Voice of Security: 2026 Report

Execs are paying attention, with the vast majority of respondents (87%) reporting that board-level attention to cybersecurity has increased over the past year. This is especially notable in the US, where almost half (48%) say board-level attention has increased significantly.

Increased board-level attention reflects a rapidly intensifying risk environment. Almost three-quarters of respondents (73%) believe a significant cybersecurity incident is likely in the next 12 months, with 52% of US-based respondents believing it’s highly likely.

Increased attention doesn’t automatically translate to alignment, however. Many teams still struggle to connect security priorities to broader business objectives, with 52% rating it as highly challenging.

Senior decision-makers point to barriers like competing business versus risk goals, difficulty communicating value, limited visibility into risk or impact, resource constraints, and shifting business priorities. Worryingly, more than one in four (28%) security leaders feel like leadership sees security as a blocker.

What are the biggest barriers preventing stronger alignment between security and business leadership, according to senior security leaders?

Practitioners say they’re held back from aligning with broader business goals by frequent priority changes and slow or rigid processes. They also point to burnout and too much manual work as obstacles.

What are the biggest challenges that make it harder for their team's work to align with wider business goals, according to practitioners?

Lean security teams are expected to focus on a wide range of issues, with priorities spread equally across multiple infosec domains. The flat distribution of senior security leader priorities for 2026 reinforces this tension.

What are senior security leaders’ top priorities for 2026?

Juggling multiple equally important demands, rather than executing a narrow roadmap, also makes it harder for security teams to prove impact. Currently, security performance is evaluated through a mix of budget management, compliance outcomes, training effectiveness, and incident-related measurements.

Top metrics tracked to measure the performance of their security program 

Leaders say:

Practitioners say:

These KPIs paint a picture of a function that’s expected to do it all. Security teams must deliver operational assurance and business accountability, respond to existing threats and proactively mitigate emerging ones, and stay ahead of evolving regulatory requirements – all while keeping costs low and without burning out their small teams.

Security is already playing a strategic role, but a lack of visibility and communication can cause its impact to go overlooked. To further strengthen their influence, teams must connect their KPIs more clearly to business objectives (such as business resilience and operational efficiency) to emphasize the value they bring and solidify their seat at the strategy table.

Both leaders and practitioners feel positive about the impact of AI, highlighting its effectiveness across key capabilities such as threat detection, identity and access monitoring, compliance and policy writing, and ticket triage and workflow automation.

In addition to the huge benefits and opportunities it brings, AI is also a core part of the 2026 risk landscape. Three of the top five cybersecurity challenges security leaders expect to face this year explicitly center on AI. Data leakage through AI copilots and agents takes the number-one spot, closely followed by shadow AI and prompt injection attacks. Interestingly, the data reveals that internal AI use cases are considered a bigger risk than external attackers.

Even the remaining two challenges (third-party risks and evolving regulations) are being reshaped by AI. These aren’t new problem areas, but AI introduces new layers of complexity. Security teams need visibility into how third parties use and manage AI, and must ensure their own AI practices align with rapidly emerging regulations across industries and markets.

It’s clear that AI isn’t a fringe threat vector. It cuts across data protection, governance, and day-to-day operations. Once again, there’s no clear individual challenge that leaders must prepare for. Instead, they need to be ready for a broad mix of AI-driven pressure points landing at once.

That’s why AI governance is quickly becoming a core competency for modern security teams – particularly when many AI risks are coming from within. AI governance sets the policies, controls, and workflows to keep AI adoption safe, compliant, and predictable throughout the organization. It reduces risks of non-compliance, data leakage, and shadow AI, enabling teams to securely and confidently leverage AI and unlock its effectiveness.

To do this, teams are pairing AI adoption with guardrails and policies. Larger organizations are more likely to have a formal AI policy or framework already, while SMEs are less likely but working to catch up.

Currently, 45% of respondents overall are “very confident” that AI outputs are subject to human-in-the-loop checks or other guardrails before being used in security decisions or actions. This rises to 65% for teams with formalized, active AI policies in place, highlighting the impact of a strong framework on essential governance touchpoints and critical decision-making.

Likewise, teams without these policies in place simply don’t have the same confidence levels, suggesting they may be at risk of using unverified outputs for business decisions.

Despite their importance, governance and compliance are still seen as blockers. Over a third of respondents (35%) cite it as the top barrier to effective automation, ahead of budget constraints and resource limitations. This could signal that governance maturity is lagging behind enthusiasm for AI adoption.

