Security Spending Is Rising — But the Gap Is Widening
The 2026 RH-ISAC CISO Benchmark, published in April 2025, confirms what most security leaders already sense: budgets are moving in the right direction, but not at the pace the threat landscape demands. Average IT spend as a share of revenue climbed from 3.2% to 3.9% across large organisations in 2025. Security budgets followed that upward trajectory, though increases remained incremental and tightly managed. On paper, this looks like progress. In practice, it describes a sector where spending decisions are cautious and the gap between what is needed and what is funded stays stubbornly wide. The security teams absorbing this funding are simultaneously being asked to operationalise AI, manage supply chain risk, maintain compliance posture, and respond to threats that are themselves increasingly AI-assisted. That is a substantial ask on a modest budget increase.
How Has AI Changed What CISOs Actually Need to Buy?
AI has moved from experimental to operational inside enterprise security programmes faster than most anticipated. The RH-ISAC benchmark reflects a reality where AI is now a routine part of security operations: not a pilot programme sitting outside the core budget, but a dependency embedded in detection, triage, and response workflows. This creates a specific budgetary problem. AI-assisted security tools carry licensing and integration costs on top of those of the platforms they sit alongside. The headcount required to govern, tune, and validate AI systems adds to personnel budgets. And the attack surface that AI expands, through shadow AI use, LLM integrations, and third-party AI services introduced by suppliers, generates new risk categories (prompt injection against LLM-connected tooling, sensitive data leaking into external models, unvetted AI vendors entering the supply chain) that organisations are only beginning to account for financially. The result is that CISOs are funding AI adoption from IT budgets that grew by less than a percentage point of revenue, of which security receives only a share. Something has to give. Typically what gives is either depth of coverage or speed of response, and neither is an acceptable trade-off.
Why Flat Budgets Force Harder Prioritisation Decisions
When budgets grow gradually, security leaders face a prioritisation problem that is harder than it appears. The instinct is to protect existing tooling and add AI capability on top. The practical outcome is often a sprawling stack where costs compound, integrations break, and the security team spends more time managing tools than investigating threats. The RH-ISAC data points to a measured environment where organisations are not dramatically expanding their programmes; they are making incremental additions. For many, this means AI investment displaces spend that would otherwise have gone into threat intelligence, red team exercises, third-party risk assessments, or staff training. These are not optional extras. They are the components that turn a technically capable security programme into one that actually reduces risk. There is also a consolidation opportunity that many organisations are not yet taking. Running separate point solutions for endpoint protection, email security, cloud access controls, and data loss prevention, each at its own licensing rate, is expensive. Platforms that unify these layers, such as Coro for UK-based organisations, reduce per-seat costs and administrative overhead, which frees budget to go elsewhere. That kind of efficiency is not glamorous, but it is how flat budgets stretch further. The trade-off to keep in view is concentration: a single platform becomes a single point of dependency, so its own security posture and the breadth of its detection coverage deserve the same scrutiny as the tools it replaces.
What AI-Assisted Threats Are Actually Doing to Enterprise Risk
The challenge is not just that security teams are adopting AI. It is that threat actors have adopted it too, and at scale. Phishing campaigns now generate personalised lures at volume, with the grammatical quality and contextual accuracy that previously required significant attacker effort. Business email compromise attempts are harder to distinguish from legitimate correspondence. Reconnaissance is faster and more thorough. Against this backdrop, an IT budget increase of less than one percentage point of revenue does not represent meaningful headroom for security. Organisations that relied on signature-based detection or rule-based email filtering in 2023 are operating those same tools against a qualitatively different threat in 2026: lures with no spelling mistakes, no reused templates, and few static indicators to match against. Attack surface exposure compounds this further. As organisations adopt cloud services, AI platforms, and remote working infrastructure, their external footprint grows. Many still lack continuous visibility into what is exposed and what is exploitable. A penetration test conducted once a year captures a snapshot. It does not reflect the asset changes, misconfigurations, and new exposures that accumulate between tests. Continuous attack surface management, the kind that Hadrian delivers, is no longer a premium capability reserved for large enterprises. It is a baseline requirement for any organisation serious about understanding its real risk position. More on Hadrian at /products/hadrian.
Where Supply Chain Risk Sits in a Budget Under Pressure
One area that consistently loses ground when budgets tighten is third-party and supply chain risk management. It is often treated as a compliance overhead rather than an operational security control, which makes it an easy target when spending decisions get difficult. This framing is wrong, and the consequences are measurable. A significant proportion of enterprise breaches trace back to a supplier, a SaaS platform, or a third-party integration — not a direct attack on the organisation itself. When budget pressure forces security teams to reduce third-party assessments to annual questionnaires, the gap between perceived and actual supply chain risk grows quietly. The RH-ISAC benchmark does not call this out specifically, but the budget dynamics it describes create exactly the conditions where supply chain exposure accumulates undetected. Organisations managing this risk properly are using continuous monitoring rather than point-in-time assessments. Panorays automates third-party security ratings and flags deteriorating supplier postures before they become your problem — a practical capability that fits inside constrained budgets rather than demanding additional headcount. See /products/panorays for detail on how this works in practice.
What Should CISOs Actually Prioritise in 2026?
Given the data from the RH-ISAC benchmark and the broader threat picture, there are three areas where security leaders operating on measured budgets should concentrate their decisions.

