
Building a Risk-Informed Security Budget: What to Actually Fund in 2026

Gartner forecasts global cybersecurity spending will reach $240 billion in 2026, a 12.5% jump from 2025’s $213 billion. Wiz’s 2026 CISO Budget Benchmark, drawn from more than 300 security leaders, found that 85% of organizations grew their cybersecurity budgets in 2025 and nearly nine in ten plan to grow them again. Yet more than half of those same leaders say their organizations still aren’t investing enough to manage risk effectively. The money is moving. Whether it’s being spent well is a different question.

That gap — between rising spend and rising doubt — is the budgeting problem of 2026. Boards have stopped asking whether to fund security and started asking what they get for the money. CFOs want dollar-denominated risk reduction, not slide decks full of red squares on heat maps. Regulators in the EU, the US Department of War, and a growing roster of state authorities are writing the costs of non-compliance directly into law. A risk-informed budget is no longer a maturity goal; it’s the only kind of budget that survives the room.

This guide breaks down what’s actually worth funding in 2026: the spending patterns that match the threat environment, the regulatory commitments you can’t defer, the categories where money is wasted, and the framework for justifying it all in language a CFO will sign.

How 2026 Budgets Are Actually Distributed

The headline shift from prior years is that software has overtaken hardware and outsourced services as the largest category of enterprise security spend. Forrester’s 2026 Budget Planning Guide puts software at roughly 40% of enterprise security budgets, with hardware compressed to about 15% as organizations move to software-defined controls and integrated platforms. Personnel — internal staff plus contractors — still accounts for around 51% of total spend across the IANS and NuHarbor benchmarks, though the Wiz 2026 CISO Budget Benchmark tracks personnel slightly lower at roughly a quarter of total spend depending on how cloud and platform costs are attributed.

The other thing worth noting is how uneven growth is by region. Forrester’s data shows 22% of Asia-Pacific organizations expect budget increases above 10%, more than double North America’s 9%. In Europe, 81% of organizations expect some level of increase, driven heavily by NIS2 and DORA compliance pressure. North American budgets are growing more conservatively, and the RH-ISAC 2026 CISO Benchmark reported in April found that security spend at large US enterprises rose to just 0.75% of revenue, up from 0.57%, with security taking 5.8% of the IT budget — a steady, gradual climb rather than the double-digit reallocation some vendors imply.

The implication for any individual budget: industry averages are useful as sanity checks, not as targets. A financial services firm spending 0.8–1.0% of revenue on security and a healthcare organization spending 0.3–0.5% are telling you about peer ranges, not about what your specific risk profile demands.

2026 Spend Allocation: Where the Enterprise Security Dollar Goes

Personnel (~51%): Internal staff plus contractors. Largest single line. IANS/NuHarbor figure; Wiz reports lower depending on attribution.
Software (~40%): SaaS platforms, cloud security tooling, identity, detection. First year software exceeds hardware plus outsourced services combined.
Hardware (~15%): Compressed as software-defined security replaces appliance-based models. Networking and on-prem control plane.
Outsourced & Other (balance): MSSPs, MDR retainers, advisory, training, insurance premiums, incident response retainers.

Sources: Forrester 2026 Budget Planning Guide, Wiz 2026 CISO Budget Benchmark, IANS Research, NuHarbor Security. Categories overlap; totals are directional.

Quantifying Risk Before You Quantify Spend

Every credible 2026 budget recommendation converges on the same starting point: you cannot defend spend until you can express risk in dollars. The FAIR (Factor Analysis of Information Risk) model has become the de facto standard for this, recognized by The Open Group as O-RT and O-RA and now mapped against the NIST Cybersecurity Framework. FAIR decomposes a risk scenario into Threat Event Frequency, Vulnerability, Primary Loss Magnitude, and Secondary Loss Magnitude, then rolls them up into an Annualized Loss Expectancy (ALE) — a single financial figure your CFO recognizes.

The practical move is small. Pick three to five top scenarios — ransomware on production, third-party breach via a critical vendor, business email compromise, OT outage, insider data exfiltration — and run a FAIR analysis on each. The Protiviti and FAIR Institute working examples published in early 2026 show how this translates: “identity and backup investments have the biggest effect on reducing this risk, so we should allocate up to 60% of additional new funding there.” That’s the sentence boards approve. “We need more EDR” is not.

This matters even more because budget rationales have to survive a different kind of scrutiny in 2026. The SEC’s incident disclosure rules require material breaches to be reported within four business days. NIS2 and DORA shorten incident reporting in some categories to as little as 24 hours for an early warning. Boards now face personal liability under both regimes. When a director asks “are we spending enough on X?”, they want a defensible number, not an emotional appeal. FAIR-style ALE delivers that number. Heat maps don’t.

A reasonable reading of the 2026 evidence — Wiz, Forrester, RH-ISAC, IANS, Protiviti — is that the single highest-leverage non-technical investment a security team can make this year is implementing a cyber risk quantification (CRQ) capability. It changes every other budget conversation that follows.

What to Actually Fund: The 2026 Priority Stack

Below is what the consolidated benchmark data and threat reporting suggest deserves real money in 2026. The order matters: items earlier in the list typically deliver more risk reduction per dollar because they shrink the attack surface or compress detection-to-response time. Items later are necessary, but they tend to optimize an already-functioning program.

Identity, Identity, Identity

Attackers no longer break in; they log in. The Wiz benchmark, the Glilot Capital 2026 CISO survey, and the Protiviti analysis all converge on identity as the highest-yield category. That includes phishing-resistant MFA (FIDO2/WebAuthn), privileged access management, identity threat detection and response (ITDR), and — increasingly — governance for non-human identities (NHIs): service accounts, API keys, machine identities, and the explosion of agentic AI workload identities. NHIs now outnumber human identities in most enterprises by an order of magnitude, and most go ungoverned.

Concrete budget items that earn their place: an enterprise IGA platform with NHI lifecycle support, a PAM upgrade if your current solution predates cloud workloads, ITDR coverage tied into your detection stack, and project funding for retiring shared service accounts.

Cloud Security and the Visibility Problem

Wiz reports that 88% of CISOs plan to increase cloud security focus over the next two years. The pain isn’t lack of tools — it’s that 58% of organizations now run more than 25 security tools and large enterprises often run 50 or more. Cloud security spending in 2026 should fund consolidation, not expansion. A unified CNAPP (Cloud-Native Application Protection Platform) that covers posture, workload protection, identity entitlements, and runtime detection is replacing the four or five point tools that did each piece separately.

Funding the consolidation cleanly means funding the decommissioning. Forward-thinking CISOs are now adding tool retirement as an explicit budget line — money allocated to the work of unwinding contracts, migrating data, and decommissioning agents. Without that line item, sprawl wins.

Detection, Response, and the 48-Minute Problem

Cross-sector incident data referenced in the Elisity 2026 benchmark indicates attackers achieve lateral movement in roughly 48 minutes after initial compromise — about 22% faster than 2023. That number drives a specific budget allocation: 15–20% of the security budget on detection and response, including SIEM modernization or replacement, MDR services if you can’t staff a 24/7 SOC, and EDR coverage on every endpoint that can run an agent.

The 2026 wrinkle is what’s happening to SIEMs. Costs have ballooned, vendors have consolidated, and AI-native detection platforms are encroaching on traditional log-and-correlate architectures. If your SIEM contract renews in 2026, that’s a budget moment, not a renewal — model the alternatives.

Microsegmentation and Zero Trust Architecture

Zero trust remains the top-cited 2026 initiative in the RH-ISAC survey, and microsegmentation is where most of the actual money goes. The Elisity benchmark cites 15–20% of the budget for microsegmentation work in regulated environments, with implementation costs ranging from $500K to $4M depending on scale. The risk-reduction case is straightforward: even when initial compromise succeeds, segmentation breaks the chain to crown-jewel systems.

AI Governance and AI-Specific Defenses

AI is now both a budget line and a board topic. Wiz reports 99% of CISOs agree AI will transform cloud security; just over half say that transformation is happening now. In 2026, AI security spend splits into two distinct buckets, and they shouldn’t be confused with each other.

The first bucket is defending against AI-enabled attacks: smarter phishing, deepfake-driven social engineering, AI-accelerated reconnaissance, automated exploit chaining. This funds enhanced email security, voice/video verification controls, and the continuous control validation that detects when defenses degrade against novel techniques.

The second bucket is securing your organization’s own AI deployments: prompt injection defense, model output filtering, training data poisoning protection, agentic AI identity governance, and policy enforcement at the LLM gateway. The OWASP Top 10 for LLMs and emerging frameworks like MITRE ATLAS are the right reference surface here. This bucket grows fastest in organizations that have moved AI from pilots to production.

Continuous Threat Exposure Management

Continuous Threat Exposure Management (CTEM) has displaced annual penetration testing as the dominant 2026 funding pattern for offensive validation. CTEM combines attack surface management, continuous breach and attack simulation, and prioritized exposure remediation — the goal is knowing weekly, not yearly, which exposures are actually exploitable. Budget for the platform, the integration work, and the remediation capacity to close what it finds. A CTEM tool whose findings nobody fixes is a slower, more expensive penetration test.

Resilience: Backups, BCM, DR

Ransomware payment averages reportedly reached $2–3 million in 2025. The most defensible spend against that exposure is immutable, isolated, frequently tested backups — plus the business continuity and disaster recovery work that turns a backup into an actual recovery. The mgm insights review of NIS2 and DORA implementation found BCM and DR are the two most consistently neglected control areas in otherwise well-run programs. Budget for the testing, not just the technology.

The Compliance Bill Comes Due

Several regulatory deadlines convert from “future planning” to “this year’s budget” in 2026, and missing them is increasingly expensive. The compliance line item is no longer a few audits — it’s a sustained operating cost.

CMMC 2.0 Phase 1 took effect November 10, 2025, and Phase 2 — mandatory third-party C3PAO assessments for Level 2 contractors handling Controlled Unclassified Information — begins November 10, 2026. A Redspin survey cited by DefenseScoop found only 1% of Defense Industrial Base contractors are fully prepared. Certification costs run from $200K to $2M depending on scope. Defense contractors that haven’t budgeted this for 2026 are choosing to lose contracts.

NIS2 transposition deadlines have largely passed, though several Member States — Germany among them — published implementation laws late and registration is still incomplete. The compliance window for covered entities runs through October 2026. Penalties top out at €10 million or 2% of global turnover. DORA has applied since January 17, 2025, and supervisory expectations around governance, third-party risk, and resilience testing are continuing to firm up through 2026.

The newest regulatory pressure point is post-quantum cryptography. The European Commission published COM(2026) 13 final on January 20, 2026, proposing to amend NIS2 with an explicit PQC requirement. The EU’s coordinated PQC roadmap calls for Member States to “start transitioning” by end of 2026 and for critical infrastructure to be transitioned by end of 2030. Cryptographic inventory and migration planning are no longer optional 2027 problems — they’re 2026 budget items, especially for organizations with long-lived signing keys, PKI dependencies, or hardware security modules that may not support post-quantum algorithms in firmware.

2026 Compliance Calendar: Deadlines That Will Move Money

Now to Oct 2026: NIS2 final transposition window. Covered entities across EU essential and important sectors must be in compliance. Penalties up to €10M or 2% of global turnover.
Throughout 2026: DORA supervisory expectations firming. Governance, ICT third-party risk, resilience testing, audit rights. In force since Jan 2025; enforcement maturing.
Nov 10, 2026: CMMC 2.0 Phase 2. Mandatory C3PAO third-party assessments begin for Level 2. DoD contracts for CUI handlers blocked without certification.
End of 2026: PQC transition starts (EU roadmap). Member States expected to begin PQC migration. COM(2026) 13 proposes explicit NIS2 PQC requirement. Cryptographic inventory becomes table stakes.
Ongoing: SEC 4-business-day disclosure. Materiality determination and Form 8-K filing on material incidents. Drives investment in materiality assessment process and legal-security coordination.

What to Cut, Defer, or Renegotiate

Equally important to what gets funded is what doesn’t. Wiz’s benchmark and the CyberSaint analysis converge on a clear list of low-yield 2026 spend.

Duplicate tools across overlapping platforms. GRC, SIEM, IR, TPRM, and “automation” vendors increasingly do the same things. Nearly half of CISOs say cloud complexity and tool sprawl actively hold back their security programs. The right move is a tool rationalization audit before any 2026 procurement: every tool justifies its retention in writing or it goes.

Annual pen tests as a primary validation strategy. Point-in-time testing has lost credibility against an attack surface that changes weekly. Continuous validation through CTEM or BAS platforms produces better evidence at lower marginal cost. Annual tests still have a role for compliance attestation and red-team engagements, but they shouldn’t be the spine of your assurance program.

Standalone awareness training platforms. The market has consolidated into broader human risk management platforms that combine simulation, training, and behavior analytics. If you’re paying separately for a phishing simulator, a video training library, and a reporting tool, you’re paying for integration overhead.

Hardware refresh cycles for appliances being replaced by software. If your firewall, web gateway, or DLP appliance reaches end-of-life in 2026, the replacement question isn’t “what’s the next box” but “what’s the SaaS equivalent and what does the migration cost.” Forrester’s hardware contraction to ~15% of spend reflects this exact decision being made across the industry.

Cyber insurance as a replacement for controls. Premiums are climbing, coverage is narrowing, and most policies now require evidence of specific controls — MFA, EDR, immutable backups, IR tabletops — before they’ll write the policy. Insurance should sit on top of a credible control program, not substitute for one.

Building the Business Case the CFO Will Sign

The most effective 2026 budget submissions follow a three-step structure that’s now standard advice across IBM’s Cost of a Data Breach analyses and CRQ practitioner guidance. First, quantify exposure in financial terms using industry breach cost data — IBM’s most recent figure for the global average breach cost is $4.88 million, with healthcare breaches averaging closer to $10 million. Second, model the cost-avoidance from each proposed investment using ROI benchmarks specific to the control. Third, compare your spend to peer benchmarks — security as a percentage of revenue, security as a percentage of IT spend, mean time to detect, mean time to respond.

A worked example: “Our peer group experiences ransomware events at roughly one per 18 months. Industry data places our likely loss per event at $6.08M. A $1.2M investment in identity hardening, immutable backups, and MDR is modeled to reduce expected loss per event by $2.22M. Payback period is approximately 7 months over the assumed event frequency.”

That’s the sentence that gets approved. Note what it doesn’t say: it doesn’t reference vendors, it doesn’t reference techniques, and it doesn’t reference compliance frameworks except as supporting evidence. CFOs and boards approve risk-reduction math. They tolerate technical detail; they don’t decide on it.
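A FAIR-style calculation of the ALE and payback figures described in the quantification section and in the worked example above, added here as an illustration (not the article’s own code or the FAIR Institute’s tooling). It takes the article’s anchors (one ransomware loss event per 18 months, $6.08M per event, a $1.2M control package), but the split into Threat Event Frequency and Vulnerability, the split into primary and secondary loss, and the control effect sizes are constructed assumptions, so the payback it produces is not the article’s figure; it also adds the Monte Carlo spread over point estimates that FAIR tooling normally reports.

```python
# FAIR-style ALE and control payback: added illustration, not the article's
# own or the FAIR Institute's tooling. Anchors (one loss event per 18 months,
# $6.08M per event, $1.2M package) follow the article; the TEF x Vulnerability
# split, primary/secondary loss split and control effects are constructed.
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FairScenario:
    tef: float             # Threat Event Frequency: attacks per year
    vuln: float            # Vulnerability: P(threat event becomes a loss event)
    primary_loss: float    # Primary Loss Magnitude per loss event (USD)
    secondary_loss: float  # Secondary Loss Magnitude per loss event (USD)

    @property
    def lef(self) -> float:
        """Loss Event Frequency = TEF x Vulnerability (loss events per year)."""
        return self.tef * self.vuln

    @property
    def loss_per_event(self) -> float:
        return self.primary_loss + self.secondary_loss

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = LEF x loss magnitude per event."""
        return self.lef * self.loss_per_event


def apply_controls(s, vuln_factor=1.0, loss_factor=1.0):
    """Identity hardening scales Vulnerability; immutable backups and MDR
    scale loss magnitude. Both factors multiply the point estimates."""
    return replace(s, vuln=s.vuln * vuln_factor,
                   primary_loss=s.primary_loss * loss_factor,
                   secondary_loss=s.secondary_loss * loss_factor)


def payback_months(investment, before, after):
    """Months until the annual ALE reduction repays the investment."""
    reduction = before.ale - after.ale
    if reduction <= 0:
        return float("inf")  # no risk reduction: the spend never pays back
    return 12.0 * investment / reduction


def simulate_ale(s, spread=0.5, trials=20000, seed=7):
    """Monte Carlo over triangular ranges of +/- spread around the TEF and loss
    point estimates (mode = point estimate); returns (mean ALE, 90th pct)."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        tef = rng.triangular(s.tef * (1 - spread), s.tef * (1 + spread), s.tef)
        loss = rng.triangular(s.loss_per_event * (1 - spread),
                              s.loss_per_event * (1 + spread), s.loss_per_event)
        samples.append(tef * s.vuln * loss)
    samples.sort()
    return sum(samples) / trials, samples[int(0.9 * trials)]


# Constructed scenario: LEF = 2.0 x 1/3 = one loss event per 18 months.
RANSOMWARE = FairScenario(tef=2.0, vuln=1 / 3,
                          primary_loss=4_580_000, secondary_loss=1_500_000)
HARDENED = apply_controls(RANSOMWARE, vuln_factor=0.5, loss_factor=0.6)
PAYBACK_MONTHS = payback_months(1_200_000, RANSOMWARE, HARDENED)  # about 5.1
```

Printing RANSOMWARE.ale, HARDENED.ale and PAYBACK_MONTHS gives the before/after ALE and the payback in months; simulate_ale(RANSOMWARE) adds the mean and 90th-percentile range a CRQ tool would put in front of the board.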

Board-Ready Justification: The Three-Step CISO Business Case

Step 1, Quantify exposure: Use FAIR-style ALE on 3–5 priority scenarios. Anchor with industry data: IBM $4.88M average, $10M healthcare, $2–3M ransomware payments.
Step 2, Model risk reduction: For each investment, show expected reduction in ALE. Tie controls to specific scenarios. Express in payback period and net risk reduction per dollar.
Step 3, Benchmark to peers: Security as % of revenue and % of IT spend vs sector. MTTD/MTTR vs IBM data. Tool count and satisfaction vs Wiz/Forrester benchmarks.

The Sentence That Gets Approved: “A $1.2M investment is modeled to reduce expected loss per event by $2.22M. Payback period is ~7 months at our assumed event frequency.”

Frequently Asked Questions

What percentage of IT spend should go to cybersecurity in 2026?

IANS data places the cross-industry average at 13.2% of IT budget, up from 8.6% in 2020. Financial services and regulated industries cluster higher; education and small-budget public sector cluster lower. The Elisity 2026 benchmark recommends 10–15% of IT spend for organizations above $2B in revenue, with manufacturing and healthcare at the upper end. These are reference ranges, not targets — your number should fall out of FAIR-modeled risk, not the other way around.

Should we increase headcount or invest in automation?

Both, but the question is increasingly a false dichotomy. The Wiz benchmark shows personnel as the largest single line item; the same survey shows efficiency tools and analyst-augmenting AI as the fastest-growing category. The 2026 pattern is fewer net new hires and more spend on platforms that let existing analysts cover more surface: agentic SOC tools, automated triage, posture management. Hiring purely to staff manual work is the lowest-yield form of personnel spend.

How do we justify cybersecurity ROI when nothing bad happened?

This is the counterfactual problem, and it’s why FAIR exists. You cannot point at a breach that didn’t occur, but you can model expected loss without the control, expected loss with it, and the difference. Combine that with operational metrics — MTTD, MTTR, compliance findings closed, exposed assets reduced — and you have a yield narrative. The Safe Security framing of “security yield: risk reduction per incremental dollar” is a useful way to anchor it.

What’s the single most overlooked 2026 budget item?

Tool decommissioning and integration debt. Every benchmark in 2026 — Wiz, Forrester, CyberSaint, RH-ISAC — flags tool sprawl as a primary friction point, but very few budgets allocate explicit dollars to retiring overlapping tools. Treat decommissioning as a project with its own line item. The savings fund the consolidation.

A Final Note on Where 2026 Is Different

A budget is a thesis about the future. The 2026 thesis emerging from the consolidated benchmark data is that organizations no longer win by spending more — they win by spending in ways they can defend in financial terms. The CISOs who can walk into a board room and say “this $X reduces our annualized loss expectancy by $Y, here’s the math, here’s the peer comparison, and here’s what we’re cutting to fund it” are the ones who walk out with budget intact. The ones who can’t are the ones being asked, with increasing impatience, why their spend keeps growing while their breach risk doesn’t visibly shrink.

Build the CRQ capability first. Fund identity, cloud consolidation, and detection compression next. Don’t defer the regulatory deadlines. Cut the duplicates. Then go to the board with numbers, not adjectives.
