Information security budgets rise, but must address cloud security, AI governance


A recent survey conducted by 451 Research from S&P Global Energy Horizons examines how information security budgets are changing this year; where security-directed spending is increasing and decreasing; the strategic priorities for CISOs in 2026 and their driving pain points; and which overall classes of security capabilities are viewed as important, relative to each other.

The Take

Information security leaders note their security budgets will increase 25% on average this year, with a median spending increase of 20%. This is only slightly higher than the 2025 average increase of 27%, indicating continued spending prioritization, notably in a handful of categories, including AI governance and cloud security. A little over half of those increasing spending (52%) are in the 1%-25% range, which spans a maintenance level of spending at the low end to new-project spending levels closer to 25%. About 35% are increasing their budget more than 26%, firmly expanding their spending level in service of potentially growing their teams, acquiring or expanding new products, or a combination of both. Just 8% are standing pat with where they were in 2025, neither increasing nor decreasing spending, and 5% note a decrease in spending this year.

Summary of Findings

After noting a 25% increase in spending on information security for 2026, where is that expenditure applied? About 30% of information security respondents note that cloud security will see the greatest increase in spending — notable, as it was only last month that Google completed its $32 billion acquisition of Wiz, viewed as a major strategic bet on cloud security needs. That need resonates with information security leaders, as cloud security is again the top pain point in this survey, cited by 19% of survey respondents. Managed security services captures the next largest share of respondents who say it will be a top area of increased spending (16%), followed closely by new software-based security solutions and increased spend on ‘people,’ typically by hiring new security professionals. For the relatively small percentage of people decreasing spending (5% of the overall sample), the largest decreases are in people-related expenses and in expected spending on security-related hardware.

Looking at high-level categories of security tooling that benefit from increased spending, application security leads in respondents planning a significant increase in spending (28%). This is likely a corollary to both the increase in code generated via AI-enabled autocomplete and the emerging ability to write code quickly via prompts. New categories are emerging, from AI static application security testing to products that use frontier AI model-led methods to identify vulnerabilities in code. Supply-chain security has become more complex, as model context protocols, models and even open-source libraries developed via AI-enabled coding need to be vetted. Software bills of materials now include AI bills of materials. Bot defense now includes handling bot subcategories representing AI agents acting on behalf of human users.

Improving application security is the second most-cited strategic initiative for 2026 (22%). Security information and event management/analytics comes in second at 24%, a key area where AI for security is leading to automation of common tasks within the security operations center (SOC). Integrating GenAI capabilities into security tooling is the fourth most-cited strategic initiative for security teams this year at 21%.

A rising tide lifts all boats; however, there is no category of security spending that is going down, and each reflects a healthy percentage of new project-level spend in 2026.

Pain points drive strategic priorities, but not always in the year they are most pronounced, as much depends on the availability of countermeasures — whether that be the skill sets of internal teams or the availability of vendor-based tooling in the marketplace. Beyond cloud security as a key pain point, the top security leader pain points this year include data privacy — notable in an era where GenAI chat interfaces are becoming more familiar to a greater number of users. These models consume large datasets and can infer information from seemingly disparate data points, making data leakage a top concern during usage. Phishing is the third most-cited pain point, similarly affected by AI, where GenAI capabilities enable social engineering attacks to be more polished and targeted, and delivered via a greater variety of means. The challenge of securing GenAI is cited by 13% of respondents.

Beyond securing cloud and improving application security, another top strategic initiative in 2026 is improving vulnerability assessment and management. This may be a very prescient objective by security managers in the wake of the release of information around initiatives such as Anthropic’s Project Glasswing. Anthropic is working with leading information security vendors, hyperscaler cloud providers, major technology providers and a major bank to mitigate potential issues with frontier AI models, including Claude Mythos, being able to quickly identify and exploit vulnerabilities in code — including the ability to chain together exploits for greater impact. Lowering the bar to identifying and exploiting vulnerabilities or chains of vulnerabilities has the potential to impact critical infrastructure, especially in places where patch cycles are longer by necessity to perform the testing needed to avoid business disruption.

When asked to rate the relative importance of preventative security tooling, proactive measures such as threat hunting and responsive controls such as detection and response, organizations’ security leaders unsurprisingly see all three categories as important, and this is reflected in the investments they make. Preventative measures lead, with 72% of respondents citing them as very important, compared to 67% for proactive controls and 63% for responsive ones. There is a general desire to reduce the number of alerts a SOC is dealing with, as most security operations teams report they lack the investigative capacity to dig into the alerts they are receiving. Automated attacks have been an issue for several years now, and the idea that AI will enable a volumetric increase in sophisticated attacks is not welcome news to defenders — and may be driving this prioritization of fundamentals and preventative controls.