First, visibility before tooling. Organisations that do not have a clear picture of their external attack surface, their data flows, and their third-party dependencies cannot make good spending decisions. Money spent on detection tools is less effective when the baseline is unknown. Establish visibility first.

Second, consolidate where possible. A unified security platform covering endpoint, email, and cloud security at a single per-seat cost typically outperforms a set of disconnected point solutions on both coverage and cost. This is the operational case for platforms like Coro (/products/coro) in the UK market or ESET (/products/eset) for organisations across Australia and New Zealand: not as an upsell, but as a budget efficiency that genuinely changes what security teams can do with fixed spend.

Third, cover the data exfiltration gap. Ransomware has evolved. The encryption component of an attack is now secondary to data theft: attackers exfiltrate sensitive data before deploying ransomware and use the threat of publication to demand payment regardless of whether backups exist, so a clean restore no longer ends the incident. Most endpoint protection platforms do not block active exfiltration at the network level. BlackFog specifically addresses this gap by blocking unauthorised data transfer in real time, which is the control that matters once the intrusion itself has gone undetected. Check your current exposure at /data-exfiltration-risk.
- Establish visibility into your attack surface before adding more detection tooling
- Consolidate endpoint, email, and cloud security onto unified platforms to reduce per-seat costs
- Address the data exfiltration gap that traditional endpoint protection leaves open
- Replace annual third-party questionnaires with continuous supplier risk monitoring
- Ensure AI adoption within your security stack includes governance for the risks AI itself introduces
How to Protect Your Business When Budgets Are Under Pressure
The RH-ISAC data describes a sector-wide challenge, but the risk it represents is specific to each organisation's configuration. Flat or incremental budgets force trade-offs, and the organisations that make those trade-offs well are the ones with the clearest picture of where their actual exposure sits.

For UK businesses operating endpoint, email, and cloud environments, Coro consolidates three separate security layers into one manageable platform, reducing licensing complexity and the administrative load that eats into security team capacity. For organisations across New Zealand and Australia, ESET delivers enterprise-grade endpoint protection designed for environments where local support and regional compliance requirements matter. Both reduce cost per unit of coverage compared to running separate tools.

Where data exfiltration is the primary concern, and given the current ransomware model it should be, BlackFog stops data leaving the network before it reaches the attacker's infrastructure. It operates independently of whether the initial intrusion was caught, which makes it a practical last line of defence when other controls have been bypassed. Run your current data exfiltration risk assessment in two minutes at /data-exfiltration-risk.

For organisations uncertain about where their external attack surface is most exposed, Hadrian provides continuous, AI-driven reconnaissance of your perimeter: the same view an attacker would build, updated in real time rather than annually. And where third-party risk is an open question, Panorays replaces spreadsheet-based supplier assessments with continuous automated monitoring that flags deteriorating postures before they become incidents.

If you want a direct conversation about where your current security programme has gaps and how to address them within your existing budget, talk to the Kyanite Blue team at /contact. There is no obligation, just a practical discussion about what your organisation actually needs.
Frequently Asked Questions
How much are enterprise organisations spending on security in 2025?
According to the 2026 RH-ISAC CISO Benchmark, average IT spend as a share of revenue rose to 3.9% in 2025, up from 3.2% the previous year. Security spend rose with it but remained tightly managed, with most organisations making incremental rather than significant budget additions. Note that the headline figure covers IT as a whole, so the security increase is only a fraction of that 0.7-point rise.
How can security teams do more with a flat budget?
The most effective approach is platform consolidation. Running separate tools for endpoint, email, cloud, and data security generates compounding licensing and integration costs. Unified platforms reduce per-seat spend and administrative overhead, freeing budget for higher-priority controls like attack surface management and continuous third-party risk monitoring.
Why is AI making the CISO budget problem harder to solve?
AI has become a standard part of enterprise security operations, but it introduces its own costs: new licensing requirements, integration overhead, and an expanded attack surface from AI-connected third-party services. At the same time, threat actors are using AI to increase attack volume and quality. Budget increases that do not account for both sides of this equation leave organisations exposed.