Cybersecurity leadership gap widens as cybercrime costs rise, ETCISO
A widening gap in cybersecurity leadership, rising cybercrime costs and persistent talent shortages are leaving organisations increasingly exposed, according to the Sophos CISO Report 2026, developed in partnership with Cybersecurity Ventures.
The report highlights a structural imbalance in global cyber resilience. While cyber risk continues to grow, the availability of experienced security leaders is not expanding at the same pace.
According to the report, there are approximately 35,000 CISOs worldwide in 2026 serving an estimated 359 million businesses, creating a ratio of around one CISO for every 10,000 businesses. This points to a significant leadership gap at a time when organisations are facing more complex and frequent cyber threats.
Global cybercrime costs are projected to rise sharply, from US$6 trillion in 2021 to US$12.2 trillion annually by 2031. Ransomware remains one of the most costly threats, with damages expected to reach US$74 billion in 2026 and rise to US$275 billion annually by 2031. The report also estimates that ransomware attacks could occur every two seconds by then.
The talent shortage remains another major challenge. The global cybersecurity workforce gap stands at around 4.8 million unfilled roles, making hiring and retention a key barrier to cyber resilience.
The report also points to growing pressure on cybersecurity leaders. Around 75% of CISOs are considering a job change, while nearly one-third say stress is affecting their performance. Average CISO tenure ranges between 18 and 26 months, indicating high levels of burnout and churn at the leadership level.
AI is becoming central to cybersecurity strategy. The report says 96% of organisations are already using AI to strengthen cybersecurity, while 57% of CISOs are prioritising expertise in AI, machine learning and data analytics.
At the same time, human error remains a major weakness. The report notes that 70% to 90% of breaches are linked to human factors, including phishing and social engineering attacks.
In the Indian context, the report states that organisations allocate approximately 24% of IT budgets to cybersecurity, among the highest levels globally. While this reflects India’s growing digital maturity, it also underlines the country’s rising exposure to cyber risk as attack surfaces expand and dependence on digital infrastructure increases.
The findings suggest that organisations need to rethink traditional cybersecurity models. As cyber threats scale faster than leadership capacity and talent availability, businesses will need stronger cyber leadership, improved workforce development, AI-led security capabilities, and scalable security operating models to improve resilience.












