
Cyber Budgets Slow, AI Surges: What the Data Says About 2026

In a mixed economic environment, how are cybersecurity budgets competing among business priorities, and what may be ahead for 2026?

As I talk to many CISOs and other security leaders around the country during the second half of 2025, the budget outlook appears to be mixed in both the public and private sectors.

But at a time when AI spending is soaring, even raising fears of an AI bubble, what’s happening now and what’s ahead for cybersecurity budgets and priorities as we head into 2026?


SECURITY SPENDING: WHERE HAVE WE BEEN AND WHERE ARE WE NOW?


First, in August 2025, Beinsure released their report on cybersecurity spending trends. Here's an excerpt:

“Cybersecurity spending rose by 70% over the past four years (response rate: 27%). There was considerable variance in growth rates among respondents, but budgets were up overall, and significantly for most sectors. Budgets for corporates grew the most — up 100%.

“Overall, issuers say they devoted a median of 8% of their technology budgets to cybersecurity in the survey (response rate of 36% to 47%), up from 5%. The increase is likely a response to rapid digitalization and an accompanying rise in cyber risk in recent years. A shift to remote work during the COVID-19 pandemic has also broadened issuers’ digital footprints and opened new channels for cyberattacks.

“Cybersecurity is typically more resilient to economic pressure than other technology-related budget items because companies must often meet certain compliance and regulatory requirements or minimum spending levels to qualify for cyber insurance. In Moody’s cyber survey, only 27 respondents reported a drop in their spending between 2019 and 2023.”

Second, and more recently, I want to look at a CFO Dive article from August with the headline: "Cybersecurity budgets tighten as economic anxiety rises." The report starts by saying, “Uncertain tariff policies and fluctuating inflation and interest rates are leading to stagnant or reduced budgets, according to an IANS Research report.”

Here are some summary points:
  • “Cybersecurity budgets grew 4% in 2025 on average, down from 8% in the previous year, likely driven by economic uncertainty, according to a report released Tuesday by cybersecurity firm IANS Research and executive search firm Artico Search.
  • “As a share of overall information technology budgets, cybersecurity spending declined from 11.9% to 10.9%, breaking a five-year upward trend, according to the research.
  • “‘Once again, we find that security budgets are not immune to macro conditions,’ Steve Martano, a partner in Artico’s cybersecurity practice, said in a press release. ‘Despite most companies identifying cyber as a top five business risk, most CISOs are not receiving budget increases commensurate with the increase in security program scope.’”
Third, Dark Reading writes: “Cybersecurity spending is beginning to slow this year, with average security budgets growing 4% year over year, just half of the recorded growth in 2024 and the lowest rate in five years.”

And fourth, this month, APTA’s Transit Cybersecurity Working Group’s report highlights risk and budgeting needs in the transportation sector:

“A Framework for Continuous Improvement — Effective cybersecurity budgeting is agile, iterative and measurable. Grounding the process in the NIST CSF supports a continuous Plan–Do–Check–Act cycle: Plan–Set a target CSF maturity level. Do–Implement required controls. Check–Assess current maturity and results. Act–Reallocate resources to close performance gaps. This structure transforms cybersecurity budgeting from a static cost center into a dynamic mechanism for risk reduction and resilience building.

“The Bottom Line — Cybersecurity budgeting should never rely on guesswork. Benchmarking transforms subjective decisions into a governance discipline, enabling transit leaders to invest with confidence, demonstrate measurable risk reduction, and strengthen operational reliability and public trust. By tying investment to data and maturity, agencies can ensure safer systems, resilient service delivery, and communities that remain connected and on the move.”

WHERE ARE WE GOING WITH CYBER SPENDING?


Cybercrime Magazine projects metrics and spending in cybersecurity each year, and their 2026 market report just came out last week. Here are some of their statistics:
  • "Cybersecurity Ventures predicts that global spending on cybersecurity products and services will exceed $520 billion annually (USD) by 2026, up from $260 billion in 2021.
  • AI is expanding a $2 trillion total addressable market (TAM) for cybersecurity providers, according to a 2024/2025 study by McKinsey.
  • Today, nearly 15 percent of (corporate) cybersecurity spending comes from outside the chief information security office (CISO), and non-CISO cyber spending is expected to grow at a 24 percent CAGR over the next three years, according to McKinsey.
  • The U.S. and Western Europe will account for more than 70 percent of global information security spending in 2025, according to IDC.
  • Microsoft in fiscal 2025 generated around $37 billion in cybersecurity revenue, representing about 14 percent of its total revenue, according to Investing.com, and its security business can reach $50 billion by 2030 if it grows at a mid-teens CAGR.
  • The U.S. spends more than $25 billion on cybersecurity every year to defend federal systems against increasing threats from hackers, ransomware groups and state-sponsored actors, according to Palo Alto Networks.
  • Cybersecurity Ventures predicts that cybercrime will cost the world $10.5 trillion USD in 2025, up from $6 trillion in 2021, and $3 trillion in 2015."
And this video from CISO Tradecraft shows how to create a cybersecurity budget using an Excel template.

FINAL THOUGHTS


Back in June of this year, the EY Center for Government Modernization found a surge in state and local governments’ AI use and an interest in private-sector collaboration as modernization efforts increase in coming years. Here's an excerpt from EY's press release about the report:

"However, this enthusiasm is tempered by concerns regarding the lack of clear regulations or government standards for AI development (78 percent) and cyberattacks becoming more sophisticated due to AI (82 percent).

“'AI offers a powerful opportunity to achieve greater efficiency in a resource-constrained environment,' said Estes. 'But our survey reveals an acute awareness of the amplified cybersecurity and regulatory risks this technology brings. The real opportunity lies in agencies proactively embedding governance and security measures from the outset of their AI journey to fuel, rather than hinder, efficiency gains.'”

Meanwhile, last week, Government Technology reported that Congress moved to reauthorize the State and Local Cybersecurity Grant Program but did not specify the amount of funding.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.