Why Cyber Risk Quantification Is Essential in Today’s Risk Landscape

Image from Protiviti's Top Risks Survey

In any volatile business environment, risk and opportunity are two sides of the same coin. The newly released 2026 Executive Perspectives on Top Risks and Opportunities — the 14th annual edition from Protiviti and NC State University’s ERM Initiative — offers a sweeping view of what’s on the minds of board members and C-suite executives worldwide. The message is clear: organizations that treat risk management as a catalyst for innovation and growth are best positioned to thrive.


Blog post contributed by Sameer Ansari, Managing Director, Global CISO Solutions Leader, and Daniel Stone, Director, Technology Risk and Resilience - Protiviti


But as digital transformation accelerates, one risk stands at the top: cybersecurity. This year, cyber threats are ranked as the top global near-term risk and the top investment priority for organizations seeking resilience and growth.

Cybersecurity: the universal risk

Across industries, geographies and organization sizes, cyber threats are the most consistently ranked concern. Board members, CEOs and CISOs alike recognize that the risk posed by digital vulnerabilities transcends functional boundaries. In a recent webinar covering this survey, Sameer Ansari, Protiviti’s global lead for security and privacy, cited the following key drivers of this increased visibility for cyber threats:

  1. Executives and boards are thinking more in terms of “When we do have an event, how will we be able to respond and recover?”
  2. Cybersecurity is a foundation for trust, enabling revenue growth or leading to lost sales if not carefully maintained.
  3. AI is putting pressure on foundational cyber capabilities to improve their depth and effectiveness.

Third-party risks, closely tied to cyber concerns, rank second among global near-term concerns. As organizations expand strategic alliances and partnerships (62% of organizations indicated they plan to expand their ecosystem partnerships), the complexity of managing external dependencies grows. This interconnectedness amplifies the potential impact of cyber incidents, making robust third-party risk management frameworks essential.

This universal prioritization reflects a growing recognition that cybersecurity impacts brand reputation, operational continuity and regulatory compliance. The report’s findings show that 43% of executives identify cybersecurity as their top strategic investment priority, well ahead of other areas.

Top strategic investment priorities. Source: Protiviti’s Top Risks Survey

AI and the expanding attack surface

The Top Risks report highlights how the rapid adoption of AI and ecosystem expansion are reshaping the risk landscape. AI is both a transformative growth driver and a complex challenge. This year’s report includes a section focused specifically on the top priorities related to the impact of AI and, with no surprises there, data and cyber exposure relating to AI use was the top priority of 31% of respondents.

Interestingly, when diving into the individual respondents’ data, equipping the workforce to realize AI’s value proposition is the top priority of the board and CEO roles, though cyber threats relating to AI were close behind.

The data show that organizations want to deploy effective AI and realize value from it, and one possible risk to achieving that goal is inadequate cybersecurity investment.

Investment planning: cybersecurity as a fiduciary obligation

The survey also shows a decisive shift in investment priorities. Capital is being dedicated to fixing the operational core, ensuring security compliance and building the infrastructure needed to scale AI and other digital capabilities. With regulatory requirements constantly evolving, investment in privacy infrastructure is inseparable from security.

For CFOs and COOs, cybersecurity and data privacy are non-negotiable costs of fiduciary duty. For CIOs and CISOs, these investments form the technical defense layer needed to manage increasingly complex and fragmented regulatory oversight. The report’s industry analysis confirms that sectors dealing with highly sensitive data or critical infrastructure place an existential premium on defense.

Why cyber risk quantification — and FAIR — are imperative

Despite the survey responses highlighting the importance of cybersecurity investments, Protiviti’s Sameer Ansari also highlighted in a recent webinar that CISOs are “seeing their budgets are staying flat – maybe up 2 or 3%. CISOs are hoping their organizations’ revenue growth will help drive their budgets to increase more dramatically” to address these risks in 2026. It is clear that CISOs may need to continue doing “more with less,” though optimism in revenue growth is strong.

At the same time, many organizations still rely on qualitative assessments including heat maps and color-coded dashboards that fail to answer the most pressing question: is the investment our organization makes in cybersecurity reducing our risk in financial terms?

This is where Factor Analysis of Information Risk (FAIR) becomes indispensable. By breaking risk into measurable components such as loss event frequency and loss magnitude, FAIR transforms vague risk statements into actionable insights.

Instead of saying “ransomware risk is high,” FAIR enables us to confidently say, hypothetically:

“Our average annualized loss exposure for ransomware is $8.2M (for example), which is our top risk. Based on our analysis, since we show that identity and backup technology investments have the biggest effect on reducing this risk, we should allocate up to 60% of our additional new funding to these areas for 2026. Additional funding could be better used to address other top risks.”

This level of precision empowers leadership to make informed decisions about where to invest, what to prioritize and how to justify cybersecurity budgets.

Linking data to action: how FAIR supports investment planning

The report’s findings underscore the need for risk-based prioritization. With cyber threats as the top risk and investment priority, organizations must ensure that every dollar spent delivers measurable risk reduction. FAIR enables organizations to intelligently deliver:

  • Cost-benefit analysis: quantify how a $500K investment in advanced identity management and authentication capabilities reduces annualized loss expectancy by millions.
  • Scenario modeling: compare the impact of investing in Zero Trust versus expanding backup recovery capabilities.
  • Strategic alignment: present cybersecurity initiatives as enablers of business resilience and cost efficiencies, not just technical upgrades.

This approach transforms budget conversations from defensive cost-justification to proactive business enablement.

The call to action: start small, scale fast

Cyber risk is business risk, and a top investment priority for organizations. Treating it as such requires moving beyond qualitative guesswork to quantitative clarity. Organizations don’t need a massive overhaul to begin quantifying risk. Start with a pilot:

  • Identify three to five critical risk scenarios for the organization (e.g., ransomware, third-party breach).
  • Gather data from internal sources and industry benchmarks or use a quantification platform with these insights natively included.
  • Run a FAIR analysis to estimate annualized loss expectancy and prioritize controls.

From there, scale to a full cyber risk quantification program integrated with governance, risk and compliance processes.
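
The pilot steps above, carried through as a small Monte Carlo run: this is an added example, not code from Protiviti or the FAIR Institute. Every scenario range, control cost and effect multiplier is constructed for illustration, and triangular and Poisson distributions stand in for whatever distributions a calibrated FAIR model would use.

```python
import math
import random
from statistics import mean

# Constructed (min, most likely, max) estimates: lef = events/year, lm = USD per event.
SCENARIOS = {
    "ransomware": {"lef": (0.1, 0.4, 1.0), "lm": (1e6, 8e6, 40e6)},
    "third_party_breach": {"lef": (0.05, 0.2, 0.6), "lm": (5e5, 3e6, 20e6)},
}
# Hypothetical controls: annual cost plus assumed multipliers on LEF and LM.
CONTROLS = {
    "identity_mfa": {"scenario": "ransomware", "cost": 500_000, "lef_x": 0.5, "lm_x": 1.0},
    "backup_recovery": {"scenario": "ransomware", "cost": 800_000, "lef_x": 1.0, "lm_x": 0.6},
}

def poisson(rng, lam):
    """Sample an event count (Knuth's method; fine for small yearly rates)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate(lef, lm, lef_x=1.0, lm_x=1.0, years=20_000, seed=7):
    """Simulate annual losses; return the mean (ALE) and the 90th percentile."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n = poisson(rng, rng.triangular(lef[0], lef[2], lef[1]) * lef_x)
        losses.append(sum(rng.triangular(lm[0], lm[2], lm[1]) * lm_x for _ in range(n)))
    losses.sort()
    return {"ale": mean(losses), "p90": losses[int(0.9 * years)]}

def rank_controls(scenarios=SCENARIOS, controls=CONTROLS):
    """Rank controls by ALE reduction per dollar of annual cost."""
    rows = []
    for name, c in controls.items():
        s = scenarios[c["scenario"]]
        base = simulate(s["lef"], s["lm"])["ale"]
        residual = simulate(s["lef"], s["lm"], c["lef_x"], c["lm_x"])["ale"]
        rows.append((name, base - residual, (base - residual) / c["cost"]))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for scen, est in SCENARIOS.items():
        print(scen, {k: round(v) for k, v in simulate(est["lef"], est["lm"]).items()})
    for name, cut, per_dollar in rank_controls():
        print(f"{name}: ALE reduction ${cut:,.0f}, {per_dollar:.1f}x annual cost")
```

The 90th percentile is reported next to the mean because annual loss is heavily skewed: most simulated years have no loss event, so the average alone understates a bad year.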

Ready to learn more? Explore additional resources at:

Top Risks 2026: Executive Perspectives & Growth Opportunities | Protiviti US - Cyber risk quantification
