• Sat. Apr 18th, 2026

Christina Antonelli

Connecting the World, Technology in Time

Cybersecurity spending boom projected, but security pros are skeptical

A whopping 99% of security leaders plan to increase their cybersecurity budgets over the next two to three years, signaling that cybersecurity has become a critical business imperative, according to a KPMG Cybersecurity Survey released earlier this month.

KPMG’s survey, which polled more than 300 C-suite and senior security leaders, found that the projected spending increases come at a time when 83% of organizations report a rise in cyberattacks, which include everything from phishing and ransomware to more advanced AI-powered social-engineering schemes.

“The data doesn’t just point to steady growth, it signals a potential boom,” said Michael Isensee, cybersecurity and tech risk leader, KPMG LLP. “We’re seeing a major market pivot where cybersecurity is now a fundamental driver of business strategy.”

“Leaders are moving beyond reactive defense and are actively investing to build a security posture that can withstand future shocks, especially from AI and other emerging technologies,” continued Isensee. “This isn’t just about spending more, it’s about strategic investment in resilience.”

Security pros in the trenches are less sure about the boom KPMG predicted.

“I don’t expect most CISOs to significantly grow their teams in 2026,” said Ram Varadarajan, chief executive officer at Acalvio. “Not because risk is shrinking, but because headcount no longer scales against the threat. The constraint isn’t budget or intent. It’s speed. When attacks unfold at machine pace, adding more humans doesn’t materially change outcomes. Teams will stay relatively flat while the nature of the work shifts.”

Seth Spergel, managing partner at Merlin Ventures, added that budgets are tight — and CISOs know that.

“The degree of impact varies by CISO,” said Spergel, “but we see AI already impacting CISOs’ hiring decisions and their plans for upcoming budget.”

Spergel added that security — much like every market segment — has seen a big impact from AI-infused software products, and CISOs expect — and are expected — to gain efficiencies from the next generation of software.

“In some cases, an uncertain economy means reducing lower-value roles,” said Spergel. “But, generally speaking, there is still so much to do that few CISOs will willingly give up staff. We see the growth opportunity around a hybrid model of talented cybersecurity practitioners being extended by AI capabilities. There are still very sensitive tasks and decisions that organizations cannot fully trust to AI, but we can now bring those human operators much more complete data very quickly with the help of these AI tools.”

Are we really headed for the next boom?

Leading indicators from the KPMG survey that point to a cybersecurity boom include:

  • Sustained budget growth: With 99% of companies planning to increase cyber budgets in the next few years, KPMG reported that the vast majority (54%) are planning for significant increases of 6% to 10% as they brace for future threats. Even so, leaders still face hurdles in securing additional funding, with 52% citing competing priorities for budget allocation, which include data security and privacy, IAM, and cloud security. This signals a need for leaders to focus on managing this spend more strategically — turning to AI, unified security platforms, and managed services to create efficiencies, reduce overhead, and ensure every additional dollar strengthens their overall defense posture.
  • The AI arms race: While 38% of leaders see AI-powered attacks as a major challenge in the next two to three years, 70% of organizations are already dedicating more than 10% of their budgets to AI-related cyber initiatives. KPMG also reported that AI will have the greatest impact in proactively identifying and stopping threats with fraud prevention (57%), predictive analytics (56%) and enhanced detection (53%).
  • A war for AI talent: The boom has created fierce competition for skilled tech professionals. Fifty-three percent of leaders cite a lack of qualified candidates as a high-impact challenge, forcing them to increase compensation (49%), boost internal training (49%), and rely more on external partners (25%), including MSSPs, to fill critical gaps.
  • Strategic investment beyond IT: Cybersecurity investment has increasingly centered on the controls that protect access and trust across the enterprise. The survey shows that 42% of leaders are making identity and access management a top budget priority over the next two to three years, closely following data security and privacy and cloud security. This reflects a growing recognition that as organizations scale cloud and AI, stronger identity governance and access controls are critical to protecting sensitive data and systems and to building a more resilient security posture.

Security professionals expect tight budgets

Despite all the upbeat projections from KPMG, security pros in the trenches who responded to SC Media still expected some very tight budgets, at least for the year ahead.

Diana Kelley, chief information security officer at Noma Security, said most CISOs she’s in contact with expect to hold team size roughly steady, with only marginal, as-needed growth. Kelley said it’s not because risk has declined, but because boards are pushing for cost efficiencies driven by automation and tighter alignment to business outcomes.

“As is often the case, security teams are being asked to do more with the same number of people,” said Kelley. “Where I do see headcount growth is in cloud security and identity, while traditional SOC expansion is flattening. Economic uncertainty is driving many CISOs to expect flat to modestly higher budgets, alongside increased expectations from CFOs and boards to demonstrate measurable risk reduction. The pressure is not simply to spend less — but prove value.”

Robb Reck, chief information, trust, and security officer at Pax8, said the uncertain economy has driven tighter evaluations of ROI on any security spend. Risk reduction remains the top priority, but Reck said CISOs are done with vendor promises — they want proof.

“Companies that can point to real customers achieving measurable results will win existing budget from current vendors who are not capturing the performance improvements from AI and automation,” said Reck. “AI isn’t replacing cybersecurity professionals in 2026 — it’s augmenting them. However, CISOs may still be hesitant to hire. Many companies are slowing hiring while they wait to see how AI agents will actually perform. Security professionals who treat AI as something that will amplify their work rather than threaten it are the ones landing roles.”
