instead of best of breed to try and find some cost savings and simplify the tech stack,’’ Lewis says.
Additionally, the university’s data governance journey continues. “We have managed to classify and categorize our data,’’ he says. “Now we are locking that data into our retention period policy and cleaning up duplicate data.”
AI plans vary
AI continues to penetrate deeper into the enterprise, including the security operations center. Seventy-three percent of security decision-makers are more likely this year to consider a security solution that uses AI, up from 59% in 2024, and 58% plan to increase spending on AI-enabled security technology, according to the CSO survey.
Keavy Murphy, vice president of security at Net Health, is giving considerable thought to AI’s impact and how the organization is going to navigate the technology heading into 2026.
“This year, it became abundantly clear that AI isn’t going anywhere. In fact, it’s becoming more integral than ever, even in industries like healthcare that have historically been considered laggards,’’ Murphy says. In a recent survey of healthcare leaders Net Health participated in, 93% of respondents indicated their organizations are prioritizing AI adoption for clinical decision support in the next 12 to 24 months, she says.
The same survey revealed that confidence in AI is still forming, and adoption will depend on whether these tools demonstrate sufficient ROI, ease of use, and regulatory safety, Murphy notes. While she is “in full support of this level of AI adoption,” Murphy acknowledges that this “might be an unusual take from a cybersecurity expert, since many of us are wary of advanced technologies that might open us up to threat.’’
Murphy reasons that since “there’s no question that bad actors will be using AI and the most advanced software possible in their attacks,’’ organizations that are susceptible to these attacks, like hospitals or private practices, must respond with equally sophisticated tools.
“I think AI is an incredible innovation that can help healthcare organizations streamline so many of their day-to-day operations like documentation, administrative tasks, and more,’’ she explains. “It’s only right that we take advantage of it for cybersecurity purposes, as well.”
AI is already party of cyber risk planning at Aflac, says Tim Callahan, global CISO, who expects its usage will only increase in 2026. Already, his team is leveraging AI and machine learning for threat detection and response as well as malware identification.
“Additionally, AI is also helping us automate repetitive tasks, triage alerts, and prioritize vulnerabilities, but never at the expense of a hands-on approach where expert evaluation and intelligence is critical,’’ Callahan stresses. “As the world’s adversaries launch more sophisticated AI-driven attacks, it is critical that we use these technologies to not only keep pace but stay ahead.”
He says leadership is carefully evaluating AI’s role at Aflac and within the cybersecurity teams, “especially as regulatory frameworks adapt to new technologies.”
Lewis of University of Health Sciences & Pharmacy is not as gung-ho on AI, saying it will not play a significant role in his cyber risk planning. While things like phishing emails, video deepfakes, voice fakes, and fake images are a concern, “foundationally, a lot of things still hold,’’ he says. “I’m not pouring a ton of funding into that; just reinforcing those … security stack pieces that I already have in place and making sure that users are aware and that our systems are tuned properly.”
Concern over AI-enabled attacks rises
Like Net Health’s Murphy, security buyers are concerned about AI-enabled cyberattacks.
Specifically, 38% of respondents expressed worry about AI-enabled ransomware, while security leaders also cited attackers leveraging AI to facilitate attack automation (35%) and an adversary’s use of AI to hunt for vulnerabilities in their enterprise (33%) as other top AI-related concerns.
CSO
Consequently, 41% are planning to leverage AI to detect threats, for anomaly detection, and to automate security responses. Other respondents cited plans to leverage AI for malware detection and real-time risk prediction (39%), as well as DLP and improving enterprise system visibility.
Further, 40% expect to see AI enhancements as part of their existing security systems — without additional charges — while 32% are willing to pay a premium for AI-enabled security solutions that meet their specific security needs.
CSO
The benefits AI security tech provides
A whopping 99% of respondents have already seen benefits from the AI-enabled security technologies, up from 72% in 2023.
Among the benefits: faster identification of unknown threats (44%), accelerated detection and response times (42%), the ability to sift through large amounts of data faster(42%), reduced employee workloads due to automation (42%), and the ability of to be more proactive (42%).
