In 2026, Chief Information Security Officers (CISOs) are confronting a landscape defined by extraordinary complexity and risk. The cybersecurity environment is evolving at an unprecedented pace, fueled by the rapid adoption of artificial intelligence, the emergence of new attack vectors, and heightened regulatory pressures.
At the same time, shifting economic conditions are adding another layer of uncertainty for CISOs and their organizations, with macroeconomic volatility posing significant challenges to achieving strategic objectives this year. In this environment, CISOs must provide strategic leadership, build organizational resilience, and guide their teams through ongoing uncertainty and change.
According to the Gartner eBook, 2026 Priorities for Cybersecurity Leaders, security leaders need to focus on leading with influence, resilience and agility, which Gartner defines as “the ability to rapidly reprioritize the roadmaps and investments inherent in the cybersecurity strategy and program.”
Against this backdrop, our annual Leadership Perspective Survey asks CISOs to identify their top security and enterprise priorities, as well as the objectives and challenges to achieving them. More than 1,600 CISOs across our communities report that enabling and protecting AI, managing cybersecurity risk and optimizing security tools are their top three initiatives in 2026. Here, we take a closer look at what CISOs are saying about these three critical priorities.
Top Functional Priorities for CISOs
In 2026, “Enabling and Protecting AI” emerged as the top priority for CISOs. Newly introduced as a survey option this year, this focus area rapidly became the leading concern for security leaders. CISOs are simultaneously ensuring the secure integration of AI technologies within their organizations, harnessing AI to strengthen risk mitigation efforts, and defending against the growing landscape of AI-driven threats.
CISO priorities have undergone notable changes this year. AI surged to the top of the list after not appearing in the top five previously. Last year’s leading focus area, “Cyber Resilience,” has been redefined and split into two separate areas: “Assess and Manage Cyber Risk,” now ranked second in importance, and “Increase Organizational Resilience,” which occupies the fifth spot. These refined survey options reflect the dynamic nature of the CISO role, as leaders shift their attention from day-to-day operational issues toward strengthening and optimizing their organizations’ overall security posture.
In addition, “Optimizing Security Tools & Services” and “Securing Applications & Data” have grown in importance for CISOs this year. Rather than continually adding new tools, CISOs are now focused on maximizing the effectiveness of their existing security investments. At the same time, protecting data has taken on greater urgency, driven by the rapid advancement of AI initiatives and the increasing complexity of regulatory requirements.
Here, we examine the top three priorities for CISOs in greater detail, highlighting the key opportunities and challenges they face.
Addressing the Dual Challenge of Protecting and Harnessing AI
AI presents two focus areas for CISOs: securing the use of AI and embracing AI for security purposes. To enable AI usage across their organizations, CISOs want the business to move quickly without security becoming a barrier, which requires them to prioritize risk assessment and establish strong governance and guardrails around AI adoption.
However, as one CISO said, “From a security standpoint, AI presents both significant opportunity and significant risk.” While AI offers the ability to enhance detection, response, and resilience, adversaries are leveraging the same technologies to launch more sophisticated attacks. With AI now deeply embedded across the security ecosystem, maintaining parity with threat actors is essential.
One CISO referred to this phenomenon as “an ongoing cyber arms race” between defenders and threat actors. Another security leader said simply: “The threat actors are using [AI]; you need to use it, too.” One CISO summed up their challenges with AI enablement and security this way: “We've been driven to enable the business, but haven't done as much self-reflection on our internal cyber use of AI.”
Some CISOs are focused on agentic AI, with organizations deploying multiple agents and seeing success, including time savings and improvements in areas like vulnerability management and cyber risk classification. While integrating agentic AI has become a priority for some CISOs, others report concerns about security, particularly around agent access to sensitive systems, the need for robust guardrails, and the lack of identity and access management controls for AI agents.
In addition to agentic AI, CISOs are focused on establishing effective data governance to balance the push for GenAI-driven efficiency with the need to mitigate emerging risks. As new forms of data exposure come to light, organizations are prioritizing robust governance frameworks to control how AI interacts with sensitive or regulated information. This includes reinforcing policies, oversight, and education to ensure the workforce understands the risks of GenAI.
