Cyber & Infrastructure Security Leadership Report 2026

The talent behind Europe's most critical technology infrastructure

12 min read · Free · Key Search Research · 2025–2026 Data

Executive Summary

The cybersecurity threat landscape has entered a qualitatively different era. The WEF Global Cybersecurity Outlook 2026 — produced with Accenture and drawing on 804 respondents across 92 countries, including 316 CISOs and 105 CEOs — found that 94% of leaders now cite AI as the single most significant driver of change in cybersecurity, while 87% identify AI-related vulnerabilities as the fastest-growing cyber risk. McKinsey's cybersecurity research identifies a total addressable market approaching $2 trillion against a current vended market of approximately $250 billion — a tenfold gap driven by AI-enabled threats, regulatory mandates, and the explosion of digital attack surface. The executives who can operate at this intersection of AI, geopolitical risk, and compliance are the defining talent challenge in European technology.

The attack-defence asymmetry is acute and worsening. BCG's report 'AI Is Raising the Stakes in Cybersecurity' (December 2025, survey of 500 global senior leaders) found that approximately 60% of organisations believe they have already experienced an AI-powered cyberattack in the past year — yet only 7% of organisations have deployed AI-enabled defensive tools, while 88% plan to do so. Only 5% of organisations have meaningfully increased cybersecurity budgets in response to AI threats, and 69% report struggling to hire the AI-cybersecurity talent they need. The gap between understanding the risk and acting on it continues to widen, and the executives who can close it are extraordinarily scarce.

Structural talent shortage is the greatest constraint on European cyber resilience. The WEF Outlook found that 85% of organisations reporting insufficient cyber resilience also cite missing critical skills and people as the primary cause — compared to only 22% of highly resilient organisations. The global cybersecurity workforce gap stands at 4.8 million unfilled roles, with demand growing at 8.1% annually against active workforce growth of only 0.1%. Against this backdrop, KPMG's Cybersecurity Considerations 2026 — synthesising insights from more than 20 KPMG cyber leaders worldwide alongside senior executives from Google, Microsoft, Palo Alto Networks, and ServiceNow — identifies eight CISO priorities shaping the function in 2026, from managing non-human identities and safeguarding AI systems to post-quantum cryptography and the broadening strategic role of the CISO itself. The NIS2 directive (160,000 EU entities in scope), DORA (all EU financial services firms), and the EU AI Act are compounding this demand into the largest regulatory-driven cyber hiring wave in European history.

Key Findings

1. AI has created a dangerous offensive-defensive gap — and only 7% of companies are closing it

BCG's December 2025 survey of 500 global senior leaders found that 53% of executives now rank AI cyber risks in their top three organisational risks. Despite this, only 7% of organisations have deployed AI-enabled defensive tools, while 88% plan to do so. The executives who have built and operated AI-native security functions — threat detection pipelines, autonomous response systems, adversarial AI defences — are the most commercially urgent hire in European cyber today. BCG found that only 25% of existing AI defence tools in use are classified as 'advanced', and only 5% of companies have materially increased cyber budgets to match the threat.

60% of organisations likely experienced an AI-powered attack in the past year; only 7% have deployed AI-enabled defences (BCG, Dec 2025)

2. CISO is the hardest C-suite role to fill — and the skills gap is structural, not cyclical

The WEF Global Cybersecurity Outlook 2026 (316 CISOs surveyed across 92 countries) identified skills and talent as the defining gap between resilient and vulnerable organisations: 85% of insufficiently resilient organisations also cite missing critical skills, versus only 22% of highly resilient ones. Small organisations are 2.5× more likely to report insufficient resilience — a structural vulnerability that is worsening as large enterprises and hyperscalers compete aggressively for the same narrow talent pool. The combination of technical depth, regulatory fluency (NIS2, DORA, EU AI Act), and board communication capability required at CISO level is found in perhaps 500–800 executives across Europe.

