Confident, Better Funded, Still Breached: The 2026 Cyber Resilience Gap

Spending is up. Confidence is up. Breaches are up. Inside the widening gap between what security teams invest and what they can actually withstand.

Published on Jun 30, 2026
Written by Mirren McDade

Security budgets are climbing. Confidence is high. And organizations are being breached at much the same rate as before. Security has never been better funded or more self-assured, yet that has not stopped the breaches.

Let’s start with the spending. Expert Insights research into US security leaders found that more than three quarters (77%) are increasing their cyber budgets, with an average rise of 6%, and 90% say they are confident in their security controls. Yet 63% were breached in the past year, and 42% were hit more than once. Spending is up, confidence is up, and outcomes are not following. 

That contradiction sits at the center of Expert Insights’ new research, CISO Confidence and Investment Trends 2026, a survey of 250 US security leaders conducted in December 2025. The figures raise an uncomfortable question: if money and confidence are both rising, why are the breaches not falling? The answer lies in what those numbers actually measure, and what they miss.

Confidence Is Shallower Than It Looks

That 90% figure is mostly soft confidence. Only 47% of leaders are “strongly” confident in their controls. For the rest, it comes with reservations.

The budget optimism is fragile too. Forty percent of leaders already say their 2026 budget will not be enough to meet the threats they expect. Split that figure by experience and the pattern becomes clear: 55% of leaders who were breached say their budget is insufficient, compared with just 14% of those who were not. 

Confidence, it turns out, tracks more closely with not having been hit yet than with any measure of readiness. That is luck, not resilience.

Why The Spending Is Not Converting

The instinct, when something goes wrong, is to invest more. Throwing money at the problem feels active, often comes with assurances from those selling to you, and gives the board something concrete to point to. And you can see this mindset reflected in the allocation of the budget.

Cloud security (70%), data security and governance (66%), and AI and machine learning (60%) top the 2026 investment list. But more of the same often deepens the problem instead of solving it.

Craig MacAlpine, CEO and founder of Expert Insights, puts the diagnosis plainly: “Rising security investment doesn’t automatically translate into improved resilience. What matters is whether organizations are reducing complexity and operational risk, not simply adding more tools into already noisy environments.”

Security leaders who have lived this recognize the reflex. Matthew Rosenquist, a longtime CISO, describes the loop he is repeatedly called in to break: “We’ve invested so much in these technical controls, and yet we’re still failing. Why is that? Well, we need more technical controls, obviously.” The question he hears most often, he says, is the one the data raises: “Why do we keep failing? We’re spending so much.”

The fix is rarely another product. As CISO Greg Schaffer puts it, “You could have every security tool in place and still get hacked if your processes, policies, and people aren’t up to snuff.” Tools secure nothing on their own. The processes and people around them decide whether the investment turns into protection.

Confidence Points Inward, Risk Has Moved Outward

The same disconnect shows up globally, and on a much larger scale. Zscaler’s “Ripple Effect” report, which surveyed 1,750 IT leaders across 14 markets in the same period, finds the same pattern in every market it covers. Ninety percent of organizations increased their resilience investment, by an average of 19%, and 96% updated their resilience strategy.

Then comes the catch. Sixty-one percent admit those strategies are still too inward-looking. Sixty-eight percent report greater reliance on third parties and contractors than ever before. And 60% have already suffered a failure caused by a supplier or partner. 

The pattern is consistent: the spending pours into an organization’s own defenses while the exposure increasingly sits outside them. Two separate studies, different methods, the same gap.

The Gap Is Widening Fastest Around AI

Nowhere is the spend-without-control pattern repeating faster than in AI. Sixty-four percent of leaders say they lack effective governance over generative AI. Among organizations that were breached, that figure climbs to 76%. And 72% of breached organizations attribute at least one incident to the misuse of, or a vulnerability in, generative AI.

It is the same gap in a newer layer. Spending on AI is climbing, while the governance to control it is not. This divide is widest among organizations that have already been breached. These are exactly the ones who can least afford another blind spot.

The Gap Is Not Evenly Spread

The gap is far wider in some sectors than in others, and healthcare is the clearest example: 73% of these organizations were breached, yet the sector reports the lowest investment and the lowest confidence in the study. The resilience gap is widest where capacity is thinnest, which is exactly where it does the most damage.

What Actually Moves The Needle

The lesson across both reports is not that organizations are spending too much. It is that spending and resilience are not the same thing, and treating them as interchangeable is how confident, well-funded security teams keep getting breached.

Resilience comes from reducing complexity, fixing the processes and people around the tools, and extending the strategy outward to the suppliers and AI systems that now sit inside the attack surface. 

The organizations that close the gap in 2026 will be the ones that stop measuring their security by what they spent on it and instead start measuring it by what they can withstand.