Every year, the RH-ISAC CISO Benchmark Report offers a snapshot of where security leaders across retail and hospitality stand. The 2026 edition, produced in partnership with IANS and based on responses from 201 CISOs across the sector, arrives at a moment when the pressure on security organizations is unusually layered. Budgets are constrained, the threat landscape has not simplified, and AI has inserted itself into nearly every dimension of the job.
AI at the Top of the Friction List
AI ranks as the leading friction point among retail and hospitality CISOs, cited by 71% of respondents. That number deserves some unpacking, because it does not mean ransomware and phishing have moved off the radar. Ransomware dropped 35% in the rankings, but practitioners in the survey were clear that the decline reflects a shift in how CISOs categorize the threat, not a reduction in actual risk.
What AI represents is something different: a friction multiplier. It is expanding the attack surface, accelerating adversarial capabilities, and adding a new governance burden on top of an already full plate.
The governance picture has improved, but it remains incomplete. Only 3% of organizations have no AI policy in place. Even so, 74% of CISOs cite data leakage through public AI tools as a top concern, and fears around insider misuse, weak controls, and model reliability persist even among organizations with fully implemented frameworks.
Where AI Is Delivering
The survey also asked where AI is providing real returns inside the security function. The leading use cases are threat detection and analysis (63%), generative AI for reporting and analysis (53%), and incident response automation (44%). These are not moonshot applications. They are practical productivity levers applied to work that security teams were already doing.
A pattern worth noting from the qualitative findings: practitioners who have seen the most traction tend to describe it as "boring AI," meaning the unglamorous but high-return application of automation to existing workflows. Nearly 90% of CISOs expect AI security spending to rise over the next 12 to 18 months. Most of that investment will come from reallocating existing budgets rather than adding net-new dollars.
Steady Budgets, Steady Teams
Security spending grew modestly in 2025, rising from 0.57% to 0.75% of revenue on average. Heading into 2026, 54% of CISOs expect further increases, up from 44% the prior year, and the share expecting flat budgets declined by 10%. That is a cautiously positive directional shift, driven primarily by anticipated company performance and digital transformation priorities rather than incident-triggered spending.
Staffing tells a similar story. Most organizations expect headcount to hold steady, with AI positioned as an efficiency tool for existing teams rather than a reason to reduce them. Contractor roles face more exposure, particularly at larger enterprises, with 20% of CISOs at firms exceeding $10 billion in revenue projecting contractor cuts.
A Broader Mandate, Familiar Barriers
The CISO role continues to expand. Seventy percent of respondents now own AI as a formal area of responsibility, and product security has grown as an accountability area year over year.
Despite that broader mandate, the barriers to executing security initiatives remain largely structural. Tensions between security and broader IT prioritization (cited by 70% of CISOs) and budget constraints (68%) outrank threat landscape factors as the top obstacles to getting things done.
Average NIST CSF maturity scores were flat from 2024 to 2025 despite projected improvements, a gap that reflects how hard it is to move programs forward when the structural conditions stay the same.
What the Data Is Good For
Benchmarks are most useful when they help security leaders calibrate, make the case internally, and recognize that what their peers are navigating looks a lot like what they are navigating. That is the intent of this research and the community it comes from. The full 2026 CISO Benchmark Report is available at rhisac.org.