How CISOs Can Thrive Amidst Geopolitical and Economic Uncertainty

Amid escalating geopolitical conflicts, economic uncertainty, and ongoing tariff chaos, chief information security officers (CISOs) are operating in a prolonged state of uncertainty where cyberattacks have become a new component of armed conflict, expanding the attack surface just as organizations are struggling to secure AI and critical infrastructure. Security leaders are also facing budget constraints due to macroeconomic concerns and AI’s influence on tech spending. To manage, leaders must optimize spending, commit to structured change management, and strengthen enterprise risk management. Our latest Forrester report, Security Leaders: How To Thrive Through Volatility in 2026, provides actionable insights for CISOs to navigate these turbulent times. Here are a few of the key lessons and what they mean for you.

Optimize Costs Without Compromising Security

  • Prioritize initiatives related to securing agentic AI. AI security is not a niche control. It’s a business risk tied to and resulting from every AI tool and interaction in an organization. Treating it as a line item in the security budget guarantees forced trade-offs that weaken already stretched core defenses. Boards and CFOs expect AI to drive growth and/or cut costs, so the cost of securing it belongs in the same enterprise AI investment bucket. This reframing protects security leaders from robbing critical programs to fund AI controls and forces accountability where the risk originates. Map every AI initiative to its business owner and quantify the risk it adds. Build a cost model that ties controls to the AI lifecycle from data hygiene through model integrity. Use real examples where underfunded controls stalled projects or triggered new security costs to make the case.
  • Rationalize your security controls and use platforms where you need them. In our Top Recommendations For Your Security Program, 2026, we cover the concept of rationalizing your security controls to reduce — or eliminate — “expense in depth.” Deciphering requirements, current policies, existing controls, overlaps, and redundancies feels like a Herculean task. But it’s necessary at this moment. The only way to deal with the volatility your organization will encounter is to get ahead of it by simplifying your control stack while also potentially reducing costs by identifying unnecessary duplicate spend. Use popular control frameworks like the NIST Cybersecurity Framework, CIS Critical Security Controls, and Forrester’s Information Security Maturity Model (FISMM) to align controls to standard outcomes. Prioritize using continuous control monitoring. Move beyond attempting to manage controls and compliance via spreadsheets and shift to governance, risk, and compliance (GRC) platforms.

Master Change Leadership

  • Be a visible change leader and steadying force. Leaders must provide stability, confidence, and clarity. This is a tall order, as leaders are often not trained to lead through difficult change, and trust in leadership is often low during times of flux and financial hardship. At the same time, periods of sustained disruption can strengthen confidence in leadership when executives embody clarity, consistency, and empathy. That’s because effective change leaders become their best selves in the face of genuine challenges, following a cadence of activities that includes clarifying vision, resolving uncertainty, identifying barriers, releasing resources, listening and responding, and celebrating successes. If you’re the leader of a new or reorganized team, focus your first 90 days on four key areas to establish a strong foundation for your success: the capabilities, culture, career, and communication of the people who report to you.
  • Balance your focus on process and people. Security leaders make the mistake of over-rotating on process and, worse, technology during change. But organizational change also requires changes in human behavior. Security leaders must build a companywide security culture and instill positive attitudes, cognitions, norms, and responsibilities for cybersecurity. This means they must influence and engage stakeholders across the organization from whom they will need advocacy, support, and behavior change. They also have to build a security champions network, leverage leadership communication and storytelling to maintain cohesion and drive support for the change, select the right technologies to measure and manage human risk, and break down long-held silos with their technology peers.

Double Down On Enterprise Risk Management

  • Ecosystem risks from your partners’ new demands. Ecosystem risks will dominate your agenda as we enter this volatile time. In retaliation for US and Israeli attacks, Iran attacked two data centers in UAE and one in Bahrain, impacting banking, payments, and other enterprise software across the region. Your organization only has partial control over how third parties manage their security, adhere to regulations, or the maturity of their risk management practices, but those ecosystem partners will hold you fully responsible for any missteps. Your ability to navigate heightened protectionism in the geographies in which your company operates, issues related to digital sovereignty during the race for AI dominance, the explosion of regulatory frameworks, and increasing threats, will require your organization to dynamically adapt and accept overhead. Your ability to document these requirements, apply the appropriate levels of oversight, link them to the resilience of your continued operations, and juggle a complex vendor landscape will be the cornerstones of success.
  • External risks from geopolitically motivated attacks. External forces, or what Forrester refers to as systemic risks, such as economic uncertainty, geopolitical tensions, and speed of innovation, are often overlooked but are tremendously consequential. During times of scarcity and unpredictability, geopolitical tensions increase as leaders seek to gain some degree of assurance. We see that playing out in real time in 2026. Geopolitically motivated threats and threat actors — whether directly state sponsored, state affiliated, or state permitted — will increase as political leaders use operations in cyberspace to collect intelligence, conduct espionage, or in the most overt of scenarios, degrade or disrupt operations when they deem it necessary. In March 2026, Iranian-linked hacktivist organization Handala claimed it attacked medical technology firm Stryker, taking the company completely offline. Use The Forrester Model To Defend Against Nation-State Threats as a framework to understand your exposure and combat these threats as they intensify.

Conclusion

Navigating economic and geopolitical volatility requires flexibility, strategic spending, and a strong focus on risk management. The actionable advice in our report enables CISOs to help their organizations thrive amidst these uncertain times. For a deeper dive into these strategies, Forrester clients can read our full report, Security Leaders: How To Thrive Through Volatility in 2026.