Global security threats are increasing in volume and capability. However, organizations in northern Europe report high levels of preparedness and resilience.
This week, Stockholm-based Truesec released its biennial report based on interviews with chief information security officers (CISOs) located in Nordic countries. Compared to data collected two years ago, a distinct trend emerged: security leaders are not observing an increase in severe security incidents affecting their organizations. The vast majority report facing similar severity levels as they did two years ago, before artificial intelligence became a practical variable in unauthorized activity.
The report's authors describe this as a notable achievement, pointing out that a stable number of incidents during a period of accelerated threat activity represents a net improvement in defensive efficacy. They attribute this stability to improved security controls and processes, even as the formal resources and reporting structures afforded to CISOs remain largely unchanged.
Stability despite accelerated timelines
Nordic CISOs observe the same broader industry trends as other security professionals: heightened threat activity, more aggressive tactics, and persistent unauthorized access attempts. According to survey respondents, the average time threat actors took to compromise targeted organizations dropped from 53 days in 2024 to 2.4 days in 2026, largely due to AI enablement.
Given this acceleration, one might expect CISOs to report a rise in severe security incidents. Instead, 91% of respondents reported stable, consistent levels of severe incidents. For comparison, in 2024, only 29% of respondents reported stability, while 53% reported an increase.
Gabriel Winnberg, senior security adviser at Truesec, attributes this improvement to better organizational security practices. "One example is increased outsourcing to mature managed detection and response (MDR) service providers, providing the capability to identify and manage incidents before they become severe," Winnberg notes. "Another example is better attack surface management."
Diana Kelley, CISO at Noma Security, observes similar patterns in the US and other regions. She notes that data showing severe incidents stabilizing while lower-severity incidents rise suggests security teams are improving at detection and containment, even under greater time pressure.
Additionally, AI tools currently appear to assist malicious actors more with lower- and medium-severity incidents that are less likely to result in critical outcomes. Concurrently, the frequency of ransomware, historically a primary driver of severe incidents, has been declining globally.
It is also worth noting the methodological context of the study. Surveys relying on qualitative, in-depth interviews often involve smaller sample sizes, which can lead to variance in year-over-year figures. For example, no CISOs reported a decrease in severe security incidents in 2022, 18% reported a decrease in 2024, and the number returned to zero in 2026.
Organizational alignment and budget trends
CISOs also reported stability regarding their organizational positioning. Most still report to technology leaders (CTOs, CIOs) or finance executives (CFOs), rather than directly to the board.
Security budgets show similar consistency. In 2026, 68% of respondents reported a budget increase and 9% a decrease, nearly identical to the 2024 figures of 66% and 9%. The distribution of these budgets varies by organization. While some CISOs manage centralized cybersecurity budgets, Winnberg notes that many report security investments shifting into broader IT budgets, such as for core software licensing, removing them from direct CISO oversight.
Despite minimal material changes to their organizational hierarchy, the interviewed CISOs feel their voices carry more weight. The report authors suggest that proximity to executive leadership makes CISOs more business-driven, prompting a shift in focus from strictly protecting critical systems to safeguarding key business processes.
Kelley agrees that this alignment is necessary. "The emphasis on translating cyber exposure into business-process risk is exactly where CISO focus and executive alignment need to go, moving forward on a global basis," she says.