Achieving responsible AI adoption requires strong guardrails around data use, risk management, and regulatory compliance, as well as significant upskilling and cultural change. As AI governance and security become the next major frontier, CISOs are moving from theory to practice, working to keep pace with rapid technological change, while enabling business innovation and protecting against data loss.
The following outlines CISOs’ goals and challenges in enabling and securing AI. While most security leaders want to mitigate risks, their main challenge is the quickly changing landscape.
Goals for Enabling & Protecting AI
65% Mitigating risks
57% Improving business outcomes
42% Improving processes and efficiencies
Challenges around Enabling & Protecting AI
56% Quickly changing landscape
52% Lack of skills
40% Competing priorities
To gain a more nuanced understanding of CISO priorities and challenges, we hold hundreds of follow-up conversations after the survey. Here are some highlights of those discussions on AI:
One key takeaway: AI is becoming a force multiplier for both defenders and attackers.
AI value creation is a challenge. In most organizations it is still too early to have tangible ROI.
Organizations that succeed will be those that pair advanced technology with strong governance, clear accountability and a security-first culture across the enterprise.
Strengthening Cyber Risk Management
CISOs remain highly focused on assessing and managing risk, with cyber resilience continuing to be a top priority. As organizations undergo rapid digitalization and connect more products each year, CISOs must navigate the tension between driving innovation and ensuring strong organizational resilience. As one CISO noted, “The world wants to do things quicker, but this puts pressure on us. We have to find the line between resilience and innovation.”
To keep pace, CISOs are moving beyond annual scenario planning toward more dynamic, continuously updated business continuity plans. They understand that resilience strategies need to evolve with emerging threats, placing greater emphasis on data governance, data retention, and operational efficiency. CISOs also report they are aligning with frameworks like NIST and new HIPAA regulations.
In addition to cyber resilience, CISOs are focused on governance, with efforts underway to expand the use of existing tools while enhancing control effectiveness, strengthen data and application governance, and improve overall security posture. One CISO shared they are “enhancing coordination across the organization, particularly with Legal and Compliance, to ensure alignment on privacy and cybersecurity initiatives.”
Many organizations are maturing their cyber risk programs, often navigating the challenges of rapid growth and evolving company culture. While frameworks like NIST provide a foundation, there is a clear need for standardized AI security frameworks. CISOs also say they are prioritizing consistent risk quantification to demonstrate financial impact and meet evolving regulatory expectations, such as NIS2 and CRA. There is strong interest in understanding how authorities interpret new regulations and in operationalizing frameworks that support board-level reporting and acu-risk indicators. Overall, CISOs’ comments reflect a growing emphasis on compliance and risk management within organizations.
This year, CISOs’ primary goal in this area is mitigating risks, while their main challenge in achieving it is competing security priorities.
Goals for Assessing & Managing Cyber Risk
76% Mitigating risks
47% Improving resiliency
47% Making data-driven decisions
Challenges around Assessing & Managing Cyber Risk
45% Competing priorities
39% Lack of resources
34% Company culture
Here is a sample of what CISOs shared about their risk management strategies after the survey:
Cyber resilience continues to be top of mind – assuring the availability of our products and services.
The most important thing is to try to be not just aware, but in control. It's not about blocking usage, but giving usage in a controlled way.
There is a trend toward reporting cybersecurity metrics to the CEO or legal department, rather than the CIO, reflecting a shift toward compliance and risk management.
Optimizing Security Tools and Services
This year, CISOs continue to focus on optimizing their existing security tools and services rather than adding new ones. Many security leaders report feeling overwhelmed by the sheer number of solutions in place, with one CISO saying, “The products we bring in to help solve issues are never ‘set it and forget it.’ We are constantly updating, upgrading, changing, adding and adapting to new features.”
