The international technology strategy and management consultancy Eraneos has presented the report “The Voice of Spanish CISOs 2026”, a study that gathers the views, priorities and challenges of more than thirty cybersecurity directors at Spanish companies that lead their respective sectors and span practically all areas of activity.
The analysis, prepared from the conclusions of the first Eraneos Cybersecurity Summit, confirms a profound change in the way Spanish organizations understand and manage digital risk. Eduvigis Ortiz, Cybersecurity Head Iberia at Eraneos and co-author of the study, warns that “identity, industrialized cybercrime and the growing complexity of digital ecosystems are redefining risk. In this new environment, resilience is no longer an ideal and becomes the decisive factor to protect and sustain the business.”
Protect corporate reputation
The study shows that cybersecurity has reached an unprecedented level of strategic maturity in Spanish organizations. So much so that 88% of CISOs claim to have a cybersecurity master plan approved by senior management, a figure that confirms the full integration of this function in corporate decision-making. Companies no longer conceive of cybersecurity as a set of technical controls, but as an essential element to guarantee business continuity, protect corporate reputation and preserve the trust of customers and investors.
Third-party risk, main concern
One of the main areas of concern identified is third-party risk. Organizations now operate with an average of more than six cybersecurity service providers, which increases operational complexity and significantly expands their exposure footprint. Only 23% of CISOs say they fully trust their current suppliers, while managing the risk associated with the company’s digital supply chain and operational ecosystem is the main threat they face in 2026.
In this context, security managers are reorienting their investment priorities towards efficiency, simplification and control. Faced with the proliferation of tools, the focus shifts towards the consolidation of platforms and the optimization of the technological environment.
The areas that concentrate the greatest additional investment effort are: identity and privileged access management (46.2%), technological optimization and consolidation (34.6%), cloud security (30.8%) and extended detection and response (XDR) capabilities (19.2%).
The study finds a clear consensus among those responsible for security: the priority is no longer adding more tools, but rather strengthening the existing technological base. Identity and access management is established as the new security perimeter, and platform consolidation emerges as a decisive factor to regain visibility, governance capacity and control over digital environments.
AI and automation
For their part, automation (including the use of agents) and artificial intelligence are also established as essential drivers to strengthen the resilience of organizations. 73% of CISOs consider automation a critical priority for this year, and AI is positioned as a fundamental tool both to scale defensive capabilities and to mitigate the shortage of specialized talent. In this area, AI models aimed at the advanced automation of cybersecurity detection, response and orchestration processes are beginning to gain prominence.
In the new environment, resilience is no longer an ideal and becomes the decisive factor to protect and sustain the organization.
The study also reflects a profound change in focus: organizations are moving from a vision focused exclusively on prevention towards a model that prioritizes the ability to recover from incidents quickly and effectively, placing operational resilience as one of the main indicators of maturity.
Finally, Eraneos’ analysis reveals a clear evolution of the role of the CISO towards an increasingly strategic function, with a growing presence in executive committees and boards of directors. In an environment of increasing threats and regulatory pressure derived from European regulations, especially NIS2 and DORA, cybersecurity is cemented as an essential pillar for business continuity and sustainability.
