ProBackend

CISOs Under Siege: AI Complexity and Rising Threats Reshape Cybersecurity Teams

A new ISSA/Omdia survey reveals that 68% of cybersecurity professionals find their jobs harder than two years ago as AI adoption and shadow AI create new vulnerabilities. Full-time CISO roles have dropped from 76% to 63%, while fractional consultants surge, even as demand for security expertise remains strong across the market.

Cybersecurity is breaking. If you talk to anyone running a security team right now, they won't tell you about some shiny new AI defense. They'll tell you they are exhausted, outpaced, and drowning in complexity. We have more tools than ever. Yet, the job is harder.

A recent ISSA International and Omdia survey highlights the strain: 68% of cybersecurity professionals consider their job more difficult than it was just two years ago. The culprits aren't mystery exploits. Instead, 55% of respondents point to an increase in complexity and workload, while 52% say the threat environment has become completely overwhelming.

It's not just a feeling. The data backs it up. In KPMG's 2026 Cybersecurity & Technology Risk Survey, which surveyed 310 leaders at enterprises pulling in over $1B in revenue, 83% reported an increase in cyberattacks over the trailing 12 months. Phishing is a constant threat, DDoS attacks are scaling up, and ransomware continues to chew through infrastructure. The old playbook of patching on Tuesdays and hoping for the best is dead.

We're facing a classic scale problem. The surface area we have to defend grows exponentially, but the teams doing the defending grow linearly, if at all. Security operations center (SOC) analysts are staring at dashboards that look like slot machines, throwing alerts faster than human eyes can parse. We built a machine that generates noise, and now we're surprised that people are burning out. It's a systemic design failure, not a talent failure.

Shadow AI and the Flight of the Full-Time CISO

Corporate employees want productivity. They don't want to wait for security approval. This friction is driving Melinda Marks, an analyst at Omdia, to emphasize a massive threat: shadow AI adoption. Employees are enabling AI tools—copying proprietary code into ChatGPT, uploading customer data to random summarizers, or deploying AI agents—without ever notifying the security team. These visibility gaps mean CISOs are defending a perimeter they can't even map.

The threat from these tools isn't theoretical. Darktrace's 'State of AI Cybersecurity 2026' report, which surveyed over 1,500 security leaders, revealed that 73% of organizations are already feeling a significant impact from AI-powered threats. Security leaders aren't just worried about external hackers either. A massive 92% of respondents expressed concern about AI agents operating across their own workforce. They worry about what happens when these autonomous helpers start requesting API access or moving data.

On top of that, 44% of leaders say they are extremely or very concerned about third-party LLM security, including everyday platforms like Copilot and ChatGPT. The anxiety breaks down into two main buckets: sensitive data exposure (61%) and regulatory compliance violations (56%).

In response, many CISOs are choosing to opt out of the corporate treadmill entirely. The stress, combined with the impossible expectations of boards, has triggered a quiet exodus. Full-time CISOs dropped from 76% of security teams in 2024 to just 63% in 2026. At the same time, fractional CISOs jumped from 6% to 15%.

Shawn Murray, former ISSA president and now a fractional CISO himself, notes that CISOs are actively leaving full-time roles to consult independently. Why take on the absolute liability of a single enterprise—where a breach could end in personal prosecution—when you can distribute your expertise across multiple firms as an advisor? It's a rational economic choice. You get to help companies, control your hours, and avoid being the single neck to wring when things break. For a deeper look at how AI's dual threat of complexity and the CISO capability gap is reshaping the profession, see our analysis on AI's Dual Threat: Complexity and the CISO Capability Gap.

The Security Stack Integration Gap

Security teams have a tools problem. We keep buying point products to plug individual holes, creating an unmanageable Frankenstein architecture. The KPMG survey notes that only 24% of enterprises have fully integrated AI into their cybersecurity operations. The rest are stuck with partial implementations (53%). The result is a disjointed dashboard landscape where tools don't talk to each other, data sits in silos, and alerts fall through the cracks. It's a classic case of buying the technology but failing the integration.