85% of insufficiently cyber-resilient organisations also cite missing critical skills; global workforce gap stands at 4.8 million unfilled roles (WEF GCO 2026)

3. NIS2 and DORA are creating the largest regulatory-driven cyber hiring wave in European history

NIS2 (effective October 2024) applies to approximately 160,000 EU entities — 10× more than its predecessor — and mandates board-level accountability for cybersecurity, meaning senior leaders can be held personally liable for failures. DORA (effective January 2025) covers every financial services firm operating in the EU. The WEF found that 64% of organisations now factor geopolitically motivated cyberattacks into their risk strategy, and 66% have changed strategy due to geopolitical instability. Together, these forces are creating demand for cyber leadership roles at organisations that have never before hired at this level.

NIS2 covers 160,000 EU entities; DORA covers all EU financial services — 64% of organisations now incorporate geopolitical attacks into cyber strategy (WEF GCO 2026)

4. Non-human identities are the fastest-growing unmanaged attack surface — and most CISOs are unprepared

KPMG's Cybersecurity Considerations 2026 identifies non-human identity (NHI) management as one of eight critical CISO priorities. In the average enterprise, non-human identities (service accounts, API keys, AI agents, machine-to-machine credentials) now outnumber human identities by 80:1 — and in cloud-native or DevOps-heavy environments the ratio can reach 144:1. An estimated 97% of NHIs carry excessive privileges. This is the attack surface that most legacy CISO mandates were not designed to manage. Executives who understand NHI governance and can build the identity security architecture to match are one of the rarest profiles in the market.

Non-human identities outnumber human identities 80:1 in the average enterprise; 97% carry excessive privileges (KPMG Cybersecurity Considerations 2026)

5. The McKinsey $2 trillion market opportunity is reshaping what cyber executives must understand

McKinsey's cybersecurity market analysis identifies a total addressable market approaching $2 trillion — roughly ten times the current $250 billion vended market — with 13% annual vendor revenue growth and projected cyberattack damages of $10.5 trillion annually. This scale means that CISOs at large enterprises are now making decisions with board-level commercial consequences. The CISO who can translate security risk into business risk, engage institutional investors and regulators, and evaluate a rapidly expanding vendor market is a fundamentally different profile from the technically excellent but commercially opaque security leader of the previous decade.

$2 trillion total addressable cybersecurity market vs. $250 billion currently vended — a 10× gap (McKinsey)

Market Landscape

European Cyber Market

The UK is Europe's largest cybersecurity market, with GCHQ and the National Cyber Security Centre providing a talent pipeline from the public sector into both the commercial and defence-adjacent cyber markets. Germany, France, and the Netherlands have significant cyber industrial bases, particularly in critical infrastructure protection. Israel remains the global centre of cyber innovation, with a consistent flow of technology and talent into European markets through acquisitions and expansion — a dynamic that accelerated significantly through 2024–2025.

The WEF Outlook's finding that small organisations are 2.5× more likely to report insufficient resilience reflects a structural two-tier dynamic in European cyber: well-resourced financial institutions, large enterprises, and hyperscalers are acquiring cyber talent at scale, while mid-market and regulated sector organisations face genuine shortages they cannot resolve through compensation alone. The managed security services market is growing rapidly in Europe as a result, creating demand for executives who can build and operate MSSP platforms — a distinct commercial and operational skill set from enterprise CISO leadership.

Geopolitical Fractures and Critical Infrastructure Threat

The WEF Outlook identifies geopolitical fragmentation as one of three macro forces reshaping the cybersecurity landscape alongside AI and cyber inequity. 64% of organisations now factor geopolitically motivated cyberattacks into their security strategy — up sharply from prior years — and 66% have changed strategy in direct response to geopolitical instability. Nation-state attacks on European critical infrastructure (energy, water, transport, financial market infrastructure) have escalated significantly, driving demand for executives who understand threat intelligence in a geopolitical context, not just a technical one.