Tool priorities for a shifting threat landscape
Security leaders report a wide range of tools in production, including solutions for authentication (36%), security awareness and training (35%), incident response (34%), DLP (33%), and EDR (32%).
Tools on their radar include security analytics (28%), enterprise security management (27%), SIEM (26%), and data governance (26%).
CSO
Aflac’s Callahan says his organization is prioritizing “highly evolved security tools.’’ For example, the company took a customized approach when implementing zero trust, including access detection and blocking, he says. “This approach has helped us avoid mistakes and pitfalls that could impact our business,’’ Callahan says.
Next year, the plan is to implement tools “that increase visibility and provide better automation and integration across our environment,” he adds.
The University of Health Sciences & Pharmacy recently added a new DLP tool that is still in stealth mode, which “comes back to the AI concerns,’’ Lewis says.
He is also planning to consolidate a couple of tools focused on email security and utilizing Microsoft’s email gateway and other security pieces, since the university is a Microsoft shop. That will give him the ability to purchase the DLP system, “which is very important, as our data is now going into more AI systems,” he says. “I want to be sure I’m keeping an eye on that and making sure sensitive and proprietary data or research isn’t slipping away into these public LLMs.”
Budgets will remain relatively unchanged
Some 55% of respondents said their security budgets will remain the same, while 43% report expecting an increase, according to the Security Priorities survey.
Lewis anticipates level funding next year, with a possible 1% increase, which is par for the course in higher ed, he says. “I will make do with the tools I have,’’ he says.
Any increases to Callahan’s budget at Aflac “will be driven by the need to invest in advanced technologies, tactics to address emerging regulatory requirements, and the ongoing need for talent development,” he says.
Survey respondents reported the main business priorities driving security spending to be: increasing cybersecurity protections (42%), increasing operational efficiency (37%), accelerating AI-driven innovation and applications (31%), improving profitability (30%), and transforming existing business processes such as automation and integration (30%).
MSPs retain their value as the security landscape grows more complex
Another finding in this year’s survey is that 90% of respondents plan to outsource security functions to a managed services provider (MSP) or other third-party provider in the next year.
Aflac has been utilizing managed security service providers (MSSPs) for years, particularly to provide 24/7 coverage, Callahan says.
“In 2026, we will continue to expand our partnerships with third-party providers, though not to replace our core team, but rather to enhance our team’s outputs around strategic initiatives,’’ he says. “As the environment grows more complex, we expect to see additional support in areas such as vulnerability management and compliance.”
Lewis echoes that, saying the university will continue to use third-party providers to have 24/7 SOC coverage. His MSSP is also handling SIEM, logging events, and EDR.
CSOs’ visibility is on the rise
As their responsibilities increase, security leaders are gaining the attention of their boards — 95% reported they engage with their board of directors, up from 85% in 2023. Forty-eight percent engage with their board multiple times a month.
Additionally, 70% of respondents report that someone on their organization’s board of directors has specific responsibility or oversight for cybersecurity, up from 59% in 2024. Seventy-two percent said engagement with their board has helped improve cybersecurity/security initiatives, up from 66% in 2024.
CSO
Lewis meets with the university’s board or audit committee almost quarterly, and he thinks that’s adequate.
“I think a lot of CISOs really think they need a seat at table,’’ which may be organization- or industry-specific, he says. But he believes security leaders ought to instead work on having a better relationship with their CEO.
CISOs should be “working to secure things more internally than necessarily what’s happened externally, and having that relationship with the executive team [and] other functional leaders in the organization,’’ he says. That, Lewis adds, is “arguably more important than necessarily having a seat at the board table.”
CSO’s Security Priorities Report surveyed 641 respondents to gain a better understanding of the various security projects organizations are focused on now and in the coming year. The research also looked at issues that will demand the most time and strategic thinking for IT and security teams. Respondents came from North America (46%), APAC (36%), and EMEA (18%). The average company size is 14,494 employees.