We know that complexity is the enemy of security. When you have twenty different security portals, your engineers spend more time managing configurations than hunting threats. Security leaders must push for a unified architecture that handles telemetry in one place rather than chasing every new AI startup that promises a silver bullet. How security executives are holding up under that pressure is the subject of our deep dive on CISO resilience in the AI era.

According to the ISSA/Omdia data, 37% of teams are currently using AI for cybersecurity, and another 46% plan to adopt it. When they do, they are looking to automate specific pain points: automated security assessments, predictive risk analysis, and threat detection. In the broader market, generative AI is already present in 77% of security stacks, though we are still lagging on unsupervised machine learning (just 35%).

But there is a massive trust gap. Only 14% of organizations allow AI independent remediation without a human in the loop. We trust AI to find the needle, but we don't trust it to burn the haystack. We're terrified of false positives that shut down production databases or lock out legitimate users. So, we keep a human in the middle of every containment loop, which completely destroys the speed advantage AI was supposed to deliver. Teams are desperately trying to automate triage to avoid fatigue, a pattern explored in our study on escaping the triage trap.

Demystifying the ROI of Defending Nonhuman Identities

The attack surface isn't just expanding; it's changing state. We used to focus on securing human logins. Today, the real danger is nonhuman identities—service accounts, API credentials, certificates, and OAuth tokens. These machine credentials have grown exponentially as we automate workflows and connect SaaS tools. KPMG's research flags these nonhuman identities as a massive, poorly understood, and under-secured target. Hackers know that compromising an API key is far easier than phishing a C-level executive, and it grants much broader access without triggering MFA.

Securing these identities is expensive, and proving the value of that spending is incredibly painful. Nearly 70% of companies dedicate more than 11% of their entire cybersecurity budget to AI-related initiatives. Yet, 42% of security leaders struggle to demonstrate cybersecurity ROI to their boards. How do you prove the value of a breach that didn't happen? How do you justify spending millions to secure service accounts that business units didn't even realize existed?

Board members want simple metrics: revenue, speed, savings. Security doesn't fit neatly into those boxes. It is an insurance policy. CISOs are forced to present abstract risk reduction scores to boards who want to hear about product shipping schedules. This disconnect is another reason why CISOs feel set up to fail. They are given massive budgets to implement complex AI defenses but are left empty-handed when asked to prove that the investment made the company safer.

Headcount, Insurance, and the Scaling Fallacy

Despite the tools crisis and the shift to fractional roles, the demand for cybersecurity expertise is not shrinking. If anything, the market is starving for it. The KPMG report shows that 74% of risk leaders anticipate their security team headcount will grow by more than 11% in the near term. The work is there. The money is there. The talent, however, is not.

This talent crunch is hitting medium and smaller businesses the hardest. They don't have the budget for a full-time, high-level CISO, yet they face the exact same compliance and cyber insurance requirements as a Fortune 500 company. Insurance carriers are demanding rigorous verification of security controls before writing policies. This pressure forces smaller firms to hire fractional CISOs to advise them on basic hygiene.

Alex Hutton, CISO at Atlantic Union Bank, makes an important observation: 'It's hard to argue the job is getting easier.' But he doesn't see security positions being eliminated. The surge in fractional roles isn't a sign of headcount reduction; it's a cost-spreading mechanism. Smaller companies are pooling resources to rent a fraction of an expert's brain because they cannot afford the whole thing.

To manage the skills gap, organizations are shifting to hybrid models. Rather than building everything in-house, 85% of security leaders now prefer MSSPs (Managed Security Service Providers) for security operations center (SOC) services. This hybrid approach allows internal teams to focus on strategy and architecture, while outsourcing the 24/7 log monitoring to partners.

This is a massive shift, moving away from classic boundary controls to what many call the transition toward AI-native infrastructure. As AI makes the threat landscape faster and more complex, our defenses must become just as dynamic. The role of the CISO is no longer about building static walls. It's about engineering resilient systems that can bend without breaking. For more on how organizations are adapting their security strategies and talent models to handle increasing AI-driven risks, read our piece on CISO Resilience in the AI Era.