What Boards Are Asking: The CIO, CFO, and CISO Response for 2026

In 2026, cybersecurity presents a leadership dilemma: although budgets are rising, real resilience is constrained by complexity, legacy systems, AI-driven threats, regulatory pressure, and talent shortages. This paper explores how the CIO, CFO, and CISO must jointly address value scrutiny, tool sprawl, and the execution gap through engineered Zero Trust, practical risk quantification, and continuous validation. It argues that only stronger alignment and evidence-based decision logic across this C-level triad can turn growing cyber investments into measurable enterprise value.
by Yuri Bobbert | February 17, 2026

Introduction

Clayton Christensen’s The Innovator’s Dilemma starts with an uncomfortable truth: great companies often fail not because they’re poorly managed, but because they’re well managed. They listen carefully to their best customers, optimize for predictable returns, and allocate resources to initiatives that align with existing performance metrics and margin expectations. Over time, those very “good management” habits create a structural bias toward sustaining improvements (making today’s model better) and away from disruptive bets (new models that look smaller, messier, and less profitable at the start). Christensen’s point is not that leaders are irrational; it’s that the organization’s resource-allocation logic is rational for exploitation, and therefore systematically hostile to exploration.

That tension is not unique to product innovation. James March famously described organizational learning as a balancing act between exploration (search, experimentation, variation) and exploitation (refinement, efficiency, execution). Exploration is uncertain and often “inefficient” in the short run; exploitation pays off quickly but can lock you into yesterday’s assumptions. In other words, if you over-invest in exploitation, you become very good at a world that is already disappearing; if you over-invest in exploration, you may never operationalize the basics. Peter Hinssen talks about the pitfall of managing the “shit of yesterday”. This is why the ambidexterity literature argues that long-term survival requires doing both at once, sometimes via separate structures, sometimes via carefully designed governance that protects exploration from being suffocated by the metrics of exploitation.

Cybersecurity in 2026 is living inside this exact dilemma. The market signals say “spend more”. SecureWorld summarizes KPMG's findings that 99% of leaders plan to increase cybersecurity budgets and that many expect material growth, driven by AI-powered threats. Yet those same sources highlight a confidence gap: leaders worry most about AI-driven social engineering and targeted attacks, and a relatively small share rate their defenses as effective against them. This is Christensen’s pattern in a new costume: boards and executives will fund what they can see and govern, but the threat has shifted in ways that make the “old performance measures” (tool counts, compliance checkmarks, activity metrics) increasingly misleading.

“There are decades where nothing happens. And then there are weeks where decades happen.” – Peter Hinssen

 

That’s where this article’s triangle, CIO, CFO, CISO, becomes the practical answer to the innovator’s dilemma in cyber. Each role is structurally rewarded for exploitation: the CIO for uptime, delivery, and architectural continuity; the CFO for predictability, controllable spend, and demonstrable ROI; the CISO for reducing incidents and satisfying assurance requirements. Those incentives are not wrong; they keep the enterprise running. But the same incentives can also make it hard to fund and operationalize the “new game” (identity fog from non-human identities, AI-enabled fraud/social engineering, post-quantum preparation), because those initiatives start uncertain, cross-domain, and rarely show immediate payback in traditional terms.

So the CIO–CFO–CISO relationship is an ambidexterity design problem. If the triad governs cyber only through the lens of exploitation, organizations will continue to accumulate complexity (tool sprawl, overlapping controls, fragmented data). They will struggle to convert rising budgets into real resilience. If the triad creates protected space for exploration, while insisting that exploration must still become engineered, validated capability, then strategies like Zero Trust, cyber risk quantification (as ranges and scenarios, not fake precision), and landscape rationalisation can actually deliver what boards want: lower exposure, lower operational drag, and more straightforward decision logic.

What were the three core problems in 2025?

In 2025, the digital landscape was characterized by rapid technological progress, increased IT investments, and growing regulatory demands. As we address AI-driven threats, update legacy systems, and align technology with business objectives, the roles of the CIO, CFO, and CISO have become increasingly interconnected. This section discusses the main issues of 2025; the next section formulates strategies for 2026 and the ambidexterity capabilities organizations need in order to exploit and explore better.

1. Proving business value under pressure (ROI, risk, and spend scrutiny)

Gartner’s 2025 view of CIO challenges emphasizes maximizing business value and cost optimization while still navigating cybersecurity and AI. In parallel, BCG’s IT spending pulse shows continued growth expectations (e.g., 2.9% for 2025 and 3.6% for 2026), but with explicit attention to priorities such as security and risk mitigation and vendor consolidation, a signal that boards want value, not just more tools[1].

In my recent publication on cybersecurity investment decisions, I explain why “classic ROI” often fails in security: investment decisions are multi-factor and context-dependent, typically balancing TCO, compliance, maturity, risk reduction, technical requirements, strategic alignment, and contextual fit, often with intuition filling the gaps. The takeaway for the CIO–CFO–CISO triad: you don’t win budget conversations with spend narratives; you win with decision logic and fact-based outcomes.


2. The hidden risk multiplier: complexity, tool sprawl, and legacy drag

Gartner and CIO Magazine explicitly call out that legacy systems create real constraints and security vulnerabilities, as we saw with the British Library legacy hack[1]. Gartner goes even further with its “legacy” definition shift: the threshold for what counts as “legacy” has changed, and by 2025 any system not built for the cloud (non-cloud) is considered legacy.

SecureWorld quotes CISOs describing the operational reality: security leaders must rationalize toolkits, minimize duplication, and “manage their spend accordingly.” BCG similarly elevates vendor consolidation as a strategic move. In my 2022 publication "Perspectives from 50+ Years' Practical Zero Trust Experience and Learnings on Buyer Expectations and Industry Promises," I reflect on the growing problem of “tool sprawl”, where enterprises now average 20-45 security tools, each with license, integration, and tuning costs, not to mention the cumulative complexity that every added tool brings. Unfortunately, this tool sprawl will continue, as cybersecurity vendors still overwhelm the market with point solutions that rarely deliver on their promise[1]. This information asymmetry between buyers and sellers is an increasing problem, and new AI-based tools, with the opacity they bring, will only add to the complexity.

This explosion of tools is not only a cost problem; it’s an exposure problem. My often-referred-to “knowing-doing gap” article illustrates how written policies fail when they are not technically enforced and continuously validated; misconfigurations and weak operationalization amplify the impact of breaches[2] and their economic externalities.

 

3. The execution and governance gap (AI threats, regulation, and talent scarcity)

KPMG’s survey ranks AI-powered threats as leaders’ top concerns (e.g., AI social engineering, AI-enhanced malware/ransomware, automated phishing). Meanwhile, governance expectations keep rising: NIS2 explicitly increases board-level responsibilities and demands structured oversight and measures. In mergers and acquisitions (M&A) contexts, cybersecurity due diligence is increasingly framed as either a strategic lever or a costly miss, because hidden cyber debt becomes real enterprise risk post-deal. Typically, the CFO oversees valuation of tangible assets like inventory, goodwill, buildings, and funds. Currently, the CIO takes on the role of identifying valuable intangible assets, including customer data, behavioral data, crypto assets, and technology talent. Meanwhile, the CISO points out hidden vulnerabilities in the technology being acquired. Today, these three roles should work closely together, with their responsibilities increasingly intertwined.


Finally, 53% of leaders cite the lack of qualified candidates as a high-impact challenge. My work with Morgan Djotaroeno and Professor Bas van Gils on diversity and inclusion reinforces a practical point: the skills challenge is not only about “more people” but about more diverse and adaptable capabilities, especially when roles require continuous learning and strong technical validation. The roles in digital security are changing drastically now that AI, regulatory inflation, and data as currency have become the norm. These trends will demand other capabilities and, therefore, new or adjusted roles such as: Cyberdata Analyst, Cyber Attack Agent, Cyber Calamity Forecaster, Machine Risk Officer, Virtual Identity Defender, Data Trash Engineer, Cloud Orchestration Architect, Security Vaccinator, Cyber Talent Magnet, and AI Auditor. In the article Influential Trends for Emerging Roles in Digital Security, I highlight the problems of failing to anticipate these roles and why education is key. What we learn here is that AI-driven threats require architecture-level change, not incremental tool add-ons.
 

What remedial strategies are needed in 2026, and what does that require from the industry?

Below are the practical “2026 moves” that connect directly to the 2025 problems, along with the symbiotic operating model they require from the CIO, CFO, and CISO, and the ambidexterity capabilities they need.

1) Zero Trust that is engineered (not proclaimed), measured, and assured

My earlier mitigation guidance is blunt: translate Zero Trust and security intent into technical controls and automated checks, and continuously validate posture[1]. I extended this thinking with Tim Timmermans into data governance, writing the article "Overcoming the Fear of Missing Out on Data," where we advocate a Zero Trust mindset that relies on continuous verification and scrutiny, not on assumed trust[2]. What this requires from industry is design with the end in mind, meaning: how do we gain better control over the validation of our design? How do we automate the evidence and ensure “policy-as-code” approaches that reduce manual assurance overhead? In 2025, I wrote the article “Tech Regulations: How to Relieve the Burden of Supervisory Bodies and Reduce Risk for Investors,” outlining practices that can reduce the bureaucratic burden perceived by CIOs and CISOs and offer assurance similar to what the CFO must provide over the company’s financial figures[3]. In that article I detail how continuous telemetry measurement and reporting enable better visibility and improved resilience, resulting in improved insurance coverage and lower cyberinsurance premiums, simply because breaches are less likely and have a lower impact.

2) Cyber Risk Quantification and investment governance lead to better “Bang for the Buck” 

The Antwerp Management School’s “investment pyramid” explains why different decision contexts (hygiene vs. compliance vs. risk-driven scenarios) require distinct decision criteria, and why governance must make trade-offs explicit by combining quantitative evidence with expert judgment. This requires from industry: usable quant methods (ranges, not false certainty), credible proxies, and standardized reporting that boards can govern. Anyone who thinks risk quantification is only for experts and is wrapped in complexity, jargon, and mystique is wrong. In the 2025 publication “On Improving the Adoption of Cyber Risk Quantification”, we (Jesus Caetano, VP Security at Barry Callebaut, and I) detail how traditional biases can be addressed and practical hurdles can be overcome. One of the key findings of this study was that all respondents believed that cyber risk quantification enriches decision-making and helps companies get more “bang for their buck”. This indicates a growing recognition among organisations of the importance of data-driven decision-making and the role of cyber risk quantification in enabling this.
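To make “ranges, not false certainty” concrete, the following Python sketch is an added illustration (it is not code from the article, the investment pyramid, or the cited study). It turns two calibrated 90% intervals per scenario, how often an event happens per year and what it costs when it does, into a simulated distribution of annual loss, reports percentiles and the probability of exceeding a board-level threshold, and compares a candidate control by the expected loss it avoids per euro of annual cost. The scenario name, frequencies, loss figures, and control parameters are constructed for illustration.

```python
"""Range-based cyber risk quantification (added example; scenario values are constructed)."""
import math
import random
from dataclasses import dataclass

Z_90 = 1.645  # standard-normal quantile that bounds a two-sided 90% interval


@dataclass(frozen=True)
class Scenario:
    name: str
    freq_low: float   # 5th percentile of events per year
    freq_high: float  # 95th percentile of events per year
    loss_low: float   # 5th percentile of loss per event (EUR)
    loss_high: float  # 95th percentile of loss per event (EUR)


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Map a 90% interval (low, high) onto lognormal (mu, sigma) in log space.

    The geometric midpoint becomes the median; the interval width fixes sigma.
    """
    if not 0 < low < high:
        raise ValueError("interval must satisfy 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_90)
    return mu, sigma


def poisson(rng: random.Random, rate: float) -> int:
    """Draw one year's event count at the given mean rate (Knuth's method)."""
    if rate > 30:  # exp(-rate) would underflow; a normal approximation is adequate here
        return max(0, round(rng.gauss(rate, math.sqrt(rate))))
    threshold = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate_annual_loss(sc: Scenario, freq_reduction: float = 0.0,
                         trials: int = 10_000, seed: int = 7) -> list[float]:
    """Return `trials` simulated annual losses for one scenario.

    freq_reduction is the fraction by which a control lowers event frequency
    (0.5 halves how often events occur); loss per event is left unchanged.
    """
    rng = random.Random(seed)
    f_mu, f_sigma = lognormal_params(sc.freq_low, sc.freq_high)
    l_mu, l_sigma = lognormal_params(sc.loss_low, sc.loss_high)
    losses = []
    for _ in range(trials):
        rate = rng.lognormvariate(f_mu, f_sigma) * (1.0 - freq_reduction)
        events = poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(l_mu, l_sigma) for _ in range(events)))
    return losses


def summarize(losses: list[float], threshold: float) -> dict[str, float]:
    """Percentiles, mean, and probability of exceeding a board-level loss threshold."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(q: float) -> float:
        return ordered[min(n - 1, int(q * n))]

    return {
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "mean": sum(ordered) / n,
        "p_exceed": sum(1 for x in ordered if x > threshold) / n,
    }


def control_value(sc: Scenario, freq_reduction: float, annual_cost: float,
                  trials: int = 10_000, seed: int = 7) -> dict[str, float]:
    """Expected annual loss avoided by a control, net of its cost, plus the benefit ratio."""
    base = sum(simulate_annual_loss(sc, 0.0, trials, seed)) / trials
    treated = sum(simulate_annual_loss(sc, freq_reduction, trials, seed)) / trials
    avoided = base - treated
    return {"expected_loss_before": base, "expected_loss_after": treated,
            "avoided": avoided, "net_benefit": avoided - annual_cost,
            "benefit_per_euro": avoided / annual_cost}


if __name__ == "__main__":
    # Constructed scenario: ransomware on a legacy, non-cloud platform.
    legacy = Scenario("legacy platform ransomware", 0.2, 2.0, 50_000, 800_000)
    print(summarize(simulate_annual_loss(legacy), threshold=1_000_000))
    # Constructed control: segmentation plus validated backups, assumed to halve frequency.
    print(control_value(legacy, freq_reduction=0.5, annual_cost=60_000))
```

The output a board can govern is the range (p10/p50/p90 and the exceedance probability), not the mean alone: the p10 is often zero because many simulated years have no event, which is exactly the information a single point estimate hides. The control comparison gives the “bang for the buck” ratio the section refers to, and the same routine can be rerun with the frequency and loss intervals a team actually calibrates.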

3) Landscape rationalisation and “tool sprawl reduction” as a security control

CISOs describe the real workload: rationalize toolkits, minimize duplication, and manage spend. This is a CIO-led architectural program with CFO governance and CISO risk prioritization. This requires from industry: platforms that truly integrate (not bundle marketing), clean interoperability, and measurable reductions in operational drag and unnecessary data duplication.

4) Data minimization and “attack-surface dieting” (security + cost + compliance)

In today's information age, data is essential for organizational functioning. While Big Tech firms use vast amounts of data and AI to innovate, EU regulations such as GDPR promote cautious, purposeful data collection. The trend toward greater data collection presents a significant challenge for organizations: collecting too much data can lead to non-compliance with strict data protection laws, damage reputations, expose organizations to legal issues, and increase the likelihood of data breaches that threaten sensitive information and cybersecurity. Along with Timmermans, I pointed out the security and legal dangers of over-collecting data: “every dataset becomes an additional target,” expanding the attack surface. We also discuss practical “data diet” strategies, such as minimizing data collection, implementing automatic retention policies, and deleting unused data, and highlight their connection to costs, such as cloud pay-as-you-go. This requires from the industry: automated retention, labeling, and enforceable governance built into platforms, not bolt-ons[1].

5) Reliable IT as the base layer; continuous validation + resilient operations 

My investment pyramid is explicit: basic cyber hygiene depends on reliable IT operations (efficient ITIL processes and validations); unstable environments are inherently complex to secure. My “knowing-doing gap” similarly underscores the need for continuous validation and enforcement to prevent policy drift. This requires from the industry: validation tooling (and the knowledge and understanding of how to operate it), breach-and-attack simulation maturity, and operational support models that don’t overload scarce teams.

Conclusions

The “cyber budget boom” is less a victory lap and more a signal that demand is outpacing capacity. When 99% of leaders plan to spend more, but only a minority feel highly effective against the fastest-growing attack vectors (especially AI-driven social engineering), the constraint isn’t intent; it’s execution bandwidth. The data points to a structural bottleneck: budgets can rise quickly, but organizations still face hard limits in available resources and qualified candidates, which means spending can inflate faster than real resilience. 

• The CIO–CFO–CISO “alignment problem” is, in practice, an evidence problem. We keep treating cyber like it needs a single magic ROI number, while the field reality is that decision-making is contextual and multi-factor: TCO, compliance, maturity, risk reduction, technical requirements, strategic alignment, and contextual fit all matter, and most organizations still mix a subset of these with intuition. The opportunity for 2026 is not to demand perfect quantification, but to professionalize the quality of the story: ranges over point estimates, scenarios over slogans, and a clear separation between hygiene, compliance, and risk-driven investments, so the CFO can sponsor the method, the CIO can industrialize it, and the CISO can defend it.

• The “tool sprawl” isn’t just a security irritation; it’s a balance-sheet and reliability issue that sits precisely at the overlap of CIO, CFO, and CISO responsibilities. Security leaders are being explicitly pushed to rationalize toolkits, reduce duplication, and favor integrated platforms, while IT leaders are simultaneously moving toward supplier consolidation as a pragmatic way to simplify portfolios, free up funding for innovation, and reduce risk. Meanwhile, the reality of the application portfolio is that legacy systems are expensive, create fit issues, and can introduce security vulnerabilities that are hard to address, so consolidation without modernization is just cost-shifting, not risk reduction.

• “Data gravity” has become the hidden amplifier behind both costs and cyber exposure, making data minimization a shared strategic lever rather than a compliance footnote. The data-diet logic is blunt: make storage costs concrete, delete based on usage, and keep “as little as possible, as much as necessary.” When you combine that with a zero-trust mindset in data governance, continuous verification, enforced retention, and scrutiny as standard, you get a rare win-win: lower attack surface and lower operational drag. No surprise, then, that leaders are prioritizing data security/privacy while doubling down on identity as the new perimeter.

• The “knowing–doing gap” is the quiet reason many “good strategies” underperform, and it reframes what boards should fund. If policies aren’t translated into technical controls and continuously verified, you don’t have governance; you have documentation. The practical implication for the CIO–CISO relationship is that validation must be treated like an engineering discipline instead of documentation hoarding. For the CFO, it must be treated like an ongoing operating capability, not a one-time audit line item. This maps cleanly onto the investment-pyramid logic: start with measurable hygiene coverage, then prove compliance, and only then optimize scenario-specific spend.

• The talent problem is no longer “just hiring”; it’s a design constraint that shapes what strategies are even feasible. Leaders openly cite a lack of qualified candidates and an increasing reliance on partners to access specialized expertise and accelerate implementation; at the same time, my research argues that people must come first and that a deliberate diversity-and-inclusion strategy broadens the resource pool while improving problem-solving capacity.

Finally, looking ahead: architecture is making a comeback. The SecureWorld discussion highlights two significant future challenges: post-quantum requirements emerging faster than many governance cycles can adapt to, and a surge in non-human identities that generates “identity fog” across the cloud, networks, and DevOps. This is precisely the type of risk where the CIO can’t “delegate to security,” the CISO can’t “solve with a tool,” and the CFO can’t “approve a budget and move on.” It requires crossing the silos and the ambidexterity capabilities to exploit what we have and explore how we can best improve and make bold moves together.


 

Sources

[1] Clayton Christensen (1997) The Innovator’s Dilemma: When New Technologies Cause Great Firms to Fail

[2] James G. March (1991) Exploration and Exploitation in Organizational Learning. Organization Science, Vol. 2, No. 1, Special Issue: Organizational Learning: Papers in Honor of (and by) James G. March, pp. 71-87

[3] Charles A. O’Reilly & Michael L. Tushman (2013) Organizational Ambidexterity: Past, Present and Future

[4] Cam Sivesind (2025) of SecureWorld on “The Great Cyber Budget Boom: 99% of Leaders Are Increasing Spend”

[5] BCG (2025) IT Spending Pulse: With Rising Optimism, CIOs Pursue Targeted Investments in AI and Security Priorities

[6] CIO Magazine “A strategic approach to legacy platform modernization: Minimizing risk while maximizing value”, source: https://www.cio.com/article/3853663/a-strategic-approach-to-legacy-platform-modernization.html and British Library, Learning lessons from the cyber-attack, source: https://www.bl.uk/stories/blogs/posts/learning-lessons-from-the-cyber-attack

[7] Yuri Bobbert (2022) "Perspectives from 50+ Years' Practical Zero Trust Experience and Learnings on Buyer Expectations and Industry Promises," in SAI Conferences, Antwerp

[8] Yuri Bobbert (2025) The Knowing-Doing Gap in Digital Security: The Silent Risks of Not Validating Your Security Controls Regularly. Three Takeaways to Close the Gap. Source: https://isaca.nl/the-knowing-doing-gap-in-digital-security/

[9] Yuri Bobbert (2024) The NIS2 – What Boards Must Do, source: https://www.antwerpmanagementschool.be/en/blog/the-nis2-what-boards-must-do

[10] Yuri Bobbert & Lucas Kuijpers (2025) Cybersecurity due diligence in M&A: a strategic lever or a costly misser? In M&A Magazine 2025

[11] Cam Sivesind of SecureWorld on “The Great Cyber Budget Boom: 99% of Leaders Are Increasing Spend”

[12] Yuri Bobbert & Vincent van Dijk, Influential Trends for Emerging Roles in Digital Security, in ISACA Journal

[13] Bobbert (2025) The Knowing-Doing Gap in Digital Security: The Silent Risks of Not Validating Your Security Controls Regularly. Three Takeaways to Close the Gap.

[14] Yuri Bobbert & Tim Timmermans, Overcoming the Fear of Missing Out on Data, https://link.springer.com/chapter/10.1007/978-3-031-73128-0_7

[15] Bobbert (2024) Tech Regulations: How to Relieve the Burden of Supervisory Bodies and Reduce Risk for Investors, https://www.isaca.org/resources/isaca-journal/issues/2024/volume-3/how-to-relieve-the-burden-of-supervisory-bodies-and-reduce-risk-for-investors

[16] Yuri Bobbert & Tim Timmermans, Overcoming the Fear of Missing Out on Data, https://link.springer.com/chapter/10.1007/978-3-031-73128-0_7
