Every company has a cybersecurity budget now. Most of them are still too small.
TLDR
Australian organisations will spend AU$7.555 billion on cybersecurity in 2026, up 9.5% from $6.9 billion in 2025. Security services dominate at $3.7 billion as firms outsource to managed providers. The talent shortage is intensifying as AI creates demand for specialists who don't exist yet.
KEY TAKEAWAYS
Gartner's latest forecast puts Australian cybersecurity spending at AU$7.555 billion for 2026, up 9.5% from the $6.9 billion organisations spent last year. The growth rate sounds healthy until you consider what's driving it: attacks are getting more sophisticated, AI is amplifying both offence and defence, and nobody can hire enough people who understand how the new tools work.
Where the money goes
Security services account for nearly half the total at $3.7 billion. This includes managed security service providers (MSSPs), consulting, and implementation work. The segment is growing at 6.9% annually, but that understates the shift happening beneath the surface.
More organisations are giving up on building internal security operations centres. They're outsourcing detection, response, and increasingly decision-making to providers who can spread specialist talent across multiple clients. A mid-sized company that can't afford a 24/7 SOC on its own can buy fractional access to one that monitors dozens of organisations.
Network security is growing faster than average as perimeter defences get more complex. Zero-trust architectures require investment in identity management, microsegmentation, and continuous verification. Legacy firewalls aren't enough when employees access corporate systems from home networks and personal devices.
.@wef's Global Cybersecurity Outlook 2026 identifies 3 key trends that executives will need to navigate in #cybersecurity in 2026 as global cyber risk escalates. Here's what to know. #WEF26
— World Economic Forum (@wef) January 2026
Application security spending is accelerating as AI-generated code creates new vulnerabilities faster than human reviewers can catch them. Automated scanning tools help, but they require specialists to configure, tune, and interpret the results.
The talent crisis isn't improving
Richard Addiscott, VP Analyst at Gartner, described the core problem: 'AI-literate security personnel shortage is amplifying the talent crisis.' It's not just that there aren't enough security professionals. There aren't enough who understand how to defend against AI-powered attacks or how to use AI tools for defence.
The skills gap compounds. Junior analysts need training that takes years to deliver. Senior architects are being poached by well-funded competitors. The specialists who can bridge security and AI are so scarce that their salaries have detached from normal market dynamics.
This is why MSSP growth outpaces overall spending. Organisations can't build the teams they need, so they rent access to shared talent pools.
AI as threat multiplier
Attackers are using generative AI to craft more convincing phishing emails, automate reconnaissance, and generate malware variants faster than signature-based detection can adapt. Defenders are using AI to detect anomalies, prioritise alerts, and respond faster. The equilibrium keeps shifting.
The net effect is an arms race that requires constant investment to maintain parity. Organisations that fell behind on patching or monitoring in previous years now face both the original technical debt and the increased sophistication of threats targeting those gaps.
Gartner's forecast implies the market expects this dynamic to continue. 9.5% annual growth isn't a one-time adjustment. It's a new baseline for a category that's becoming as routine as IT infrastructure itself.
What boards are hearing
Cyber resilience has entered the boardroom conversation in a way it hadn't five years ago. Directors at ASX 200 companies are asking about attack surface management, incident response plans, and insurance coverage. The questions are informed by high-profile breaches that damaged reputations and balance sheets.
This attention translates into budgets. CISOs who previously struggled to get funding approved are finding executives more receptive. The challenge is that spending more doesn't automatically mean spending well. Security investments can be wasted on tools that don't integrate, controls that create friction without reducing risk, and compliance exercises that check boxes without improving posture.
The $7.5 billion figure represents what organisations intend to spend. What they get for that money depends on how strategically they allocate it.
The outlook
Gartner expects similar growth rates through 2028. The drivers are structural: digital transformation continues, attack surfaces expand, and regulatory requirements accumulate. Organisations that have underinvested face compounding catch-up costs.
The winners will be security vendors that can demonstrate measurable outcomes, MSSPs that can scale talent efficiently, and the rare specialists who understand both the technology and the business context. Australian organisations are spending more on security than ever. Whether they're spending it wisely is a different question.
SOURCES & CITATIONS
FREQUENTLY ASKED QUESTIONS
