
Cybersecurity Leadership Gap Widens as Threat Landscape Intensifies: Sophos Report

sunil

Global shortage of CISOs, rising ransomware costs, and workforce gaps are exposing organisations to greater cyber risk, says new study

Sophos has released its Sophos CISO Report 2026, highlighting a growing imbalance between escalating cyber threats and the availability of experienced cybersecurity leadership worldwide.

Developed in partnership with Cybersecurity Ventures, the report estimates that only 35,000 Chief Information Security Officers (CISOs) are currently supporting nearly 359 million businesses globally, translating to an approximate 10,000:1 business-to-CISO ratio.

The findings come at a time when global cybercrime costs are projected to surge from US$6 trillion in 2021 to US$12.2 trillion annually by 2031. Ransomware alone is expected to cost organisations US$275 billion annually by the same year, with attacks predicted to occur every two seconds.

The report also points to a significant cybersecurity workforce shortage, with an estimated 4.8 million unfilled roles globally. Leadership burnout is emerging as another major concern, with 75% of CISOs considering a job change and average tenure ranging between 18 and 26 months.

AI is increasingly becoming central to enterprise cyber strategies, according to the report. Nearly 96% of organisations surveyed are already using AI to strengthen cybersecurity operations, while 57% of CISOs identified AI, machine learning, and data analytics expertise as top priorities.

The report further notes that human error remains one of the biggest vulnerabilities, contributing to 70–90% of breaches through phishing, social engineering, and related attack vectors.

From an India perspective, organisations are allocating nearly 24% of their IT budgets toward cybersecurity, among the highest globally. However, increasing digital adoption, talent shortages, and expanding attack surfaces are intensifying enterprise exposure to cyber threats.

“The data clearly shows a structural imbalance in cybersecurity today: 35,000 CISOs supporting hundreds of millions of businesses globally is simply not sustainable. At the same time, cybercrime is projected to reach US$12.2 trillion annually by 2031, while ransomware alone could cost US$275 billion, underscoring the scale of the threat landscape,” said Sunil Sharma.

He added, “For organisations in India and globally, this means cybersecurity leadership must evolve beyond traditional models. To bridge the leadership and skills gap and strengthen resilience, businesses need to look at scalable approaches, leveraging AI, managed services and integrated platforms.”

The report concludes that organisations will need to adopt more scalable, intelligence-led, and partner-driven cybersecurity models to address growing risks and ensure long-term cyber resilience.
