Index Insider: AI Transformation Is Going Great, for Cybercriminals

Friday, May 22, 2026

Hello. This is Alex Bakker with what’s important in the IT and business services industry this week.


What You Need to Know

An oft-used metaphor is that cybersecurity is an arms race – as fast as enterprise security organizations develop new security measures, cybercriminals deploy new technologies to beat them. Enterprises struggle to respond quickly enough, which is why cybersecurity budgets continue to rise even when broader IT spending is flat.

The biggest challenge is that attackers can be on the bleeding edge of technology adoption in a way that legacy-estate-encumbered enterprises cannot. In fact, ISG’s 2026 Cybersecurity Buyer Behavior study shows the myriad ways enterprises struggle to move as fast as the market: the lack of AI/ML skills, the burden of infrastructure complexity, the need to balance AI innovation with security and risk controls, and the reality of legacy equipment and applications. Meanwhile, cybercriminals don’t exactly need to worry about governance, procurement or the costs of legacy technology modernization. The advent of AI has made this disparity even more pronounced.

Three years ago, enterprises already had this on their radar. When asked to look ahead at their biggest threats for the next two years, 56% answered that AI and machine learning (ML) threats would be their top challenge. Throughout the AI pilot stage, CISOs at most enterprises were expecting their adversaries to adopt AI tools to hurt them faster than they could react. 

Data Watch

Top Threats Over the Next Two Years Chart

Now, three years later, that expectation remains at the top of the list. Half of all enterprises expect new AI threats to be their greatest challenge over the next two years. And beyond just AI threats, AI-related risks are overrepresented among their challenges: data leakage through AI tools, AI-generated phishing, malicious internal AI use, and even attacks on the AI models themselves. In the era of Anthropic’s Mythos model, it is easy to imagine how AI creates new threat vectors; CISOs are already anticipating a reality in which dependence on AI itself becomes a vector.

Of those enterprises that participated in our study, 74% report that they have increased their AI-related cyber spending in the last 12 months and that AI-related security costs are now above 11% of their total security budget. Three years ago, we concluded that CISOs were worried AI would be their enemy before it was their friend. It’s fair to say that now it’s both.

About the author

Alex Bakker

Alex leads the Primary Research Team, where he focuses on study design, panel research, and interview-based research for ISG. In addition to leading the Primary Research practice at ISG, Alex also serves as the lead analyst on provider pursuit effectiveness and helps IT service providers understand how they can improve performance in the competitive process.
 