Companies of all sizes face a clear problem in their approach to security. Even though they spend large amounts on systems, products and services, their overall level of protection often remains weak.
This gap exists because many companies, especially those in the mid-market, lack skilled security staff, struggle to align security with business priorities, spend money in the wrong places, and do not have clear policies, processes, or training. As a result, companies often buy more security tools than they need while still being exposed to serious risks.
As we noted in our earlier piece in this series, "Navigating the Security Risk Landscape for SMBs", the operating environment has become more complex. Physical and cyber risks are no longer separate and increasingly affect each other.
Businesses now face a wide range of threats. These include supply chain attacks such as cargo theft, as well as organized retail crime, theft of construction equipment, vandalism, workplace violence, insider threats, and frequent cyberattacks that are increasingly automated and costly.
However, outside of very large companies, few organizations have a dedicated team or functional leader solely responsible for security. Most middle market companies do not employ a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).
Without a clear security leader, important decisions are often made in response to incidents rather than through planning. This is especially true when purchasing security products and services. After a breach, audit, or insurance review, business owners may rely heavily on security vendor marketing or advice from general IT providers rather than on a clear risk-based plan.
This leads to “checklist-driven” security, where money is spent on whatever item is easiest to justify, such as antivirus software or cameras, without understanding whether it addresses the most important risks to the organization.
Meeting compliance or insurance requirements alone can be misleading. These requirements usually set minimum standards and are not tailored to a company’s specific risk profile and appetite. As a result, an organization may pass an audit but still leave its most valuable assets poorly protected, especially where physical and digital risks overlap.
In addition to leadership challenges, many companies lack the skills needed to govern and manage security effectively.
The talent shortage problem is getting worse:
Because of these staffing gaps, security responsibilities in smaller organizations are often spread across multiple roles and handled informally.
This means that even when a security role exists, it is usually filled by one person juggling many responsibilities. This limits their ability to specialize in any one area.
As a result, important issues are missed. Sophos data shows that 45% of companies with 100 to 250 employees said their ransomware attack occurred because of a “known security gap” that had not been addressed.
In many mid-sized firms, the person responsible for security is also the IT Director. Day-to-day issues take priority, leaving little time for planning, testing response plans, or maintaining controls. Over time, risks build up and only become visible after a major incident. Similarly, the VP for Real Estate often becomes the de facto owner of security alongside facilities and janitorial services. Managing the guard force, CCTV and alarm systems, perimeter and access controls becomes one of their many competing responsibilities, which end up being addressed tactically and inconsistently.
Even without formal security teams, middle market companies make up a large share of total security spending.
Unlike large enterprises, which plan and centralize their purchases, SMB spending is often spread across locations, departments, and vendors. This leads to higher costs, duplicate tools, and weaker negotiating power.
Without expert guidance, SMBs often buy security products in reaction to problems rather than based on risks to the organization. Over time, this leads to "security tool sprawl", where companies pay for multiple, likely overlapping, security tools.
Each additional tool also creates extra work. Systems must be updated, monitored, and managed. For already stretched teams, this added complexity becomes another source of risk.
A major challenge is not how much organizations spend on security, but how well that money is used. As we discussed in our "Consolidate to Win" Insight, money spent on security solutions that are unused or unnecessary is money that cannot support product development, marketing, or core technology.
As the curve in Figure 1 below shows, simply increasing security budgets does not always reduce risk. After a certain point, additional spending produces smaller and smaller improvements.
Many companies operate in an inefficient zone, either spending too much for the protection they receive or remaining exposed despite high spending.
The goal is not to eliminate all risk, which is unrealistic. Instead, companies should remove waste and align spending with the level of risk they are willing to accept.
However, many organizations end up spending heavily while still leaving critical assets unprotected. New or popular technologies are adopted, while basic weaknesses remain.
Another major weakness in SMB security programs is the lack of written policies, clear procedures, and consistent training.
In many organizations, security expectations are informal and undocumented. Without clear guidance, controls are applied inconsistently, exceptions become common, and responsibility is unclear. This increases the chance of mistakes and slow or incorrect responses during incidents.
Training gaps make the problem worse. Employees are often the first line of defense against phishing, fraud, insider threats, and unsafe physical practices. However, SMBs frequently rely on brief onboarding or occasional compliance training instead of a regular, role-specific program that enhances workforce readiness.
This has real consequences. Many security incidents involve human behavior, such as ignoring alerts, sharing passwords to save time, bypassing access controls, or failing to follow physical security procedures consistently.
Without policies, procedures, and training, security depends on individual judgment rather than consistent organizational practices. Under pressure, this approach breaks down quickly.
The “security maturity gap” is real: most middle market companies simply do not have the in-house governance, policies, SOPs and training programs to ensure their significant security spending is effective.
This leads to unnecessary cost (buying tools that aren’t used to full potential or that overlap) and leaves exposures that a knowledgeable security team would address first. It’s a classic case of lots of spending, but suboptimal outcomes.
But there is a way forward. The next piece in this series will examine how, through a combination of technology and subject matter expertise, SMBs can access enterprise-like security frameworks and resources that are tailored to their needs.