
Companies are spending more on cybersecurity, but are those dollars properly directed?

With increased investment, potential security gaps require attention

November 03, 2025

Key takeaways

91% of middle market companies plan to increase cybersecurity spending.

Cyber budgets in the middle market are most often located under the CEO/president/owner or CFO. 

The IT department is most often responsible for overseeing cybersecurity in the middle market. 


With the widespread damage just one cybersecurity breach can cause, middle market companies must continue allocating significant budget and staffing to establishing a sustainable cybersecurity program. While the MMBI data shows that many organizations are indeed increasing their cybersecurity budgets, how they are spending those dollars and building their security and privacy staff could raise concerns.

The data shows that 91% of survey respondents plan to increase their cybersecurity spending in the coming year, while only 2% project a decrease. However, despite the spending increases, Ghazi sees a common gap in cybersecurity investment strategies.

“Spending is definitely increasing, but that does not always mean it’s effective,” he says. “Often, companies are paying for more tools, more extensibility and more licensing, but they may overlook key consultative resources that could help drive automation, with better engineering to solve problems at a lower cost and with a lower need for skilled resources to maintain day-to-day tasks.”

Survey results showed that for U.S. respondents, the cybersecurity budget is most often located under the chief executive officer/president/owner or the chief financial officer (42% each). While smaller middle market companies follow that pattern (with 45% under the CEO and 35% under the CFO), for larger respondents, the cybersecurity budget most often resides under the chief information security officer (48%) followed by the CFO (47%).

The Canadian perspective: In contrast with the U.S., in Canadian firms the chief technology officer (49%) most often oversees the cybersecurity budget.

The person responsible for guiding cybersecurity planning and execution efforts has a critical role within the organization. When asked who in the organization oversees cybersecurity and related decision making, the top responses in the MMBI survey were the IT department, without a dedicated cybersecurity leadership position (25%); a dedicated CISO or equivalent role (22%); and a chief information officer or equivalent role (20%).

For smaller middle market companies, the IT department has the most responsibility for cybersecurity strategy (26%), followed by the CIO (21%). At larger companies, the CISO leads cybersecurity most often (27%), ranking just ahead of the IT department. For budgeting and planning, more larger companies rely on a CISO compared to smaller organizations, which rarely have a CISO role.

From a staffing perspective, 33% of respondents have five or fewer data security and privacy employees, with 28% reporting they have six to 10 and the same percentage indicating they have 11 to 15. Not surprisingly, larger middle market organizations have a larger number of dedicated internal staff; 36% of those respondents indicated they have six to 10 employees and the same percentage stated they have 11 to 15. Meanwhile, most respondents from smaller middle market companies cited zero to five internal personnel focused on data security and privacy.

The Canadian perspective: On average, Canadian respondents have larger cybersecurity teams, with 39% saying they have 16 or more employees, compared to 11% in the U.S.

As security and privacy grow in complexity, more specialized skill sets will be necessary, and staffing will continue to be a critical focus for middle market organizations.

“Most security and privacy organizations still need help and will need outside help,” says Antalik. “Just on the privacy front, the regulatory landscape is so dynamic. There are around 160 countries that have different data protection regulations, and by 2026, 19 U.S. states will have their own data privacy regulations. It’s confusing, it’s challenging and it’s changing all the time.” 
