CISO Benchmark Report Finds AI Driving New Era of Cybersecurity Risk and Investment in Retail and Hospitality

The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) and IANS today announced the release of the 2026 CISO Benchmark Report, providing a comprehensive look at how cybersecurity leaders across the retail and hospitality sectors are navigating economic pressure, evolving threats, and the rapid rise of artificial intelligence (AI).

The 8th edition of the Retail & Hospitality ISAC CISO Benchmark Report, produced in collaboration with IANS, features insights from more than 200 industry CISOs on budgets, staffing, and the impact of AI.

Based on insights from more than 200 Chief Information Security Officers (CISOs) who work in the retail and hospitality industry, the report reveals that while cybersecurity budgets and staffing remain relatively stable, AI has emerged as the most significant new challenge and opportunity facing security teams.

AI Becomes the Leading Source of Friction

This year, AI tops the list of friction points for CISOs, ahead of ransomware and phishing. Seventy-one percent of respondents identified AI as a primary concern, citing risks such as data leakage, insider misuse, and insufficient governance controls. At the same time, organizations are increasingly integrating AI into their security operations, particularly for threat detection, analysis, and reporting.

Despite these advances, CISOs emphasized that AI is compounding, not replacing, existing threats, adding complexity to an already demanding cybersecurity landscape.

Incremental Budget Growth Reflects Economic Reality

The report shows that cybersecurity budgets are growing modestly rather than undergoing a major transformation. In 2025, security spending increased from 0.57% to 0.75% of revenue, while IT spending rose from 3.2% to 3.9%. Looking ahead, 54% of CISOs expect budget increases in 2026, though most anticipate only incremental gains.

Notably, nearly 90% of CISOs expect spending on AI-related security initiatives to rise, often through reallocating existing budgets rather than adding new funds.

Staffing Remains Stable as Efficiency Takes Priority

Security team sizes are expected to remain largely unchanged in 2026, with organizations prioritizing efficiency over expansion. While 35% of CISOs plan to increase full-time staff, most expect to maintain current headcount and leverage AI to enhance productivity. Contractor roles may see reductions, particularly in larger enterprises.

Expanding Role of the CISO

The report highlights the continued evolution of the CISO role, with responsibilities expanding beyond traditional security functions into areas such as AI governance, product security, and business risk management. Seventy percent of CISOs reported that AI has been added to their scope of responsibility.

At the same time, structural challenges, such as competing IT priorities and budget constraints, remain the top barriers to executing security initiatives.

Download a copy of the report here.