CISO: AI Risk Reshapes Cybersecurity Strategy In Retail And Hospitality

Marks & Spencer, Co-op, and MGM Resorts: the list could go on. These examples show how damaging cyberattacks can be for retail and hospitality. M&S had to pause some online orders during its 2025 breach. Co-op reported that hackers stole customer data that same year. MGM’s earlier breach disrupted hotel and casino operations and was expected to cost $100 million in earnings. These cases reveal a key cybersecurity weakness highlighted in a new report: these industries depend on complex digital systems, many vendors, sensitive customer data, payment networks, and constant uptime. As a result, each new attack method becomes more dangerous, especially now that AI helps attackers find and exploit weaknesses faster, making attacks broader and quicker.

Executive Summary

The 2026 CISO Benchmark Report from RH-ISAC and IANS surveyed 201 CISOs in retail and hospitality. The main findings are that security budgets are rising slightly, staffing levels are steady, and AI is creating new risks and responsibilities. AI has become the top challenge for security leaders, even though it also helps with detection, analysis, and reporting. Security leaders need to address both the benefits and risks of AI now.

The report shows that budgets are increasing slowly, not dramatically. Average IT spending went from 3.2% to 3.9% of revenue in 2025. Security spending rose from 0.57% to 0.75% of revenue. The share of IT budgets going to security changed only slightly, from 5.7% to 5.8%. Boards are making small increases rather than overhauling budgets. CISOs need to manage with careful growth, internal tradeoffs, and tighter execution.

2026 Budget Outlook

More than half of those surveyed expect budgets to rise again next year. According to the report, 54% of CISOs expect budget increases in 2026, while 33% expect budgets to stay the same. Smaller organizations are most confident about growth, while larger companies expect more stability. In hospitality, retail, and other consumer-focused businesses, spending is still expected to rise more often than fall. This shows an understanding of why security investment matters.

What Drives Spending Decisions

Budget increases are mostly tied to business growth, regular yearly changes, and digital transformation. Sudden increases after incidents are less common, which points to more mature planning. On the other hand, budget cuts usually happen because of company-wide cost controls and economic pressures. As one retail security leader put it: “The work is still being done, but it doesn’t have to be in our budget.” This shows that today’s CISOs are maintaining results by guile: reallocating and negotiating, not just waiting for more funding.

Where Security Dollars Go

Security budgets still focus mainly on people and technology. Staff and compensation make up 32% of the average budget, while off-premises software takes 29%. Outsourcing and project work are smaller parts of the budget. Spending on hardware, training, and other areas is even less. Training budgets show a practical approach: 33% goes to conferences and events, and 24% to technical training courses. CISOs are focused on keeping their teams skilled and maintaining cloud-based tools for daily defense.

The Expanding CISO Role

The report shows that CISOs now have a wider range of responsibilities. Most still report to technology leaders: 40% to CIOs and 27% to CTOs, making up 81% overall. Their role now goes beyond traditional operations. CISOs are responsible for vulnerability management, incident response, cloud security, governance, application security, and third-party risk. Seventy percent also oversee AI, and product security is becoming more important. Today, CISOs play a key role in managing enterprise risk.

AI Becomes The Top Friction Point

AI is now the top challenge for security teams, according to the report. It was cited by 62% of respondents, ahead of third-party and supply chain attacks at 54%, and vulnerability management at 41%. The press release highlighted that 71% of respondents see AI as a main concern. The report says AI helps attackers by automating attacks, avoiding defenses, and making threats less predictable. While ransomware and phishing are still serious risks, AI brings “an entirely new layer of uncertainty” to an already difficult threat landscape. As one travel-sector CISO said: “AI hasn’t overtaken them; it’s just added another area of exposure to an already full plate.”

How AI Is Already Used

Security teams see AI as an immediate priority. Sixty-three percent use it for threat detection and analysis, 53% for generative AI reporting and analysis, and 44% for automating incident response. Leaders prefer practical uses over hype. One CISO said they want “boring AI” that actually improves workflows, not flashy solutions. The best results come from real process improvements, not just new technology labels.

Governance Improves, But Risk Stays High

AI governance is improving quickly, but risks remain. Only 3% of organizations do not have an AI policy. Twenty-four percent have full frameworks, 57% have partial frameworks, and 16% are still developing theirs. The main concerns are data leaks through public AI (74%), insider use of unauthorized AI (56%), and weak governance (49%). Even advanced programs worry about unreliable outputs and prompt-based attacks. CISOs now face a more organized but still unstable risk environment.

AI Spending Rises Faster Than Total Budgets

Spending on AI security is rising quickly. Nearly 90% of CISOs expect their AI budgets to grow in the next 12 to 18 months. Of those, 43% expect significant growth and 46% expect moderate growth. However, this increase rarely means bigger overall security budgets: 42% see no change, and 28% say funds are being shifted from other areas. For CISOs, AI is now a major budget item, but it usually does not bring in extra money.

Staffing Stays Stable

Security staffing is expected to remain stable. Most companies plan to retain the same number of employees in 2026. About 35% will add full-time staff, while 20% of CISOs plan to reduce contractor roles. AI is making teams more efficient, but not causing layoffs. CISOs still need to focus on talent strategy, using automation as a support tool.

Execution Barriers Remain Familiar

The biggest challenges in cybersecurity are still internal: you and me, people. CISOs say the main obstacles are conflicting priorities between cybersecurity and IT (70%) and budget limits (68%). Business speed is also a factor for 49%. Issues like governance stress, tight funding, and competing priorities continue to affect outcomes. While AI is changing the landscape, it has not removed the main sources of friction.

Bottom Line

This report provides a clear 2026 benchmark for CISOs. Retail and hospitality companies are putting in money, but cautiously. They are adopting AI, but with care. Staffing levels are steady even as demands increase. Risks remain high because customer focus, third-party relationships, and constant service make failures expensive. Recent breaches have caused obvious and painful disruptions. The pressure is growing: AI now shapes risk, budgets, and the CISO’s responsibilities.

CISO FAQ: AI Risk, Cybersecurity, And Cyber Insurance In Retail And Hospitality

1. What Is The Main Finding Of The CISO Benchmark Report?

AI now leads the list of top cybersecurity friction points for retail and hospitality CISOs.

2. Why Does AI Matter So Much To A CISO Right Now?

AI raises risks around data leakage, misuse, governance gaps, and faster attacker activity.

3. Are Security Budgets Rising For The Average CISO?

Yes. Budgets are rising modestly, with most CISOs expecting incremental growth in 2026.

4. Is AI Driving New Security Spending?

Yes. Nearly 90% of CISOs expect AI-related security investment to increase.

5. Are Companies Adding Large Security Teams?

No. Most CISOs expect staffing to stay stable and use AI to improve efficiency.

6. What Are The Top Non-AI Security Pressures For A CISO?

Third-party risk, supply chain attacks, and vulnerability remediation remain major concerns.

7. How Are Security Teams Using AI Today?

They use AI for threat detection, reporting, analysis, and incident response automation.

8. Do Most Companies Have AI Governance In Place?

Yes. Most have at least partial AI governance, though risk remains high.

9. What Concerns CISOs Most About AI Security?

Data leakage through public AI tools ranks as the biggest concern.

10. What Does This Mean For Cyber Insurance And Risk Leaders?

It signals rising exposure, tighter budgets, and greater pressure on the modern CISO.
