Security leaders entered 2026 with little expectation that uncertainty will ease, now or later. Economic pressure, geopolitical instability, accelerating artificial intelligence adoption, and renewed technology consolidation have turned volatility into a structural condition rather than a temporary disruption. This is life now, and CISOs are being asked to move faster, support aggressive AI initiatives, and protect trust, all while budgets and headcount shrink and the pressure to demonstrate assurance grows.

Our latest report, Top Recommendations For Your Security Program, 2026, provides our team’s prioritized advice for security leaders navigating this reality. Rather than assuming stability will return, this year’s recommendations focus on building programs that can flex, rebalance, and endure as conditions change.

We’ve pulled out four of our 12 recommendations below to illustrate some of what CISOs will face this year and, more importantly, what they should do about it. Our recommendations for 2026 fall into four themes:

  1. Changing budget dynamics
  2. AI-driven disruption
  3. Shifting security technology power
  4. Intensifying geopolitical risk

We design this annual guidance to help CISOs, CIOs, and other technology leaders and their teams align security strategy with business priorities in an environment that refuses to stabilize.

Deal With Changing Budgets: Treat AI Security As A Business Cost, Not A CISO Tax

Budget predictability is gone. Inflation, trade friction, and executive enthusiasm for AI are forcing CISOs to make tradeoffs faster and more frequently than traditional planning cycles allow. Treating security as a fixed cost center leaves programs exposed when priorities shift midyear.

Our recommendation: Shift AI security costs out of the security budget.

AI security is not a niche control set. It’s a business risk that scales with AI adoption across marketing, operations, and product teams. Funding AI security solely from the security budget guarantees tradeoffs that weaken core defenses. CISOs should push to embed AI security costs directly into enterprise AI investments, aligning funding with risk ownership and protecting foundational security programs.

Deal With AI Disruption: Put AI Governance At The Center Of Risk

AI governance has moved far beyond an ethics or compliance exercise. AI systems evolve continuously, regulations remain fragmented, and failures escalate quickly into trust, regulatory, or executive crises. What makes AI risk especially difficult is that many organizations still lack basic visibility into where AI is used, what data it touches, and who owns the risk.

Our recommendation: Identify, assess, and socialize AI risk.

You cannot govern what you cannot inventory or explain. CISOs should prioritize visibility into AI systems, embed AI risk management into existing governance processes, and communicate AI risk in business terms. Treat AI governance as a shared leadership responsibility to ensure that accountability keeps pace with AI adoption.
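The inventory step is the one part of this recommendation that can be partly automated. Below is an added example, not Forrester’s code or part of the report: a small Python script that builds a first-pass AI-usage inventory from two signals most organizations already have, dependency manifests in source repositories and outbound proxy logs, and attributes each finding to an owning team. The SDK list, the AI API hostnames, the subnet-to-team map, the manifests, and the log lines are all assumptions constructed for illustration; a real run would feed in the organization’s own repositories, egress logs, and asset data.

```python
"""First-pass AI-usage inventory (added example; not Forrester's code).

Two signals are combined:
  1. dependency manifests (requirements.txt / package.json) -> which teams
     ship code that calls AI SDKs or runs models locally;
  2. outbound proxy logs -> which source networks actually talk to AI APIs,
     including traffic from hosts nobody has claimed ownership of.
All lists and sample data below are constructed for the example.
"""
import ipaddress
import json
import re
from collections import defaultdict

# Assumed package-name -> service map (illustrative, not exhaustive).
AI_SDKS = {
    "openai": "OpenAI API",
    "anthropic": "Anthropic API",
    "langchain": "LangChain (LLM orchestration)",
    "transformers": "Hugging Face Transformers (local models)",
    "@google/generative-ai": "Google Gemini API",
}

# Assumed AI API hostnames as they would appear in proxy logs (illustrative).
AI_HOSTS = {
    "api.openai.com": "OpenAI API",
    "api.anthropic.com": "Anthropic API",
    "generativelanguage.googleapis.com": "Google Gemini API",
}

# Assumed asset map: which team owns each subnet (constructed for the example).
SUBNET_OWNERS = {
    "10.20.4.0/24": "marketing",
    "10.30.0.0/16": "product-engineering",
}


def owner_for_ip(ip):
    """Map a source IP to an owning team; 'UNOWNED' is itself a finding."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in SUBNET_OWNERS.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return "UNOWNED"


def scan_requirements(owner, text):
    """Return (owner, source, evidence, service) for AI SDKs in a requirements.txt."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):          # skip blank lines and pip options
            continue
        # package name ends at the first version operator, extra marker, or space
        name = re.split(r"[=<>!~\[; ]", line, maxsplit=1)[0].lower()
        if name in AI_SDKS:
            hits.append((owner, "requirements.txt", name, AI_SDKS[name]))
    return hits


def scan_package_json(owner, text):
    """Return findings for AI SDKs listed in a package.json."""
    data = json.loads(text)
    hits = []
    for section in ("dependencies", "devDependencies"):
        for name in data.get(section, {}):
            key = name.lower()
            if key in AI_SDKS:
                hits.append((owner, "package.json", name, AI_SDKS[key]))
    return hits


def scan_egress(lines):
    """Parse constructed proxy lines: '<timestamp> <src_ip> <dst_host> <bytes_out>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:                           # malformed line: ignore, don't crash
            continue
        _ts, src_ip, host, _bytes = parts
        host = host.lower()
        if host in AI_HOSTS:
            hits.append((owner_for_ip(src_ip), "egress-log", host, AI_HOSTS[host]))
    return hits


def build_inventory(manifests, egress_lines):
    """manifests: list of (owner, path, content). Returns {owner: {service: [evidence]}}."""
    hits = []
    for owner, path, content in manifests:
        if path.endswith("requirements.txt"):
            hits += scan_requirements(owner, content)
        elif path.endswith("package.json"):
            hits += scan_package_json(owner, content)
    hits += scan_egress(egress_lines)
    inventory = defaultdict(lambda: defaultdict(set))
    for owner, source, evidence, service in hits:
        inventory[owner][service].add(f"{source}:{evidence}")
    return {o: {s: sorted(e) for s, e in svcs.items()} for o, svcs in inventory.items()}


# Constructed sample input (not real repositories or logs).
SAMPLE_MANIFESTS = [
    ("marketing", "campaign-bot/requirements.txt",
     "requests==2.32.0\nopenai>=1.30  # content generation\nlangchain[all]==0.2.1\n"),
    ("product-engineering", "web/package.json",
     json.dumps({"dependencies": {"react": "^18", "@google/generative-ai": "^0.12"}})),
]
SAMPLE_EGRESS = [
    "2026-03-02T10:14:07Z 10.20.4.17 api.openai.com 48213",
    "2026-03-02T10:14:09Z 10.30.8.2 api.anthropic.com 1200",
    "2026-03-02T10:15:00Z 192.168.77.5 generativelanguage.googleapis.com 9001",
    "2026-03-02T10:15:02Z 10.30.8.2 example.com 300",
]

if __name__ == "__main__":
    print(json.dumps(build_inventory(SAMPLE_MANIFESTS, SAMPLE_EGRESS), indent=2))
```

Two things the output shows that the manifests alone would not: product-engineering calls the Anthropic API even though no Anthropic SDK appears in its manifest (a raw HTTP client or a transitive dependency), and a host in an unmapped network is sending data to Gemini with no owner on record. Both are exactly the “who owns the risk” gaps the recommendation is about, and the UNOWNED bucket is the list to take to the leadership conversation.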

Deal With Changing Tech: Pressure Vendors And Plan For Their Failure

Technology consolidation has returned, but the market looks different in 2026. Power is concentrating among vendors that control data, identity, cloud platforms, and AI control surfaces. While consolidation can simplify operations, it also introduces concentration risk that many organizations underestimate.

Our recommendation: Protect your organization from security tech failures.

Recent vendor outages, delayed breach notifications, and supply chain compromises have shown how quickly provider failures become customer crises. CISOs must stop assuming resilience comes automatically with scale. Build resilience by avoiding overreliance on single platforms, demanding stronger vendor accountability, and planning for scenarios where security tooling itself is unavailable or compromised.

Deal With Changing Geopolitics: Rehearse For Disruption, Not Stability

Geopolitics is no longer background noise. Data sovereignty requirements, state-aligned cyber activity, and the collapse of distance between global events and enterprise operations have made geopolitics a direct input into security strategy and continuity planning.

Our recommendation: Run high-impact geopolitical scenario planning.

CISOs should rehearse scenarios tied to real business dependencies such as regional cloud isolation, supplier compromise, or service shutdown decisions. The goal is not to predict the next disruption perfectly, but to ensure that when it arrives, decision-making is deliberate rather than reactive.

For a deeper dive into these insights and the full set of recommendations, Forrester clients can read the full report, Top Recommendations For Your Security Program, 2026, and join our webinar on Wednesday, April 8. Forrester clients can also schedule an inquiry or guidance session to discuss how these recommendations apply to their organization.