81% of middle market survey respondents plan to increase cybersecurity spending.
Cyber budgets in the middle market are most often located under the chief technology officer.
Cloud security management and security awareness training are top targets for outsourcing.
As the cybersecurity environment continues to evolve and new threats emerge, Q1 2026 RSM US Middle Market Business Index survey data shows that the security approaches of many middle market companies are also shifting significantly. Financial pressures are leading to structural changes in many cybersecurity departments, but companies cannot afford to lose sight of persistent risks.
In the survey, 81% of respondents said they plan to increase their cybersecurity spending in the coming year, a drop from 91% last year. With ongoing economic uncertainty, many middle market companies are taking a more cautious approach to cybersecurity spending.
The Canadian perspective: 93% of Canadian firms plan to increase their cybersecurity budget in the coming year, compared to 81% of U.S. companies.
“When revenue visibility is unclear, cybersecurity decisions get harder, not easier,” says RSM US LLP Principal Alden Hutchison. “That’s where many middle market companies struggle. Pulling back indiscriminately increases risk. The smarter move is prioritization. Spend that reduces material exposure stays. Everything else gets questioned.”
Survey results showed that for U.S. respondents, the cybersecurity budget is now most often located under the chief technology officer (43%), followed by the chief financial officer (37%) and chief information security officer (34%). In last year’s survey, the CEO/president/owner controlled the cybersecurity budget most often, along with the CFO (both 42%); this year, the CEO/president/owner role controls the budget for only 25% of companies.
The responsibility for guiding cybersecurity planning and execution has also undergone a shift this year. Asked who oversees cybersecurity and related decision making, the top responses were a dedicated CISO or equivalent role (30%); a chief information officer or another executive-level leader (24%); and the IT department, without a dedicated cybersecurity leadership position (20%). The IT department was listed as the responsible party most often in last year’s data (25%), followed by a dedicated CISO (22%).
From a staffing perspective, 52% of middle market respondents reported having more than 11 employees dedicated to data security and data privacy, 46% have 10 or fewer and 20% have fewer than five. Not surprisingly, larger middle market companies have more dedicated internal staff, with the largest share (42%) indicating they have 16 or more employees. On the other hand, most respondents from smaller middle market companies have five or fewer (34%).
“Larger organizations are on the build side of the build versus buy equation for cybersecurity departments,” says RSM US Principal Steve Kane. “A, they can afford it, and B, they often have differing business needs that require keeping personnel in-house. Many need customized approaches to processes that are more difficult for managed service providers to provide. However, all organizations have limited cyber budgets and should take a hard look at the outcomes that are a priority. Many times, managed services can provide the outcomes clients really need at a fraction of the cost of building it yourself.”
Board involvement in cybersecurity at larger companies typically translates to more internal personnel. “As you move upmarket, especially in public companies, there’s already board awareness around cybersecurity,” RSM US Principal Autumn Hurley says. “The board’s responsibility is to ensure a strong cybersecurity program is in place because it can affect the bottom line. In addition, cybersecurity is making its way into enterprise risk programs, so leaders are treating it as an enterprise priority.”
Regardless of the size of internal departments, many middle market companies continue to rely on outsourcing for key cybersecurity functions, especially for specialized tasks. Respondents indicated that the leading cybersecurity functions currently outsourced are cloud security management (50%), security awareness training (44%), security operations center (43%), and cybersecurity risk and compliance management (41%).
“Cloud security management is definitely something that requires a high level of expertise,” RSM US Principal Autumn Hurley says. “Cloud security engineering is a very specialized skill set, and a lot of organizations don't feel comfortable with it or they feel that they don’t have the talent internally to support that.”
As with many other key business processes, AI is affecting how middle market companies leverage service providers. In many ways, AI is an evolution of the service provider, augmenting internal teams as it becomes more stable, more directed and more reliable. Service providers are reinventing what they deliver and are still better equipped to leverage tools underpinned with AI than internal personnel in most cases. But many organizations are reconsidering what they outsource to providers versus what they do in-house, utilizing products and essentially outsourcing activities to nonhuman entities in a trusted fashion.
“The cybersecurity workforce of the future is currently under construction, and companies need to consider how to build their departments moving forward,” says RSM US Principal Daniel Gabriel. “This includes how they staff and how they determine the right balance of insourcing versus outsourcing, and reliance on humans versus nonhuman resources. That's a big pivot.”