
RESEARCH REPORT

The Cost of Stretched Security Leadership

What 17,000+ incidents and $4.8B in claims tell mid-market leaders about security leadership, AI exposure, and the price of going without.

29 pages | 28 min read | PDF download


$1.57M: per-breach cost gap between organizations with high and low security skills shortages (IBM 2025)

16 days: dwell-time gap between internal and external detection (Mandiant M-Trends 2026)

27%: share of enterprises that replaced their IT or security leader after a ransomware attack (Sophos 2025)

$2.2M: combined per-breach savings from the wider leadership stack (IBM 2025)

EXCERPT

A preview of what is in the guide.

The stretched-leadership penalty is now priced in dollars

For the first time, IBM's Cost of a Data Breach 2025 report breaks out security-leadership factors as discrete cost levers. CISO appointment is priced at −$113,840 per breach, board-level oversight at −$110,772, and MSSP engagement at −$128,087. These factors stack. The skills-shortage amplifier alone costs $173,400 per breach on average, and the gap between high-shortage and low-shortage organizations comes to $1.57 million per breach.

Mid-market has different economics

NetDiligence analyzed 10,402 actual cyber-insurance claims paid between 2020 and 2024. Organizations under $50M in revenue average $142,000 per claim. Organizations between $50M and $300M average $374,000, 2.6 times the smallest band. Each step up corresponds to a 2.5–5x increase in average claim cost. The mid-market is not a smaller version of the enterprise problem.

The two-sided AI story

Defenders using security AI extensively saved $1.9M per breach and shortened the breach lifecycle by 80 days. But 63% of breached organizations had no AI governance policy at all, and 97% of AI-system breach victims lacked proper access controls. Roughly four out of five attacks now leverage AI; only roughly one in three defenders do.

Identity is the perimeter

68.6% of all incidents Expel investigated in 2025 were identity-based, and the 60–70% range is uniform across every industry Expel covers. Most damaging: 47.7% of identity-based incidents involved attackers gaining access despite valid-credential MFA. The state-of-the-art bar is now phishing-resistant MFA, conditional access, and continuous session monitoring.


Want to operationalize this?

Z Cyber delivers the wider security leadership stack: fractional CISO leadership, MDR coverage, and AI / identity governance.
