Source: Uptime Institute How CISOs communicate security ROI across the business Source: Splunk CISO survey, 2026 Incident reduction Improved MTTD Improved MTTR Server refresh cycles are slowing down By 2022 lifecycles of five years or more had become the norm 2015 (n=220) 2020 (n=418) 2022 (n=639) 1-2 years Rank 1 Rank 2 Rank 3 3 years 4 years 5 years >5 years 4% 13% 14% 80% 5% 74% 82% 6% 9% 9% 9% 7% 25% 15% 33% 19% 26% 15% 31% 19% 37% 20% 20% 14% CISO Scope of Responsibilities, by Annual Revenue of Company (What is included in your scope of responsibilities?) Less than $100M $100M to $1B $1B to $5B Infosec Responsibilities SecOps 91% 95% 96% Security A&E 95% 91% 96% Infosec GRC 91% 90% 84% AppSec 80% 86% 84% IAM 84% 76% 78% Business Risk Responsibilities Digital risk & compliance 95% 90% 86% Third-party risk management 88% 84% 81% Business continuity 76% 65% 52% Enterprise risk management 66% 36% 24% Broader Security Responsibilities Product security 76% 68% 59% Privacy 64% 40% 32% Physical security 9% 38% 22% Fraud 36% 24% 23% IT Responsibilities All/parts of IT 57% 33% 23% IT compliance 53% 29% 16% IT operations 51% 25% 16% Networking 51% 22% 18% IT infrastructure 49% 24% 15% IT architecture 48% 24% 13% OT 40% 21% 11% App development network 39% 15% 7% Source: IANS State of CISO Report of new capabilities doesn’t introduce critical vulnerabilities.” Incidentally, but worth always keeping in mind, 78 percent of CISOs rank data leaks as their top concern with AI, according to Splunk’s figures. Second on the list was shadow AI, which presents a direct challenge to governance, control and the integrity of security operations. The third most common AI concern was the potential negative effects of hallucinations, such as misinformed decision making at scale. Rolling Responsibilities Beyond the realm of AI, the functional scope of the CISO role continues to expand into adjacent domains, suggests more than five years of IANS survey data, supported by ongoing conversations with CISOs. In this year’s survey, 53 percent of CISOs reported their responsibilities have grown during the past 12 months, a reality that holds true across organizational sizes and industries. Information security remains at the core of CISOs’ responsibilities, with that vast majority overseeing elements such as SecOps, security engineering and architecture (A&E), government and risk compliance (GRC) and application security (AppSec) – and, increasingly, identity and access management (IAM). More recently, however, many CISOs have seen their portfolios broaden to include business risk functions such as third-party risk management and disaster recovery, 28 CHANNELVISION | SPRING 2026
RkJQdWJsaXNoZXIy NTg4Njc=