
A new study from RSAC found that 76 percent of CISOs’ budgets increased between 2024 and 2025, with only 12 percent seeing a decline. Their top areas of investment for 2025-2026 are identity and data protection.
The report also looked at the stress of the CISO role. Among Fortune 1000 businesses, 60 percent report that their mental or physical health has been affected by being a CISO. Cybersecurity team members are in the same boat, with a 2024 study finding that 78 percent of respondents were at serious risk of burnout.
Personal liability for security breaches is also a major worry, particularly for CISOs of smaller companies. Nearly 50 percent of them report that they’re not indemnified.
The findings also show that turnover among cybersecurity teams has been low, with 67 percent saying they’ve seen less than five percent turnover as of Q2. However, RSAC believes that this reflects a soft jobs market rather than high levels of satisfaction. Salaries remain the biggest challenge to retaining security staff, with dissatisfaction with benefits and a lack of training opportunities also figuring prominently.
Some leading players in the cybersecurity sector weighed in on the findings.
Heath Renfrow, Co-Founder and CISO at Fenix24
"The CISO's workload is accelerating because the attack surface is expanding faster than teams, budgets and tooling maturity. Cloud sprawl, SaaS proliferation, identity-driven attacks, and 24/7 ransomware pressure have turned the role into a constant crisis-management loop.
"To cope, CISOs must shift from “owning” everything to governing outcomes—reducing operational drag through automation, outsourcing commodity functions, and focusing internal talent on the few capabilities that actually differentiate security resilience. Any CISO who tries to personally quarterback every domain will fail. The CISO who architects a scalable operating model will survive.
"Mental health strain in cybersecurity is worsening, and CISOs are carrying the heaviest emotional load in the industry. They are expected to prevent the unpreventable, respond flawlessly under global scrutiny, and never show fatigue.
"While empathy and emotional intelligence are now essential leadership traits, CISOs cannot become full-time therapists. Boards and CEOs must begin treating cyber burnout as a strategic risk, not a personal failing. In 2026 and beyond, I believe we’ll see formal wellness support built into security programs, including mandatory downtime post-incident, rotation-based on-call models, and executive mental-health resources. The CISO protects the organization—someone must be accountable for protecting the CISO.
"The skills gap is widening, but the experience gap is the real problem. We don’t lack people—we lack pathways to turn potential into capability. CISOs must stop recruiting unicorn résumés and instead adopt a 'talent factory' mindset.
"In 2026, the most successful programs will hire for aptitude and resilience, then invest heavily in on-the-job training and structured mentorship. Pair this with selective outsourcing for niche or 24/7 functions, and CISOs can build a sustainable talent engine instead of constantly fighting attrition."
Diana Kelley, CISO at Noma Security
"As CISOs plan for 2026, the latest RSAC research findings are a strong proof point that Identity and Access Management (IAM) remains at the heart of enterprise defense, with nearly 25 percent of respondents indicating it will be their top area for increased investment next year.
"In the past few years the scope and scale of the identity landscape have shifted considerably as Non-Human Identities (NHI) have exploded. The imminent advent of autonomous AI agents that can “reason” and act through connected tools will accelerate that growth. So it’s really encouraging to see IAM investment prioritized on this list as companies continue maturing their identity programs to create a strong base of support for the next generation of NHI and agentic AI identity."
Shane Barney, CISO at Keeper Security
"Security budgets may finally be starting to match the scale of the threat landscape, and identity and data protection remain at the center of those investments. Attackers no longer need to breach technical defenses when stolen credentials can provide direct entry into critical systems.
"Identity now represents the true front line of defense. Without full visibility into who has access, when access is used and what activity occurs, organizations are already operating at a disadvantage.
"Data protection begins with controlling identity. When credentials are compromised, the attacker’s ultimate goal is the information that defines business value. Privileged access management restores control by limiting user actions, verifying every request and maintaining detailed activity records that strengthen accountability. This is not a compliance exercise but a fundamental component of risk management that enables faster containment and recovery when incidents occur.
"The growing complexity of enterprise systems continues to challenge even the most mature security programs. Every application, integration and vendor expands the attack surface and adds another layer of access to oversee. Simplification is not about reducing capability but improving clarity. When identity and access are managed through a single pane of glass, decision-making becomes faster and responses more precise."
Dana Simberkoff, Chief Risk, Privacy and Information Security Officer at AvePoint
"In today’s digital workplace, cybersecurity is no longer just a C-suite concern. As organizations’ data environments become increasingly complex to manage and govern, it only takes one person to mistakenly access and share confidential data with an external software tool or bad actor. Ultimately, this supports why proper access control policies are so critical for organizations to prioritize.
"Cybersecurity must become an organization-wide and cultural priority, and it starts at the C-level. When the top executives in your organization understand and endorse the value of upskilling colleagues on how to know and spot new cyberthreats, that sends a strong message through the organization.
"Organizations should focus on building a comprehensive approach that includes strong data protection and backup, data governance, zero trust architecture, and regular risk assessments. It's critical to cultivate a security-aware culture through ongoing employee training and to have a well-tested incident response plan. Ultimately, the goal is to create a proactive, risk-based security posture that not only qualifies for better insurance terms, but significantly reduces the likelihood of successful attacks."
Gareth Lindahl-Wise, CISO at Ontinue
"Many CISOs are being asked to participate in more strategic business activities – which for many can be a steep and intensive learning curve. In reality, many of the existing responsibilities of a CISO are insufficiently optimized to a point where they don’t require constant attention. A CISO must work at these to create the space to take on additional responsibilities.
"External, internal and personal expectations are all increasing, which is likely to load more tension on a CISO's mental wellbeing. Their career path may not have equipped them for managing larger, often distributed teams.
"CISOs should be seeking this sort of development – either from their organizations or personally. In terms of looking out for the mental health of the CISO, well, a good boss is always a great place to start! As both a mentor and mentee myself, I see the benefits of having somewhere else to turn to discuss challenging situations.
"I would strongly encourage CISOs to have mentors both inside and outside of their business. The experience of mentors is a goldmine waiting to be tapped into.
"Personal liability for compliance failures is likely to be a concern for the CISOs who haven’t adjusted to what it means. It should drive much more transparency – from the CISO to the board and vice versa. For many years CISOs have sat on issues which they either think won’t get resolved or that management doesn’t want to hear about. Personal accountability should drive those situations into the open, to the benefit of all in the end."
Emma Werth, VP, Underwriting & Reinsurance at Cowbell
"Today’s modern CISO must communicate and collaborate with every team within the organization. Cybersecurity impacts every employee, so ensuring everyone is properly following all protocol and every department has controls in place is absolutely critical.
"There's a significant difference between deployment or implementation and optimization, or what I’d call proper deployment. We see this as a critical issue in loss experience. Policyholders may have implemented some MFA, but not everywhere, and not for the crucial software, which may be the most effective in preventing loss.
"Another issue is that patching is done within a strong cadence; however, that doesn't prevent CVEs from penetrating a network outside of that patching cadence and causing damage. Additional key controls include ensuring all employees complete cybersecurity awareness training and a frequent backup of data that is offline and tested."