Security leaders recognize that many tools are underutilized and are prioritizing rationalization, integration, and modernization to improve efficiency, effectiveness, and operational outcomes. One executive shared that they “know we have a lot of tools and services that aren't being used to their fullest extent.” Other CISOs said, “Our current set of tooling is all over the place,” and “We have tools we are paying too much for and using 20-30% of the capability.”
Cost minimization and the need to justify every investment are driving efforts to consolidate vendors, leverage managed service providers, and maximize the value of their current security stack. The financial reset in 2025 prompted a shift toward reducing operating expenses and evaluating whether to invest in existing platforms or partner with leading vendors. This approach has led to cost savings for some security leaders, along with improved employee morale, as teams do more with less and have fewer tools to manage.
Rather than continually adding new products, CISOs are focused on optimizing and fully leveraging their current solutions. Determining the right operating model and aligning technology roadmaps remain key to maximizing value and efficiency. CISOs also anticipate that the rise of agentic AI will automate many processes and possibly make some toolsets unnecessary. Overall, CISOs want to deliver value, with one executive summing it up this way: “Risk mitigation and measurable ROI are key decision drivers, as is business impact – not tool volume.”
The main objective for CISOs is to improve efficiencies with their tools, and their biggest challenge is competing priorities.
Goals for Optimizing Security Tools & Services
63% Improving processes and efficiencies
56% Mitigating risks
39% Improving resiliency
Challenges around Optimizing Security Tools & Services
48% Competing priorities
40% Budget
36% Lack of resources
36% Technical debt
Here are some additional comments from CISOs on their priority of optimizing security tools:
A security optimization strategy is preferable to simply adding more products.
Even those CISOs with a mature, well-staffed and well-tooled security program have a current focus on optimization.
We need to consider both tools and people and process perspectives. We have many tools and technologies; managing this stack internally is complex.
CISOs’ Top Enterprise Priorities
Each year, our survey asks C-suite executives to identify their top enterprise-wide priorities, alongside their functional goals and objectives. In 2026, CISOs – like their CHRO and CDAO counterparts – rank driving growth as their top enterprise priority. Increasing operational efficiencies and productivity follows as their second highest priority. Notably, every C-level leader surveyed selected one of these two areas as their top priority across the enterprise.
Cost optimization continues to be a key focus for CISOs, who ranked it as their third highest priority this year. In light of ongoing economic volatility and uncertainty, C-level executives are placing continued emphasis on efficiency and cost management, alongside their goal of driving growth.
Rounding out the top five, CISOs identified increasing revenue and reducing risk – traditionally the leading priority for security leaders. These selections highlight how the CISO role is expanding beyond security to encompass broader business objectives.
Below is an overview of the top enterprise initiatives for CISOs and their fellow C-suite peers.
The Outlook for CISOs
Cybersecurity leaders are navigating a threat landscape that is growing more complex due to accelerated AI adoption and new risks like deepfakes and frontier LLMs. As organizations embrace AI, CISOs play a pivotal role in enabling its responsible use, addressing emerging threats, and ensuring that cybersecurity remains aligned with overall business goals. Security leaders are balancing their support of AI-driven innovation with robust security, with one CISO describing this as “securely enabling your company to remain innovative and competitive.”
The surge of interest in AI has given security leaders a valuable opportunity to address longstanding foundational issues that previously lacked attention. By framing these challenges as prerequisites for AI innovation, CISOs have been able to advance initiatives and drive the business forward. While organizations focus on enabling AI responsibly, uncertainty around AI’s actual value persists, underscoring the importance of strong governance, risk management, and compliance frameworks.
While cyber resilience was the leading priority for CISOs in 2025, it remains central in 2026, with leaders refining their approaches by focusing on safeguarding and regularly testing critical infrastructure and key business functions. According to the Gartner eBook 2026 Priorities for Cybersecurity Leaders, “Security and risk management (SRM) leaders must optimize their programs for influence, resilience and agility.” CISOs report that they are “continuing to fine tune our strategy” to ensure organizational resilience.
Based on 1,600 CISO responses from Gartner C-level Communities’ proprietary Leadership Perspective Survey, May 2026.