The Spending Trap: How Companies Spend on Security and Still Fall Short

Companies of all sizes face a clear problem in their approach to security. Even though they spend large amounts on systems, products and services, their overall level of protection often remains weak. 

This gap exists because many companies, especially those in the mid-market, lack skilled security staff, struggle to align security with business priorities, spend money in the wrong places, and do not have clear policies, processes, or training. As a result, companies often buy more security tools than they need while still being exposed to serious risks. 


Heightened Risk Environment  

As we noted in our earlier piece in this series, "Navigating the Security Risk Landscape for SMBs", the operating environment has become more complex. Physical and cyber risks are no longer separate and increasingly affect each other. 

Businesses now face a wide range of threats. These include supply chain attacks such as cargo theft, as well as organized retail crime, theft of construction equipment, vandalism, workplace violence, insider threats, and frequent cyberattacks that are increasingly automated and costly. 

 

The Leadership Vacuum 

Outside of very large companies, however, few organizations have a dedicated team or functional leader solely responsible for security. Most middle market companies do not employ a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).

  • Survey data shows that 74% of Small and Medium Business (SMB) owners either handle cybersecurity personally or delegate it to friends or family members with no professional background in security. 

Without a clear security leader, important decisions are often made in response to incidents rather than through planning. This is especially true when purchasing security products and services. After a breach, audit, or insurance review, business owners may rely heavily on security vendor marketing or advice from general IT providers rather than on a clear risk-based plan. 

This leads to “checklist-driven” security, where money is spent on whatever item is easiest to justify, such as antivirus software or cameras, without understanding whether it addresses the most important risks to the organization. 

Meeting compliance or insurance requirements alone can be misleading. These requirements usually set minimum standards and are not tailored to a company’s specific risk profile and appetite. As a result, an organization may pass an audit but still leave its most valuable assets poorly protected, especially where physical and digital risks overlap. 

 

Skill Shortages 

In addition to leadership challenges, many companies lack the skills needed to govern and manage security effectively. 

  • According to the Sophos State of Ransomware 2025 report, 42% of companies with 251 to 500 employees said they were hit by ransomware due to a “lack of people / capacity”. Another 42% noted a “lack of expertise”.
  • Other research shows that in about one third of SMBs with 101 to 500 employees, no one actively monitors or investigates cybersecurity alerts. More than 70% of these organizations report that core security tasks are difficult to manage. 

The talent shortage problem is getting worse: 

  • Survey data from 2025 found that 59% of organizations reported serious security skills shortages, up from 44% the year before. 

 

Fragmented Responsibilities

Because of these staffing gaps, security responsibilities in smaller organizations are often spread across multiple roles and handled informally. 

  • One survey of mid-market companies found that 64% of CISOs are also responsible for physical security, 85% oversee enterprise risk, and 68% manage general IT tasks as well. 


This means that even when a security role exists, it is usually filled by one person juggling many responsibilities, which limits their ability to specialize in any one area. 

As a result, important issues are missed. Sophos data shows that 45% of companies with 100 to 250 employees said their ransomware attack occurred because of a “known security gap” that had not been addressed. 

In many mid-sized firms, the person responsible for security is also the IT Director. Day-to-day issues take priority, leaving little time for planning, testing response plans, or maintaining controls. Over time, risks build up and only become visible after a major incident. Similarly, the VP for Real Estate often becomes the de facto owner of security alongside facilities and janitorial services. Managing the guard force, CCTV and alarm systems, perimeter and access controls becomes one of their many competing responsibilities, which end up being addressed tactically and inconsistently.  

 

The Scale of SMB Security Investment

Even without formal security teams, middle market companies make up a large share of total security spending. 

  • Research from Analysys Mason estimates that SMBs spent $107 billion on cybersecurity in 2024. This figure is expected to grow by 10% per year through 2028, when SMBs are projected to represent 62% of global cybersecurity spending.
  • Analysts also estimate that SMBs account for 50–60% of the $120–130 billion global physical security market, with annual growth rates between 7% and 12%. 


Unlike large enterprises, which plan and centralize their purchases, SMB spending is often spread across locations, departments, and vendors. This leads to higher costs, duplicate tools, and weaker negotiating power. 

  • Benchmarks show that SMBs spend more on security per employee than large organizations. On average, SMBs spend about $3,800 per employee on cybersecurity, while larger firms achieve lower costs per employee due to scale. 

 

Security Tool Sprawl 

Without expert guidance, SMBs often buy security products in reaction to problems rather than based on risks to the organization. Over time, this leads to "security tool sprawl", where companies pay for multiple, likely overlapping, security tools. 

  • A global Sophos study found that many small firms run multiple security tools without the staff or skills needed to manage them properly. Poor setup and maintenance can reduce or even eliminate the value of these investments. For example, a company may purchase advanced threat detection software but fail to implement basic protections such as offline backups or multi-factor authentication (MFA).
  • Verizon’s 2025 Data Breach Investigations Report supports this finding, noting that stolen login credentials, which MFA can prevent from being used, were the main entry point in 22% of breaches. 

Each additional tool also creates extra work. Systems must be updated, monitored, and managed. For already stretched teams, this added complexity becomes another source of risk. 

 

Efficiency of Security Spend  

A major challenge is not how much organizations spend on security, but how well that money is used. As we discussed in our "Consolidate to Win" Insight, money spent on security solutions that are unused or unnecessary is money that cannot support product development, marketing, or core technology. 

As the curve in Figure 1 below shows, simply increasing security budgets does not always reduce risk. After a certain point, additional spending produces smaller and smaller improvements.

Figure 1: Diminishing Returns on Security Spend

Many companies operate in an inefficient zone, either spending too much for the protection they receive or remaining exposed despite high spending. 

The goal is not to eliminate all risk, which is unrealistic. Instead, companies should remove waste and align spending with the level of risk they are willing to accept. 

However, many organizations end up spending heavily while still leaving critical assets unprotected. New or popular technologies are adopted, while basic weaknesses remain. 


Gaps in Security Policies, Procedures, and Training

Another major weakness in SMB security programs is the lack of written policies, clear procedures, and consistent training. 

In many organizations, security expectations are informal and undocumented. Without clear guidance, controls are applied inconsistently, exceptions become common, and responsibility is unclear. This increases the chance of mistakes and slow or incorrect responses during incidents. 

Training gaps make the problem worse. Employees are often the first line of defense against phishing, fraud, insider threats, and unsafe physical practices. However, SMBs frequently rely on brief onboarding or occasional compliance training instead of a regular, role-specific program that enhances workforce readiness. 

This has real consequences. Many security incidents involve human behavior, such as ignoring alerts, sharing passwords to save time, bypassing access controls, or failing to follow physical security procedures consistently. 

Without policies, procedures, and training, security depends on individual judgment rather than consistent organizational practices. Under pressure, this approach breaks down quickly. 

 

The Way Forward: Closing the Gap

The “security maturity gap” is real: most middle market companies simply do not have the in-house governance, policies, SOPs and training programs to ensure their significant security spending is effective.  

This leads to unnecessary cost (buying tools that aren’t used to full potential or that overlap) and leaves exposures that a knowledgeable security team would address first. It’s a classic case of lots of spending, but suboptimal outcomes.   

But there is a way forward. The next piece in this series will examine how, through a combination of technology and subject matter expertise, SMBs can access enterprise-like security frameworks and resources that are tailored to their needs. 
