Nordic CISOs Handle Rising Cyber Threats Remarkably Well

Around the planet, cyber threats are both rising in volume and growing more potent. Yet organizations in northern Europe don’t seem to be feeling the brunt of it; chief information security officers (CISOs) in the region report unexpectedly high levels of preparedness.

This week, Stockholm-based Truesec released its biennial report based on interviews with CISOs located in Nordic countries. Compared to the data it collected two years ago, one trend stood out far beyond the rest: Security leaders are not reporting any increase in severe cybersecurity incidents affecting their organizations. The overwhelming majority of CISOs report facing no more serious issues than they were dealing with two years ago, when artificial intelligence threats were still mostly theoretical.

The report’s authors call this “a remarkable feat,” especially because a stable number of incidents “in these accelerated times, would equal a net reduction” in the relative percentage of attacks that manage to cause real problems. They attribute the feat to improved cybersecurity defenses, despite few meaningful changes to the power or resources afforded to CISOs.

In their interviews, Nordic CISOs reported the same trend everyone else in cybersecurity has been seeing: more threat activity than ever before, more aggressive tactics, more persistent attacks. As just one case in point: In 2024, the average time it took for attackers to exploit targeted organizations was 53 days, according to survey respondents. In 2026, that number is down to 2.4 days, largely thanks to AI.

One would expect, then, that from 2024 to 2026, CISOs would report a greater number of severe cybersecurity incidents affecting their organizations. Not so. A whopping 91% of respondents reported stable, consistent levels. In 2024, only 29% of respondents reported stability, with 53% reporting an increase.

“There are probably many explanations for it,” says Gabriel Winnberg, senior security adviser at Truesec. In general, Winnberg and his colleagues attribute the improvement to better organizational cybersecurity. “One example is increased outsourcing to mature managed detection and response (MDR) service providers, providing the capability to identify and manage incidents before they become severe. Another example is better attack surface management.”

Heightened risks balanced by better defenses “is something I’m seeing in the US and other geographies, too,” adds Noma Security CISO Diana Kelley. “The report’s data showing severe incidents stabilizing while lower-severity incidents rise suggests security teams are getting better at detection and containment, but they’re doing it under greater time pressure.”

Related:More Than 40% of South Africans Were Scammed in 2025

It may also be that, cyber defenses aside, AI has mostly helped hackers with lower- and medium-severity attacks less likely to cause severe outcomes. And while AI has been growing, ransomware — once the scourge of organizations everywhere — has been declining. That helps.

A less optimistic possibility is that these figures are merely a fluke owed to the limitations of the study. Surveys conducted without large enough sample sizes can yield dodgy results. Truesec did not report the number of CISOs who participated in its study, but indicated that they took part in “in-depth” interviews, suggesting a smaller, more targeted group. As a consequence, some figures appear distant from reality. For instance, in 2022, no CISOs told the surveyors that they were experiencing a decrease in severe cybersecurity incidents. That figure rose to 18% in 2024, then fell to zero again in 2026.

CISOs also reported stability when it came to their relationships to their larger organizations.

In recent years, CISOs have been known to lobby for a “seat at the table” in the boardroom with other major executives. They’re still one degree of Kevin Bacon away, though, as most still report to technology (CTO, CIO) or finance (CFO) leaders ahead of them in the pecking order.

Security budgets have also stabilized. An almost identical number of respondents reported that their budgets either increased or decreased in 2026 (68% increase, 9% decrease) compared to 2024 (66% versus 9%).

The way those budgets are being distributed seems to vary based on the organization. While some smaller number of CISOs report their budgets consolidating under the banner of cybersecurity, Winnberg notes that “on the other hand, all report that some security investments are being ‘shifted left’ into IT (e.g. licensing), so it’s no longer part of the CISO’s budget.”

Despite few material improvements in their standing, the report noted, “In 2026, the CISOs interviewed perceived having moved up further in the food chain, not necessarily organizationally, but rather communicationally, where their voices matter more.” The authors speculated that “proximity to executives makes CISOs business-driven. Along with this move comes a shift in objectives, from protecting critical systems to protecting key business processes.”

“[That’s] another aspect I’m also seeing here in the US,” Kelley says. “The emphasis on translating cyber exposure into business-process risk is exactly where CISO focus and executive alignment need to go, moving forward on a global basis.”…Read more by Nate Nelson