KPMG's 2026 priorities framework identifies 'navigating geopolitics, resilience, and compliance' as the second of eight CISO priorities, alongside 'enabling trusted IT/OT hyperconnectivity' — the convergence of operational technology and IT security that is central to critical infrastructure protection. Executives who can operate at this OT/IT boundary, managing industrial control systems under active nation-state threat, are among the most acutely scarce profiles in European security.

Leadership & Talent Trends

Most In-Demand Profiles

CISO (enterprise and scale-up), VP of Security Engineering, Head of Threat Intelligence, Head of Non-Human Identity & Secrets Management, VP of OT/ICS Security, Head of AI Security, Chief Trust Officer, and CISO-as-a-Service for regulated industries are the most consistently requested roles. KPMG's eight CISO priorities for 2026 directly map to the executive roles being created: dedicated leaders for non-human identity, post-quantum cryptography transition, AI system security, and supply chain detection and response are all emerging as standalone mandates at large organisations.

For cyber product companies, the dual profile of product leadership with deep offensive security background remains the rarest and most valuable hire. The most sought-after general CISO profiles combine technical depth with KPMG's identified priority of 'broadening the role and influence of the CISO' — executives who can operate as board-level strategic advisors, not just technical risk managers.

The Skills-Budget Paradox

BCG's finding that only 5% of organisations have meaningfully increased cybersecurity budgets despite 60% experiencing AI-powered attacks captures the central paradox of cyber leadership hiring in 2026: the threat is at an all-time high, the talent shortage is structural, and budget responses remain inadequate. The WEF found that organisations assessing the security of their AI tools nearly doubled — from 37% in 2025 to 64% in 2026 — but this governance improvement has not yet translated into proportionate investment in the leadership required to execute it.

The backgrounds that transfer best into cyber executive roles in this environment are GCHQ/NCSC and equivalent national agency alumni (who understand the geopolitical threat context), Big 4 cyber practice partners (regulatory and compliance depth), military cyber command experience (OT/critical infrastructure), and security engineering leadership from cloud hyperscalers (AWS, Azure, GCP security organisations, where AI-native defence tools are being built). Executives who have delivered post-quantum cryptography transition programmes or built non-human identity governance frameworks are in a category of one.

Why Cyber Searches Fail

BCG's finding that 69% of organisations struggle to hire AI-cybersecurity talent reflects a structural problem that conventional hiring approaches cannot solve. The best CISOs and senior cyber executives are almost never actively searching — they are in high-stakes roles with significant tenure expectations, operating in environments that require extensive vetting before they will engage. Cyber searches that rely on active candidate pipelines systematically miss the highest-capability profiles. Speed is also critical: the window between when a senior cyber leader becomes available and when they accept an offer elsewhere is often measured in days, not weeks.

Key Search Perspective

Key Search has developed a dedicated cybersecurity practice that operates across both the commercial cyber product market and the broader enterprise CISO community. The data from WEF, BCG, McKinsey, and KPMG tells a consistent story: the threat landscape is accelerating at AI speed, the talent pool is not growing fast enough to match it, and the regulatory environment is creating demand at organisations that have never before hired at this level. The executives who can navigate this complexity are extraordinarily rare — and they require a search partner with genuine relationships in the community, not access to a job board.

Our most important contribution in cyber searches is the ability to identify and engage candidates who are not visible through conventional channels. BCG's finding that 69% of organisations struggle to hire AI-cybersecurity talent reflects the inadequacy of standard approaches. The best CISOs and senior cyber leaders are rarely active on LinkedIn in the way other executives are. Our network spans security research communities, ISAC members, the alumni networks of key military and government cyber programmes across the UK, Germany, Israel, and France, and the senior practitioner communities forming around the eight priorities KPMG identifies as defining the CISO function in 2026.

Report Details

Publisher: Key Search
Updated: 2026
Read Time: 12 minutes
Access: Free
Coverage: EMEA