Back to Blog

Midmarket cybersecurity stats: 45 facts on how lean security teams are managing growth, complexity, and risk

Eamon Carroll
Eamon Carroll
Marketing Coordinator
Updated
May 11, 2026
Published
May 7, 2026
min read
Insights
Eamon Carroll
Eamon Carroll
Marketing Coordinator

Key Points

Midmarket security teams are in an awkward spot. Big enough to be a target, with complex digital estates, significant revenue, and valuable data, but not big enough to operate like an enterprise security team. 

To find out what this actually looks like day-to-day, we surveyed 500 senior security decision-makers across the US and UK from companies with 400-6,000 employees across seven sectors: financial services, fintech, healthcare, manufacturing, professional services, retail, and SaaS. Here are the standout midmarket cybersecurity stats from The Security Middle Child report.

Bookmark it, steal from it, send it to your CFO.

Growing estates, stretched teams

  • 91% of midmarket organizations saw their digital estate grow over the past 24 months.
  • 38% describe their digital estate growth as significant.
  • 70% of organizations say headcount kept pace with estate growth.
  • 30% grew headcount faster than their estate.
  • 17% grew headcount more slowly than their estate.
  • Nearly 10% kept headcount flat while their estate expanded.
  • 42% of teams describe themselves as stretched, overwhelmed, or consistently behind.
  • Professional services report the highest strain at 51%.
  • Healthcare reports the lowest strain at 35%.
  • 28% cite lack of visibility into what's exposed as a top operational challenge.
  • 26% cite navigating too many security tools.
  • 24% cite too many alerts with poor prioritization.
  • 34% cite limited resources and competing priorities.
  • 36% acknowledge their security posture hasn't scaled appropriately with digital estate growth.
  • For 14%, the gap between their security posture and digital estate growth won't close for at least another six months.
  • In healthcare, only 51% kept headcount at pace with their digital estate.
  • In SaaS, 86% kept headcount at pace with estate growth.
  • US organizations are more likely than UK counterparts to have grown headcount faster than their digital estate (36% vs 22%).
The Security Middle Child
How midmarket security teams are managing growth, complexity, and risk
get the report

Projecting confidence, but is it justified?

  • 89% say their security budget is increasing.
  • 94% of midmarket security leaders are confident in their ability to identify and remediate critical threats before attackers exploit them.
  • 51% describe themselves as very confident in their ability to identify and remediate critical threats.
  • 65% of C-level respondents say they're very confident in catching critical threats, that figure drops to 36% among middle managers, the people closest to the work.
  • 51% say it would take approximately a week to assess their exposure to a critical zero-day, in a threat landscape where exploitation can follow disclosure within 24 to 48 hours.
  • 18% are tracking internet-facing assets manually.
  • 9% run multiple cloud environments without a unified view of security risk across them.

More tools, less clarity

  • 44% of teams have either outgrown their stack or stitched it together from point solutions that don't provide a unified view.
  • 49% cite AI and automation as their top investment priority for 2026.
  • 33% are prioritizing adding new solutions.
  • Only 17% are prioritizing increasing headcount.
  • 41% report using AI pentesting.
  • 20% cite the inability to measure and report on cyber hygiene as a top challenge.
  • Cloud Security Posture Management (CSPM) is the only tool appearing in the top five most adopted tools across every sector surveyed.
  • Healthcare tops CSPM adoption at 68%, well ahead of the next-highest sector at 56%.
  • Attack Surface Management (ASM) ranks 10th for adoption, despite 28% citing visibility as a top challenge.
  • Continuous Threat Exposure Management (CTEM) ranks 13th for adoption.
  • Retail organizations cite lack of visibility as a top challenge more than any other sector (38%), yet only 27% use CTEM.
  • Professional services tell a similar story: 35% cite visibility as a top challenge, but ASM adoption sits at just 26%, the lowest of any sector.
  • 57% say their current security solutions are well aligned with their size and maturity.
  • 46% say enterprise security platforms assume more staff, budget, or complexity than they can support.
  • 45% say they're forced to combine multiple tools to compensate for gaps in their stack.
  • 29% say tools designed for small businesses no longer meet their needs.

Cyber risk isn't reaching the boardroom

  • Only 9% of midmarket organizations discuss cyber risk at board level.
  • 34% discuss cyber risk with executive leadership.
  • 51% keep cyber risk discussions at security or IT leadership only.
  • UK organizations are more than twice as likely as US ones to take cyber risk to the board (14% vs 6%).
The Security Middle Child
How midmarket security teams are managing growth, complexity, and risk
get the report

Get our free

Ultimate Guide to Vulnerability Scanning

Learn everything you need to get started with vulnerability scanning and how to get the most out of your chosen product with our free PDF guide.

Download now
Quick links
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6

Recommended articles

19 Cyber Leaders to Follow on LinkedIn (and Why They Deserve Your Attention)

19 Cyber Leaders to Follow on LinkedIn (and Why They Deserve Your Attention)

Cut through LinkedIn noise with 20 security leaders sharing real-world insights. From malware analysis to AppSec to vulnerability intel—voices that help you do better work.
Eamon Carroll
February 5, 2026
Insights
28 cyber security stats and facts you need to know in 2023

28 cyber security stats and facts you need to know in 2023

Discover the scale of today's cyber security challenges and how to stay ahead with our top tips.
James Harrison
May 5, 2023
Insights
6 Cyber Security Trends For 2024 And How To Stay Ahead

6 Cyber Security Trends For 2024 And How To Stay Ahead

Andy Hornegold shares his cybersecurity predictions for 2024. From more zero-day attacks to exposure management and increased regulation, is your organization ready?
Andy Hornegold
February 22, 2024
Insights

Sign up for your free 14-day trial

Try for free