The job of defending corporate networks is getting harder and more personal.
Cyber attackers are abandoning the noisy tactics that once dominated breach headlines and shifting toward quieter, faster forms of extortion. At the same time, the chief information security officers (CISOs) responsible for stopping them are increasingly worried they could be held personally liable when things go wrong.
These are the findings from Arctic Wolf’s 2026 Threat Report and Splunk’s The CISO Report: From Risk to Resilience in the AI Era study.
According to Arctic Wolf, ransomware, business email compromise and data theft accounted for 92% of incidents it handled in 2025.
However, the nature of those attacks is changing. Data-only extortion — where hackers steal sensitive information and threaten to release it rather than encrypting systems — surged from 2% to 22% of cases year on year, an elevenfold increase.
The shift reflects improved corporate backup and recovery capabilities, which have eroded the leverage of encryption. In response, cyber attackers are turning to data theft and the threat of reputational or regulatory fallout as a more dependable form of coercion.
“Attackers continue to rely on operational efficiency — logging in instead of breaking in, stealing data instead of encrypting it, and exploiting trusted tools rather than complex vulnerabilities,” says Ismael Valenzuela, vice president of labs, threat research and intelligence at Arctic Wolf.
Most intrusions no longer hinge on cutting-edge exploits. Nearly two-thirds (65%) of non-email-based breaches in Arctic Wolf’s caseload stemmed from abused remote access technologies such as remote desktop protocol, virtual private networks and remote monitoring tools. All of the most exploited vulnerabilities last year had been disclosed in 2024 or earlier, pointing to weak credential hygiene rather than software innovation.
When ransomware does hit, the financial outcomes are often less dramatic than public narratives suggest. Arctic Wolf found that 77% of affected organisations did not pay in 2025. Among those that did, professional negotiators reduced ransom demands by an average of 67%.
That data underscores the value of preparation and the growing role of a specialised negotiation industry in limiting damage. “When defenders identify malicious activity before an adversary can detonate ransomware or escalate privileges, the difference in cost, downtime and business disruption is dramatic,” comments Kerri Shafer-Page, Arctic Wolf’s vice president of incident response.
Cases where attacks were stopped before encryption accounted for 5% of incidents, reinforcing that detection speed has become one of the few clear advantages defenders can still claim.
The expanding role of chief information security officers
For CISOs, the technical challenge is now matched by personal risk. More than three-quarters of security leaders surveyed by Splunk say they worry about personal liability for security incidents, up from just over half a year earlier. The jump reflects a regulatory and boardroom environment increasingly willing to hold individuals accountable.
Their remit is widening too. Nearly all CISOs said AI governance and risk management now fall under their responsibility, while more than four in five oversee secure software development, which was once owned by engineering teams.
“CISOs operate in the eye of the storm. Role responsibilities expand, threats evolve, and AI accelerates everything,” says Michael Fanning, CISO at Splunk, a Cisco company.
Splunk’s study also found that while artificial intelligence (AI) is helping security teams cope, it is also making their jobs harder.
CISOs say AI enables them to review more security events (92%) and supports data correlation (89%). Among those using agentic AI systems that act autonomously, 39% strongly agree that the technology more than doubled reporting speed.
Yet, 86% fear the same tools will sharpen social engineering attacks. Arctic Wolf found AI-enhanced phishing drove an 85% phishing-linked rate across business email compromise cases last year. More than four-fifths of CISOs also worry that AI will speed up cyber attackers’ ability to maintain persistence inside networks.
The strain is showing. Nearly two-thirds of cybersecurity teams report moderate to significant burnout. High alert volumes, false positives and tool sprawl were cited as the biggest stressors, suggesting that the problem is not a lack of data, but too much of the wrong kind.
Despite the rise of automation, CISOs say they are still addressing skills gaps primarily by training staff, hiring full-time employees and using contractors. AI, the Splunk survey suggests, is a force multiplier rather than a replacement, particularly for judgment-heavy tasks such as threat hunting.
What is changing is who owns the problem. Sixty-two per cent of CISOs say joint accountability across the C-suite delivered the most value for major security initiatives, with more than half pointing to shared budget ownership.