As we saw in the previous section, improving AI and governance policies are key priorities for security leaders and teams in 2026. Without these systems in place, however, teams will likely find it difficult to make progress and utilize AI to its full potential.

With AI firmly at the center of security work, security leaders and practitioners must champion governance as an enabler, not a blocker. A strong governance foundation, including clear policies and guardrails, empowers teams to scale AI safely and effectively, supporting business agility, responsiveness, and innovation while protecting against threats.

This would be equivalent to roughly 3.5 hours in an 8-hour workday, if distributed daily. For a small but significant number of teams (14%), this rises to 60% to 80%. This means many teams are spending a huge percentage of their valuable time on tasks that could be taken off their hands – and out of their backlog – by AI and automation.

Three-quarters (76%) of security professionals say they experience emotional exhaustion, reduced motivation, or mental fatigue frequently or occasionally. Heavy workloads are the biggest culprit, followed by constant pressure, repetitive tasks, and limited resources.

We also see that the more tools a team uses, the higher the likelihood of burnout. Almost half (47%) of all teams that use between 75 and 99 security tools daily say they frequently experience burnout, compared to the overall average of 26%.

Senior leaders recognize the negative impact of manual work on their teams. They rank modern tools and automation that reduce manual workloads as the top way to retain talent, even above competitive compensation packages and regular recognition.

Removing repetitive tasks helps to restore a good work-life balance, which practitioners cite as the most important factor impacting their decision to stay in their role.

What are the main causes of burnout in your team?

But it's not just a morale issue. Manual work creates more risk, from the compounding effects of human errors to reduced capacity that leaves teams unable to scale their response fast enough when threats arise. When used correctly, AI and automation can address these challenges, reducing heavy workloads and helping teams orchestrate workflows to free up time for high-impact, high-stakes work without requiring additional headcount. But it’s clear that while AI is present in most organizations, many teams aren’t yet using it to reshape their operational foundations.

This isn’t due to a lack of interest or resistance to automation. In fact, only 19% of respondents say the ROI or business case for automation is unclear. The real blockers are foundational. Security and compliance concerns, limited resources, and technical challenges (such as integration gaps, legacy systems, and staff training) make it difficult to implement new ways of working, even when teams are optimistic about the potential.

What are the main barriers to effective automation in your environment?

This could explain why AI adoption hasn’t yet translated into meaningful reductions in manual work. When workflows are fragmented, processes depend on manual handoffs, and teams must constantly switch between disconnected tools and outdated systems, adding AI doesn’t fix the problem. It just slots into the same broken structure, becoming another tool to manage instead of a force multiplier.

The signal is clear. AI alone is not enough. The potential to improve workloads is enormous, with massive time savings and morale improvements just within reach. But it can’t solve underlying operational issues on its own.

To reduce workloads, eliminate repetitive muckwork, and create sustainable capacity, teams must rethink the foundation of how work gets done. This is where intelligent workflows come in.

Intelligent workflows gives teams the visibility, guardrails, and security required to scale their resources effectively and reliably. Only then can they break out of the cycle of rising workloads and turn AI from isolated wins into real impact.

Sentiment is overwhelmingly positive, with 86% of respondents expressing optimism that AI will create new opportunities in the job market. Of these, almost half (48% of leaders and 45% of practitioners) describe themselves as very optimistic.

Exposure to AI further increases this confidence. More than half (52%) of teams that already use AI, automation, and workflow tools in their daily work say they’re very optimistic. Significantly, two-thirds of respondents (66%) with a formalized and active AI policy or framework are very optimistic.

This data suggests that the more experience teams have with AI and the more mature their adoption is, the more confidence they have that it will positively transform the job market. This may be because they’re already seeing the benefits and impact of AI, automation, and orchestration in their everyday work.

Teams currently feeling the effects of manual work and frequently experiencing burnout also express higher-than-average levels of optimism, suggesting they’re aware of the weaknesses in their current processes and recognize how AI could make their roles less repetitive and more strategic going forward.

% of respondents who are very optimistic that AI will create new opportunities in the security job market

However, some regions are more positive than others. The US, Australia and New Zealand, and the UK report the most optimism about the AI job market, while Europe remains more measured.

This trend may reflect differences in these geographies’ regulatory approaches to AI. For example, the EU’s AI Act outlines a rigorous framework for how businesses use and report on AI, which could contribute to more measured expectations in those countries. It’s worth noting, however, that even in these more cautious regions, overall optimism is still high, with only 3% of respondents globally saying they’re “unoptimistic”.

