5 trends reshaping IT security strategies today


Market pressures, financial issues, and the rise of AI are making CISOs more flexible in how they look at security and plan their strategies, so they can deal with and stay ahead of faster-growing risks and problems.

The main goal of cybersecurity hasn’t changed: it’s to protect the organization from all the dangers in the digital world.

However, what counts as a danger is changing, and so are the technologies used by both attackers and defenders in cybersecurity. The way security leaders carry out their mission is also changing. Threats are getting bigger and more complex. Attacks are happening more quickly. AI is changing everything. Market pressures and financial challenges are getting worse.

CISOs are feeling this pressure. Bitsight Trace did a survey of 1,000 cybersecurity and cyber risk leaders for its State of Cyber Risk and Exposure 2025 report. They found that 90% of respondents said managing cyber risks is harder now than it was five years ago. The biggest reasons for this increased difficulty, according to the respondents, are the rapid growth of AI and the expanding attack surface.

But cyber leaders say these are just two of the factors affecting security. Here, they talk about five main trends that are changing IT security strategies today.

1. Financial pressures putting the squeeze on security budgets

Macroeconomic uncertainties have put pressure on the C-suite to keep costs in check. That pressure extends to the security function, with CEOs and CFOs expecting CISOs to do more with less, says Lou Steinberg, founder and managing partner at CTM Insights, a cybersecurity research lab and incubator.

“We’ve hit a point of funding fatigue with information security. Budgets have gone up and to the right forever, and now they’re flat and sometimes down,” Steinberg says. “That’s new to many CISOs, so they have to answer questions about efficiencies that they have not had to in the past.”

The 2025 Budget Benchmark Report from IANS Security and Artico Search found that average annual security budget growth dropped to 4%, a sharp decline from 8% in 2024 and the lowest growth rate in five years. It also found that only 47% of the 587 surveyed CISOs reported an increase in their security budgets in 2025, down significantly from 62% in 2024 and 78% in 2022. More than half (54%) reported flat or shrinking budgets.

Similarly, the 2025 Global Cybersecurity Leadership Insights Study from professional services firm EY found that cybersecurity budgets have fallen from 1.1% to 0.6% of annual revenue over the past two years.

Steinberg said CISOs in response are simplifying their tech stack, shedding bespoke and point-in-time solutions for off-the-shelf options that offer the same controls but are easier to manage and have a lower total cost of ownership. They’re identifying more areas to automate to generate efficiencies, and they’re outsourcing more to reduce talent costs.

2. AI-enabled attacks emerging to amplify business risks

CISOs now see AI-powered cyberattacks as their biggest worry, with 80% of them mentioning this in a survey by Boston Consulting Group. This is different from a year ago when AI-powered attacks were only the fourth biggest concern for CISOs. Attackers are using generative AI to create more advanced, focused, and successful social engineering tactics.

According to the BCG survey, 62% of CISOs consider this a major concern or a serious threat. “Companies have seen a big increase in automated attacks powered by generative AI. These attacks are easier for hackers to carry out and can be very good at tricking employees, partners, or customers,” BCG said when they shared the survey results.

Because of this, CISOs are investing more in areas they think can help defend against these kinds of attacks, especially threat intelligence, application security, and AI-based security tools, according to BCG.

Security leaders are preparing for even stronger AI-driven attacks. Kris Lovejoy, the global security and resiliency practice leader at Kyndryl, expects that by 2027, companies will face completely autonomous, AI-powered cyberattacks.

These predictions are pushing CISOs to quickly adopt AI tools for detecting, responding to, recovering from, and building resilience against cyber threats, says Wolfgang Goerlich, a faculty member at IANS Research and a CISO in the public sector.

3. Agentic AI rising to redefine security fundamentals

CISOs are working to protect their organization’s AI projects. They are changing rules and using tools to keep the data used by AI safe, as well as the AI systems themselves. This work is still in progress, but now CISOs need to start thinking about how to protect their organizations from the risks that come with agentic AI.

According to Team8’s 2025 CISO Village Survey, 37% of CISOs say securing AI agents is one of their biggest worries. Steinberg points out that agentic AI will require CISOs to change how they handle both authentication and authorization. “Right now, most agents are in their own safe areas, so CISOs trust them without checking,” Steinberg says. “But soon, we may have agents from outside interacting with our organization. CISOs will need to check that these agents are who they claim to be and that they have the right to do what they’re doing. We’ll have to ask, ‘Are you allowed to perform this task?’”

For example, Steinberg says agentic AI could let a traveler book a flight with just a simple message. The traveler might start by asking for a flight that fits their needs, like the departure and arrival airports, the day, and preferred airline. The AI agent would then handle the search, booking, and payment on its own.

In this future, the airline will need a way to confirm that the agent had permission to book the flight on the traveler’s behalf — something that’s hard to do without a person involved, Steinberg notes.

“We need a way to make sure a real person with a real identity wants the agent to do something specific. Otherwise, how can the company be sure the process is trustworthy?” Steinberg says, adding that agentic AI means the end of using authentication as a stand-in for authorization.

Steinberg says there aren’t any real answers to this problem yet, even though researchers and tech companies are trying to improve existing authorization systems with better authentication methods.

“But until there is a real solution, we’ll keep using the walled garden approach: I’ll only trust what I own,” he says. “This will be limiting when business leaders want to move fast. It could mean the security team ends up being the one that says no and is slow to act.”

4. Speed of change shifting security postures and practices

Speed is also a big factor in how companies are handling security. According to CISOs, they’re moving faster now than ever before, and they think they’ll need to move even quicker in the future to keep up with both attackers and the business itself.

The CISO Perspectives Report 2025, from Cobalt, a security company, found that 60% of security leaders believe attackers are changing too fast for security to stay truly strong.

Another report, the 2025 CISO Benchmark Report: Securing the Digital Foundation for Reinvention, from Accenture and the Retail & Hospitality ISAC, found that 45% of CISOs named “speed of business requirements” as a challenge when trying to build a secure digital system from the start.

Phil Swain, CISO and vice president of information security at Extreme Networks, explains, “It’s about how fast things are changing and keeping up with that change. CISOs are here to support the business, and security is part of what helps the business grow. As businesses become more flexible and innovative, that same energy is pushing security to change and adapt more quickly too.”

5. Vendor landscape raising questions about viability, resiliency, and trust

The security technology industry saw a lot of mergers and acquisitions in 2025. According to a report by Kroll, a company that offers financial and risk advice, the number of deals in the first quarter of 2025 was similar to the record deal volume seen in 2024. This shows that the activity of buying and selling companies remains high. Strategic buyers and investors are combining their skills in important areas like cloud security, managing exposure, identity, and security operations. The goal is to adapt to changing needs of businesses and take advantage of opportunities that come from using multiple platforms.

However, Goerlich says this trend might not always be good for CISOs, who are the people in charge of cybersecurity.

He explains, “When we think about resilience, we have to think about how resilient our software and service providers are. This is pushing us to look more closely at the vendor market. We’re paying more attention to whether our vendors are stable, if they might be bought, and if they’ll still be around. Because when a vendor gets acquired, costs can go up a lot, and their plans can be put on hold. I had a vendor that got bought, and their development plans stopped. As a result, they fell behind, and I ended up with a weak spot in my security program. I had to change my approach, even though I wasn’t planning on it.”

Goerlich now spends more time keeping an eye on the vendor market and staying updated on investment trends and M&A news. This helps him protect his security program from unexpected changes in the future.
