CISOs see AI as opportunity amid cyber threat fears

CSC has published its CISO Outlook 2026 report on artificial intelligence and cyber threats. The study found that 73% of security leaders view AI as more of an opportunity than a risk for cybersecurity.

The report is based on a survey of 300 senior executives, including chief information security officers, chief technology officers, chief information officers and heads of cybersecurity. It examines how security leaders are balancing established risks such as domain and domain name system attacks with newer concerns linked to AI use within their organisations and across supplier networks.

Domain and DNS threats remained at the top of respondents' risk lists. They ranked domain and DNS hijacking and subdomain takeover attacks as the leading threat in 2025, followed by cybersquatting, including typosquatting and online counterfeits, and then ransomware and malware.

The findings also point to limited confidence in current defences. Only 14% of respondents said they were very confident in their company's ability to mitigate domain attacks, while one in 10 said major businesses and organisations are significantly underprotected against DNS outages.

AI concerns

Despite broad support for AI in cybersecurity, concern about its risks was widespread. The survey found that 98% of respondents were concerned about giving third-party AI-based systems, including large language models, access to company data.

Supply chain exposure was another concern. Some 79% said they were concerned or very concerned that suppliers' and partners' use of AI tools posed a cybersecurity risk to their organisation, yet 70% said their organisations apply risk controls only to key suppliers.

The report also highlights how widely security teams are already deploying AI tools. More than half of respondents, 57%, said they use AI-based monitoring and enforcement solutions, while 44% use AI-based systems for threat detection and fraud prevention.

Both figures were higher than in the previous year's study. Last year, 50% used AI-based monitoring and enforcement, and 36% used AI for threat detection and fraud prevention, suggesting wider adoption by internal security teams.

At the same time, respondents said attackers are also using AI in ways that are changing the threat landscape. The report found that 86% identified AI-powered domain generation algorithms as a threat, underlining concern that automated techniques are making some attacks harder to identify and contain.

Shifting priorities

Looking ahead, the survey suggests security leaders expect reputation-related attacks to become more prominent. Respondents said social media impersonation and defamation are likely to pose the greatest cybersecurity threat in the period ahead, ahead of domain and DNS hijacking, subdomain takeover attacks and cybersquatting.

That shift indicates concern not only about technical disruption but also about attacks that can damage trust in a brand or organisation. For companies with large digital footprints, those risks often span multiple platforms, suppliers and jurisdictions, making prevention and response more complex.

CSC's research centres heavily on domains and DNS, a core part of internet infrastructure that often draws less attention than endpoint, cloud or identity security in mainstream cyber debate. The low level of confidence reported by respondents suggests many organisations still see a gap between the importance of these assets and their readiness to protect them.

It also points to a divide in supplier oversight. While most respondents said they were worried about the cyber impact of AI tools used by third parties, many appear to apply formal controls to only a subset of partners, leaving weaker governance further down the supply chain.

The survey also shows a clear pattern in adoption. Security leaders appear willing to use AI more broadly in internal monitoring, enforcement and fraud detection, even as they remain cautious about external AI systems that may require access to sensitive company data.

"As cybercriminals continue to leverage AI in new ways to launch targeted and widespread attacks, including those that specifically exploit domains, CISO strategies for domain risk need to evolve to keep pace with the increasing complexity of these threats," said Ihab Shraim, chief technology officer at CSC's Digital Brand Services.

"In 2026, CISOs and security leaders must prioritize securing fundamental digital building blocks for their enterprises, like DNS, which are now considered critical infrastructure but have often been overlooked. Agentic AI could further accelerate this risk by enabling bad actors to automate reconnaissance, impersonation, and domain-based attacks at scale, making proactive domain security and monitoring more urgent for enterprises," Shraim said.