Looking forward, AI literacy and prompt engineering top the list of new skills deemed most important for security professionals as we enter 2026, closely followed by cloud and infrastructure security. The next generation of security professionals must also be skilled at security automation and threat intelligence, with data governance and ethics rounding out the top five.

Which new skills do you think will be the most important for security professionals by 2026?

Together, this skillset paints a clear picture of where security roles are headed. AI-driven, cloud-native, and compliance-first security will become the norm. Intelligent workflows mean that automation will handle repetitive tasks and data-intensive work, AI will provide explainable insights, and human analysts will focus on judgment and governance.

Teams are in a good position to reskill or hire for AI-related roles with 81% reporting that they’re mostly or very prepared.

Once again, teams with a formal AI policy in place have an advantage. Over half (59%) say they’re “very prepared” to reskill or hire for these roles, possibly because they’re more familiar with the requirements for candidates. Teams without these frameworks in place (or at least underway) are at risk of falling behind, with only 48% believing they’re prepared to fill these roles.

Percentage of respondents who say their team is prepared to reskill or hire for AI-related roles, by AI policy status:

When it comes to retaining top security talent, leaders and practitioners are relatively aligned – with one notable exception. As we saw in the previous section, practitioners rate a good work-life balance above all else. This is closely followed by fair compensation and flexible working options, with value-based factors (such as having an impact, positive team relationships, and opportunities to learn and grow) also ranking highly.

Senior decision-makers say reducing manual work via modern tools and automation is the most effective way to keep their employees happy, which maps neatly to practitioners’ desire for a good work-life balance. But while leaders believe career growth opportunities and clear promotion paths are the second-best way to retain talent, practitioners are far less motivated by advancement than leaders realize, revealing a clear perception gap.

What actions are most effective for retaining security talent?

Leaders say:

Practitioners say:

In fact, practitioners are more interested in having an impact (33%) than in clear career progression (29%). This is true across all lengths of service, even for early career professionals with only 1–3 years in security, risk, or process roles.

Overall, security professionals feel energized by the career possibilities AI is creating. For practitioners, AI feeds into their core priorities and long-term goals: it cuts out time-consuming, low-value tasks and enables them to focus on fulfilling, meaningful work that inspires them.

To keep top talent engaged and future-ready, leaders and organizations must invest in emerging skills, listen to what practitioners really want, and give teams the tools and workflows they need to win back time for impactful work.

Lack of integration remains a top challenge, particularly for companies with between 1,000 and 4,999 employees. This has significant effects. As we’ve already seen, integration gaps between tools is a major blocker to effective automation, especially for organizations with between 500 and 4,999 employees where it’s ranked as the second-biggest barrier.

What challenges do your current tools create?

In 2026, businesses are leaning into interoperability. Some 62% of organizations are using or considering the OpenAI API or plugin framework for security work, while 44% are using or considering Model Context Protocol (MCP).

This suggests that teams are thinking strategically about AI adoption and moving beyond isolated AI pilots toward embedded, operational AI workflows.

MCP is gaining traction because it gives AI a standardized way to interact with tools and systems. While MCP accelerates the operationalization of AI, the inherent concerns around access control, auditability, and governance still exist. An intelligent workflow platform helps teams tightly scope tool actions, enforce deterministic checks around LLM behavior, and include human review where needed, all while integrating cleanly with the systems you already use. It gives you a safer, more controlled foundation to orchestrate AI.

Rather than consolidating their tools, most respondents (73%) expect their security tech stack to expand in the coming year – particularly organizations that use over 50 tools. Even large tech stacks are only continuing to grow, highlighting the need for vendor-agnostic platforms that flexibly adapt to teams’ tools rather than locking them into specific systems or ways of working.

If done poorly, however, these additional tools risk increasing pressure on already stretched teams and workflows. We’ve already seen how simply bolting on additional tools to existing workflows can contribute to burnout, adding to manual workloads and increasing context switching for practitioners.

Teams see strong potential for these connected, automated workflows to boost productivity, accelerate response times, and improve data accuracy. Respondents also expect them to strengthen compliance and facilitate faster decision-making, better visibility, and smoother collaboration.

What benefits would you expect from more connected, automated workflows?

An intelligent workflow platform gives security teams the foundation to build, adapt, and scale their processes. The right platform unites automation, AI, and integrations so work can move seamlessly across systems and people in a secure, reliable way.

As workloads rise, AI adoption increases, and tech stacks expand, intelligent workflows will be the differentiator that enables security teams to orchestrate their work across even the most complex processes and systems without introducing risk.