
The Cybersecurity Spending Trap: Why Most Companies Are Funding Failure

Cybersecurity isn’t a purchase. It’s a discipline.


A few months ago, a CEO told me proudly, “We’ve got cyber handled. We spend about a million a year.”

So, I asked, “What’s the average cost of a breach in your industry?”

Silence.

That silence says everything.

Most executives think they’re doing enough because there’s a line item in the IT budget labeled Cybersecurity. They believe spending money equals being secure. But that’s like buying gym equipment and calling yourself fit.

Cybersecurity isn’t a purchase. It’s a discipline.

At NCX Group, we call this The Illusion of Security — the belief that writing the check is the same as reducing risk, when in reality most businesses are underfunded, underprepared, and overconfident.


Be Brilliant at the Ordinary

At NCX Group, we live by a simple philosophy: Be Brilliant at the Ordinary.

In cybersecurity, it’s not the sophisticated zero-day exploits or nation-state actors that take businesses down — it’s the ordinary stuff done poorly. Missed patches, weak passwords, untested backups, incomplete policies, and neglected assessments.

Cyber resilience isn’t about being extraordinary. It’s about executing the fundamentals with excellence every single day.

And here’s another truth: Cybersecurity isn’t about what you think or feel. It’s about what you can prove.

Too many businesses rely on self-assessments or outdated reports that wouldn’t survive a real audit or insurance review. Confidence doesn’t equal compliance, and assumptions don’t equal assurance.


The Assessment Gap

Every CEO assumes someone’s “on it.” But are they really?

Recent global reports show how wide the gap is between perception and reality:

  • Cisco’s Cybersecurity Readiness Index 2024 found that only 1% of SMEs are “mature” in readiness.
  • The World Economic Forum found that only 25% of SMEs conduct annual cyber risk evaluations.
  • Verizon’s Data Breach Investigations Report 2024 revealed that 81% of SME breaches occurred without any prior vulnerability scanning or assessment.

Here’s what that looks like by industry:

[Table: Industry | % of SMEs Without Regular Assessments | Common Weak Point (Sources: Cisco 2024, WEF 2024, Verizon DBIR 2024)]

It’s the same story across industries: businesses are betting their future on hope and half-measures.

When you ask for proof of cyber maturity, too many companies can’t produce a single credible third-party assessment. In other words, they’re flying blind — and calling it strategy.


What the Numbers Really Say

Let’s put some real money behind this conversation.

Percentages don’t motivate CEOs. Dollars do.

The chart below shows what upper mid-market organizations actually spend on cybersecurity compared to the cost of a single breach.

[Chart: Cyber Risk Spend vs the Cost of a Breach – NCX Group]

This is the illusion of security in numbers. Companies are spending less on protecting their digital assets than they do on real estate, travel, or coffee.

You wouldn’t protect a billion-dollar vault with a ten-dollar lock, but that’s exactly what many organizations are doing.

Cyber budgets look impressive in PowerPoint but collapse under the weight of a single breach.


Are Companies Spending Enough?

Deloitte, EY, PwC, and McKinsey all recommend cybersecurity should account for 10–13% of the IT budget — roughly $8M–$12M per year for an upper mid-market company.

Most are spending half that.

Even worse, according to Forrester, 36% of the average cyber budget goes to software, 28% to personnel, and the rest is split among services and hardware. That imbalance means most organizations are over-investing in tools and under-investing in testing, governance, and people.

Cyber risk isn’t an IT problem. It’s a business risk. It touches every process, every person, and every transaction. Yet too many boards still treat it like a technical checklist instead of a strategic conversation.

If you’re a CEO who still thinks cybersecurity belongs in the server room, you’re already behind.


The Plus Side of Getting It Right

When cybersecurity spending aligns with risk, the benefits show up fast:

  • Insurance premiums go down. Carriers now demand proof of MFA, backups, and endpoint protection before issuing policies.
  • Downtime drops. The average ransomware disruption lasts 22–24 days at $240K per day. Strong programs cut that in half.
  • Customers stay. 70% of consumers are less likely to buy from a breached company.
  • Investors lean in. 60% of large-cap deals now include cyber due diligence.

When done right, cybersecurity doesn’t just protect revenue — it drives it.


The $20 Billion Question

A few years ago, we helped a financial services firm win a $20 billion contract. The deciding factor wasn’t their pricing or product. It was their cybersecurity posture — the program we designed, implemented, and proved.

That’s the lesson every CEO needs to hear:

Cyber risk isn’t about what you say you’re doing. It’s about what you can prove you’re doing.

So ask yourself:

If you knew a $20 billion deal was on the line, and the deciding factor was your cyber posture, how much would you spend to make sure you won?


How NCX Group Can Help

For 25 years, NCX Group has helped organizations across every industry — from Fortune 50 enterprises to fast-growing SMEs — understand, measure, and mitigate cyber risk.

Our Secure24 assessments, MyCSO programs, and risk management services are designed for one thing: helping leaders prove that their cybersecurity program works — not just on paper, but in reality.

We focus on people, process, and technology because resilience isn’t built by buying tools; it’s built by doing the ordinary things brilliantly and proving that you’re doing them.

If you’re ready to know — not assume — where your business stands, visit www.ncxgroup.com to connect with an NCX Group advisor and schedule a strategy session.

The right conversation today could save your business tomorrow.

P.S. Every CEO already has their CPA, attorney, and insurance broker. But when it comes to the number one business risk — cyber — most still don’t have a real advisor. Don’t wait until you’re explaining to your board or your customers why you weren’t prepared. Add the advisor you’re missing.

Mike Fitzpatrick – Founder & CEO, NCX Group, Inc., Distinguished Fellow, Ponemon Institute Cyber Risk | Data Privacy | Business Resilience www.ncxgroup.com | LinkedIn | X

Repost from LinkedIn – https://www.linkedin.com/pulse/cybersecurity-spending-trap-why-most-companies-mike-fitzpatrick-fg4sf/


Let’s Talk

If it’s been more than a year since your last cybersecurity assessment—or if you’ve never done one—now is the time.

Schedule a Strategy Call with NCX Group