For those who either work in or closely with cybersecurity organizations, it is continuously challenging to understand why more individuals and businesses have not adopted practices to make themselves more cyber secure. Much of the available data indicates that the cyber landscape is treacherous, constantly evolving, and devastating for those who are victimized by an attack.
To demonstrate these incredible challenges, Cybersecurity Ventures estimates the total cost of global cyber crime in 2024 will be around $9.5 trillion, which is expected to balloon to $10.5 trillion next year (1). For context, the current gross domestic product (GDP) of the United States is $28.652 trillion, according to the Federal Reserve Bank of St. Louis (2). These costs, which are approximately one-third of the United States’ total GDP, include organizational downtime and associated revenue loss, recovery costs including Incident Response and Digital Forensics, ransom payments, expenditures for software upgrades and infrastructure changes, additional salaries, and more.
Many of these costs are incurred after a breach, and pale in comparison to the potential savings of proactive security.
The question of why organizations are not more resilient is further complicated by data in the 2024 Cisco Cybersecurity Readiness Index. The index reports that 54% of businesses “experienced a cybersecurity incident in the past year” and that “73% believe a cybersecurity incident will disrupt their business” in the next 1-2 years (3). Even among organizations that have both experienced a breach and anticipate additional breaches, “only 3% of [these] organizations are assessed as having a Mature stage of cybersecurity readiness”. In other words, most organizations are not adequately prepared for a cyber incident they expect to disrupt their operations.
Given this knowledge, it would be reasonable to expect that every business fitting this profile would turn its pockets inside out to invest in enhanced cybersecurity. This, however, is not what is happening.
Per insights provided by S&P Global, at least 20% of organizations lack a formal plan for how they will respond to an active incident—despite expecting one to occur—and one-third of the organizations that do have a plan have indicated they do not test it (4). Beyond this, reports reveal that 92% of organizations with 50 or fewer employees lack a “designated cybersecurity budget” (5). To better help these businesses achieve cyber maturity, it is important to explore the reasons why this is currently not the case.
Among the most common reasons why organizations, particularly small and medium-sized ones, do not achieve cyber maturity are the associated expenses. Becoming cyber mature with an entirely internal approach requires investments in software, hardware, staff to cover a 24/7 schedule, ongoing training, additional infrastructure, and more. Simply thinking about this can become overwhelming, let alone making the investments and implementing the cyber plan.
Staffing concerns are an additional challenge. Being resilient 24/7/365 requires, at a realistic minimum, at least 8 people, all of whom must be experienced, educated, and trained to identify and effectively respond to active and potential threats. Labor costs and recruiting difficulties compound this challenge. The World Economic Forum reports that “four million professionals are urgently needed to plug the talent gap in the global cybersecurity industry” (6). Every company faces this gap, which indicates a highly competitive hiring market and, in turn, higher labor costs.
Furthermore, these team members must possess knowledge broad and deep enough to manage a diverse security stack (e.g., SIEM, EDR, A-V) across multiple security areas (e.g., Incident Response, Digital Forensics, Vulnerability Scanning, Penetration Testing, IT Services). Simultaneously, they must meaningfully engage with and assist customers. A shortage in these areas correlates with a less mature security posture.
A third challenge facing businesses, implied in the first two, is the complex nature of implementation. It is not enough to simply deploy a set of tools or hire an inexperienced team to fill gaps. One example of this complexity is the sheer number of software-as-a-service (SaaS) applications organizations use on average: per the BetterCloud 2024 State of SaaSOps, organizations have 112 active SaaS applications in their environment (7). Team members must manage and update these tools to limit network vulnerabilities. Beyond the tools themselves, cybersecurity also requires threat intelligence gathering and incident response planning and practice, among other activities.
It should go without saying but will be said nonetheless: organizations do not want to experience a cyber incident. While this is true, the data indicates behavior does not always align with this preference. So, what are some potential explanations?
Two possible explanations are optimism bias and risk aversion. The former is the “tendency to overestimate our likelihood of experiencing positive events and underestimate our likelihood of experiencing negative events” (8), while the latter extends to a “hesitancy to take a risk with an uncertain outcome” (9).
A study in Risk Sciences magazine noted that organization leaders engage in optimism bias to rationalize their way out of optimizing their cybersecurity posture because “they believe that no single party can be completely secure, regardless of the cyber risk management strategy implemented and assume that they themselves will not face such risks” (10). The result of this, according to the published research, is a perception that security software upgrades and insurance are mutually exclusive, overlapping options.
The research further found that “if the price becomes more reasonable, agents would tend to purchase for cyber insurance,” which points to the idea of risk aversion. Risk-averse decision makers tend to “choose the low-risk preservation of…existing liquid capital [the status quo] over the volatility of a high-risk investment [tools, staff, insurance] even if there’s the possibility of a high rate of return [reduced likelihood of an incident]” (9). The calculus essentially boils down to this: the cost of security is too high relative to our likelihood of experiencing a significant and expensive incident.
An additional reason some organizations underinvest in cyber resilience may be the lack of a process for learning lessons from previous (and external) cyberattacks and implementing what is learned. A study published in Computers and Security noted that none of the surveyed participants reported that their organization assessed lessons learned from experienced breaches, and that “incident reports submitted by security teams to executives and risk committees are often accepted without thorough scrutiny…” (11). This, paired with a “decrease in organizations’ willingness to share security data”, indicates that knowledge management regarding cyber incidents is lacking. As a result, large-scale lessons are not adequately understood, and the necessary improvements cannot be applied.
The disparity between the known threats in the cyber landscape and the actions taken by organizations to mitigate these risks underscores a significant gap in cybersecurity preparedness and resilience. Despite the overwhelming evidence of potential financial and operational damage, many businesses remain underprepared, driven by factors such as prohibitive costs, staffing challenges, and psychological considerations. Bridging this gap requires a concerted effort to prioritize cybersecurity investments, foster a culture of continuous learning from past incidents, and develop strategic plans that are regularly tested and refined. Only through such comprehensive measures can organizations hope to achieve true cyber resilience in an increasingly hostile digital environment.
©2025 SpearTip, LLC. All rights reserved.