45 midmarket cybersecurity stats on growth, tools, and risk

Key Points

Midmarket security teams are in an awkward spot. They are big enough to be a target, with complex digital estates, significant revenue, and valuable data, but not big enough to operate like an enterprise security team. To find out what this actually looks like day-to-day, we surveyed 500 senior security decision-makers across the US and UK from companies with 400-6,000 employees across seven sectors: financial services, fintech, healthcare, manufacturing, professional services, retail, and SaaS. Here are the standout midmarket cybersecurity stats from The Security Middle Child report.

Growing estates, stretched teams

- 91% of midmarket organizations saw their digital estate grow over the past 24 months.
- 38% describe their digital estate growth as significant.
- 70% of organizations say headcount kept pace with estate growth.
- 30% grew headcount faster than their estate.
- 17% grew headcount more slowly than their estate.
- Nearly 10% kept headcount flat while their estate expanded.
- 42% of teams describe themselves as stretched, overwhelmed, or consistently behind.
- Professional services report the highest strain at 51%.
- Healthcare reports the lowest strain at 35%.
- 28% cite lack of visibility into what's exposed as a top operational challenge.
- 26% cite navigating too many security tools.
- 24% cite too many alerts with poor prioritization.
- 34% cite limited resources and competing priorities.
- 36% acknowledge their security posture hasn't scaled appropriately with digital estate growth.
- For 14%, the gap between their security posture and digital estate growth won't close for at least another six months.
- In healthcare, only 51% kept headcount at pace with their digital estate.
- In SaaS, 86% kept headcount at pace with estate growth.
- US organizations are more likely than UK counterparts to have grown headcount faster than their digital estate (36% vs 22%).

Projecting confidence, but is it justified?

- 89% say their security budget is increasing.
- 94% of midmarket security leaders are confident in their ability to identify and remediate critical threats before attackers exploit them.
- 51% describe themselves as very confident in their ability to identify and remediate critical threats.
- 65% of C-level respondents say they're very confident in catching critical threats; that figure drops to 36% among middle managers, the people closest to the work.
- 51% say it would take approximately a week to assess their exposure to a critical zero-day, in a threat landscape where exploitation can follow disclosure within 24 to 48 hours.
- 18% are tracking internet-facing assets manually.
- 9% run multiple cloud environments without a unified view of security risk across them.

More tools, less clarity

- 44% of teams have either outgrown their stack or stitched it together from point solutions that don't provide a unified view.
- 49% cite AI and automation as their top investment priority for 2026.
- 33% are prioritizing adding new solutions.
- Only 17% are prioritizing increasing headcount.
- 41% report using AI pentesting.
- 20% cite the inability to measure and report on cyber hygiene as a top challenge.
- Cloud Security Posture Management (CSPM) is the only tool appearing in the top five most adopted tools across every sector surveyed.
- Healthcare tops CSPM adoption at 68%, well ahead of the next-highest sector at 56%.
- Attack Surface Management (ASM) ranks 10th for adoption, despite 28% citing visibility as a top challenge.
- Continuous Threat Exposure Management (CTEM) ranks 13th for adoption.
- Retail organizations cite lack of visibility as a top challenge more than any other sector (38%), yet only 27% use CTEM.
- Professional services tell a similar story: 35% cite visibility as a top challenge, but ASM adoption sits at just 26%, the lowest of any sector.
- 57% say their current security solutions are well aligned with their size and maturity.
- 46% say enterprise security platforms assume more staff, budget, or complexity than they can support.
- 45% say they're forced to combine multiple tools to compensate for gaps in their stack.
- 29% say tools designed for small businesses no longer meet their needs.

Cyber risk isn't reaching the boardroom

- Only 9% of midmarket organizations discuss cyber risk at board level.
- 34% discuss cyber risk with executive leadership.
- 51% keep cyber risk discussions at security or IT leadership only.
- UK organizations are more than twice as likely as US ones to take cyber risk to the board (14% vs 6%).
