The long held conventional wisdom that organizations commit to increased cybersecurity investments only after a breach has taken a hit.
IBM’s latest annual Cost of a Data Breach study reports a significant reduction in the number of global organizations that said they plan to invest in security following a breach — 49% in 2025 compared to 63% in 2024.
Experts quizzed by CSO were split on whether the drop in post breach spending was “foolhardy” or reflective of a growing realization that reactive spending is ineffective.
“Historically, breach-driven investments have served as wake-up calls for boards, but the latest data shows fatigue is setting in,” says Amiram Shachar, CEO at cloud security firm Upwind. “Reactive, post-breach spending is neither effective nor sustainable.”
Shachar adds: “Continuous proactive security programs that mature as workloads expand in the cloud, from protecting the configurations layer to protecting workloads at the runtime layer continuously increase coverage and reduce the possibility of a breach, deliver far greater impact.”
Aaron Perkins, founder at Market-Proven AI, argues that companies are realizing that once you reach a certain threshold, additional cybersecurity spending doesn’t necessarily translate to proportional risk reduction.
“Organizations that have experienced breaches are shifting from reactive spending to calculated risk management — focusing on optimizing existing investments rather than simply adding more layers,” Perkins says. “This reflects organizational maturity beyond the ‘security at any cost’ mentality toward more sophisticated, ROI-driven decision-making.”
Zach Lewis, CIO and CISO at the University of Health Sciences and Pharmacy in St. Louis, tells CSO that IBM’s numbers are unsurprising because breaches are failing to spark the same urgency they used to.
“Too many companies chalk [breaches] up as an inevitable cost of doing business and move on,” Lewis says. “The problem is, attackers are getting smarter and faster, and if you’re not updating your defenses, especially with tools that can keep up with them, you’re leaving the door wide open for the next hit.”
Moreover, given the board-level emphasis on cybersecurity over the past several years, the post-breach budget question also puts boards on the spot.
“Increasing security spend after a breach requires executives to acknowledge that they have been underinvesting in the first place,” says Jason Rebholz, advisory CISO at managed detection and response vendor Expel.
Risk transference
More security leaders are choosing to transfer rather than mitigate risk through cyber insurance, a business decision that can shift responses to any security breach.
“The drop in post-breach spending suggests a split mindset: Some companies rely on cyber insurance to absorb the impact, while others have already built resilience through frameworks like NIST CSF [Cyber Security Framework]. In those cases, breaches drive lessons learned and fine-tuning rather than new investments,” says Elliott Franklin, CISO of reinsurance firm Fortitude Re.
Complexity and broken processes
Todd Thorsen, CISO at data recovery vendor CrashPlan, said that some breach victims may conclude that they were more exposed to the complexity of their IT environment rather than insufficient investment.
“Complexity can be as big a problem as underinvestment in security — duplicative systems, poorly managed integrations, shelf-ware, etc.,” he says. “This may lead to some organizations simplifying their environments in the wake of a breach and focusing on the right tools, optimization, and consolidation.”
Mark Wojtasiak, VP of product research and strategy at Vectra AI, argues that the decline in post-breach investment intentions suggests a wider shift of mindset among cybersecurity professionals.
“Many security leaders now see breaches less as a signal to buy more and more as an indicator of broken processes, governance gaps, or underutilized capabilities,” he says. “As a result, rather than seeking fresh budget, organizations are focusing on improving how they use existing technology and partners.”
Other experts were far less sanguine about suggestions that breached firms were less likely to invest in cybersecurity improvements in the wake of a breach.
AJ Thompson, chief commercial officer at Northdoor and member of IBM’s Worldwide Security Advisory Council, described the finding as “disturbing.”
“The fact that an organization has been breached means that there is already a vulnerability in place that can be exploited — not addressing this with increased security is foolhardy,” Thompson says.
Limited focus on AI-driven security enhancements
Less than half of those that plan to invest post-breach will focus on AI-driven security solutions or services, according to another key finding from IBM’s report.
“The limited focus on AI-driven solutions is surprising, given how AI and gen AI are reshaping the threat landscape,” Upwind’s Shachar says. “Organizations need tools that can secure AI workloads against risks such as data leakage, adversarial manipulation, and unauthorized model access — gaps traditional defenses can’t address.”
Fortitude Re’s Franklin adds: “AI has a role, but it won’t solve process failures — strengthening governance and automating fundamentals remains the smarter path.”
No Responses