Identity security should be the top investment area for businesses in 2026: Report

A new year, a new business strategy. As 2026 approaches, businesses are setting their investment plans and growth strategies. With data governance, quality, and privacy becoming significant and mandatory focus areas for organizations, boardrooms will be thinking carefully about where to allocate their budgets.

During this time, identity security has emerged as the clear number one investment priority for organizations across the Asia-Pacific (APAC) region over the next 12 to 18 months, according to a recent IDC report commissioned by Fortinet.

This pivot signals a foundational shift in defense philosophy, recognizing that identity, for both human and digital entities, is the new perimeter in a constantly evolving and increasingly aggressive threat landscape.

The drive toward identity-centric security is an urgent response to a rapidly changing and complex threat environment. The study reveals that nearly two-thirds (61%) of APAC organizations reported experiencing AI-driven cyberattacks in the past year. These AI-powered threats are far more difficult to detect than traditional attacks, with 64% of organizations seeing the volume of threats double, and nearly a third (29%) observing a triple increase. Attackers are leveraging AI to launch stealthier, faster, and more adaptive campaigns, exploiting gaps in governance, visibility, and internal processes.

A shift to risk-centric investment

Despite rising awareness, cybersecurity budget increases remain cautious, with nearly 80% of organizations reporting an increase, yet most of these uplifts are modest (typically less than 5%). This cautious spending necessitates strategic prioritization, driving the focus away from infrastructure-heavy spending toward targeted, risk-centric solutions.

The top five areas for investment over the next 12–18 months underscore this shift:

1. Identity Security

2. Network Security

3. Secure Access Service Edge (SASE)/Zero Trust Frameworks

4. Cyber Resilience

5. Cloud-Native Application Protection (CNAPP)

The prioritization of Identity Security and Zero Trust highlights the need for continuous verification and least-privilege access to protect data across hybrid and multi-cloud environments.

AI becomes the core of defence

In terms to counter the AI-powered adversary, organizations are rapidly integrating AI into their defense strategies. More than eight in ten organizations in APAC are already using AI in their security environments. AI is no longer confined to detection; it is now being operationalized for advanced use cases such as predictive threat modeling, automated incident response, and behavioral analytics. Generative AI (GenAI) is also gaining traction for automating routine tasks like running playbooks and updating policies, although full autonomy in remediation remains limited.

Overcoming complexity and resource constraints

While the adoption of advanced technologies is accelerating, security teams remain heavily constrained. The report highlights that security teams are significantly under-resourced, with only a tiny fraction of the total corporate workforce dedicated to security. Compounding this talent shortage, more than half of all respondents cited surging attack volumes and tool sprawl, the complexity arising from managing too many fragmented solutions, as key challenges leading to operational fatigue.

In response, organizations are strategically pursuing two major operational shifts:

1. Security-Networking Convergence: Nearly all respondents (97%) are either already integrating security and networking or actively evaluating how to do so, seeking simplified architectures and end-to-end visibility.

2. Vendor Consolidation: A majority of organizations (79%) are actively considering vendor rationalization. Consolidation is viewed not just as a cost-reduction measure, but as a strategic necessity to improve security posture, detection speed, and system integration.

In summary, the survey findings illustrate a growing maturity in APAC's cybersecurity posture. Organizations are embracing AI as a core component of defense, and by placing identity security at the top of their investment lists, they are shifting toward a converged, intelligent, and adaptive security model built for platform-driven resilience.