A CIO’s or CFO’s ledger has a fundamental, if unspoken, equation: Resources must, at a minimum, match the scale of the risk. For 2026, however, this equation doesn’t work. Today’s AI supercharges and scales threats, which are multiplying at a rate no technology has ever seen. Meanwhile, many cybersecurity budgets remain stubbornly linear, forcing a series of hard choices about where to invest, what to automate and which risks to accept.
We’ve seen the effects of AI as a massive force multiplier for both attackers and defenders. It both accelerates the pace of attacks and promises new forms of automated defense. For leaders, the real test is how strategically they invest in AI to get the greatest return on security.
This ambiguity — where risk and new technology collide — is familiar territory for Mark Settle. A seven-time CIO (most recently at Okta), an author and an advisor, he guides technology leaders through multiple cycles of disruption, from moving to the cloud to the pressures of downsizing.
I sat down with Mr. Settle to discuss these critical tradeoffs. He reflected on the practical choices security and tech leaders must make as they plan for this new landscape. His insights offer a clear-eyed view for any leader tasked with managing exponential risk with finite resources.
How worried should we be about the pace of innovation on the offensive side of cybersecurity?
It cuts both ways. AI clearly creates new threat opportunities, but it’s also the latest automation tool, after years of automating in cybersecurity. Many CISOs will tell you that criminals don’t need AI yet, because people still make the same mistakes, like clicking on bad links, reusing weak passwords and leaving the door open. In that sense, attackers are still winning the old-fashioned way.
Security threats are multiplying, but budgets aren’t keeping pace. How should tech leaders think about that tension as they approach planning for next year?
That’s the reality they face. You can’t defend on every front at once, and you can’t expect headcount or budgets to suddenly expand. What you can do is recognize that the landscape itself is shifting — through vendor consolidation, category convergence and AI capabilities getting embedded into larger platforms.
If you step back and look a bit beyond one budgeting cycle, those secular changes create opportunities to simplify and focus.
What are the biggest opportunities you see?
If I were going into a budget exercise for next year, I’d be looking at three things.
The first one is consolidation. Everybody complains about the size and complexity of their security tech stack. M&As [mergers and acquisitions] are highly competitive in this space, with major platforms absorbing point solutions. If you look closely, you may find tools you bought two or three years ago that were “must-haves” then but now overlap with what your primary platform vendor does well. Dropping some of those tools saves real money.
Second, some categories are merging. Take vulnerability management, which used to require two separate tools — threat intelligence and vulnerability scanning. Now, you have continuous exposure management platforms that marry those together and add business context. You don’t want to be the last person paying for a tool that’s on its way out.
And the third is AI. Every vendor is pushing AI capabilities right now. My advice would be to experiment aggressively, but with an objective. The one that appeals most to me is automation. Use AI to automate away routine work, reduce latency in responding to threats and eliminate some of the headcount pressure.
The reality is that you’re not going to get more people. Rather, you might be told to make cuts, so it’s better to put these tools to work now.
How do you pull that off without falling into the trap of always pursuing every new tool and capability?
That’s the bigger issue. Do you leverage the AI capabilities your existing vendors are rolling out, or do you also invest in new AI-native products? You can’t really afford to do both, which is where the tradeoff comes in.
My bias is to start with incumbent platforms that their vendors are embedding AI into. You can evaluate their capabilities with your concrete goals. For example, you might ask: Can they automate repetitive tasks? Can they shrink response times? Can they free up people? These areas, I believe, will have the fastest returns.
Once you’ve made those tradeoffs, how do you protect the savings to ensure they’re reinvested in security instead of disappearing into the broader budget?
If you find ways to cut vendor costs or labor dollars, don’t wait for finance to spend the savings on marketing. Talk to the CFO up front and cut a deal. You might say: “If I save three dollars, I get to reinvest two dollars into reskilling and cloud security.” That way, you have a gain-share model that lets you reinvest in security instead of losing out on those dollars.
You’ve talked about automation as the most compelling near-term use case for AI. What happens as AI agents start acting more independently? How does that change your risk calculus?
I don’t believe it’s here yet, but it’s coming — and it’s something I’ve been researching closely. In a multiagent world, AI systems will commission actions on behalf of one another, often with little or no human involvement. That raises fundamental questions about authentication. Today, we think about authenticating a person. But what happens when it’s an agent initiating a transaction on behalf of another agent? How do you establish trust at machine speed? That’s going to reshape identity and access management in the next few years, and CIOs and CISOs will need to start preparing for it now.
As leaders plan for 2026, what’s the biggest change in mindset you would encourage them to make?
Before leaders become enticed by their existing vendors’ new AI capabilities, they need to learn as much as they can about how cybercriminals are using AI to weaponize the threat vectors that matter most to their companies. They need to focus their AI investments on new defensive capabilities that can blunt those AI-turbocharged threats. Simply put, they need to use AI to fight AI.
If you’re curious about what else is on the horizon for 2026, check out Palo Alto Networks Predictions.
