May 15, 2026 Market Decoded

The Cybersecurity Spending Surge — AI Arms Race, Supply Chain Risk & the Talent Gap

By Markus Weidemann | Principal Researcher, Insights Economy & Market Intelligence

The Cybersecurity Spending Surge: Why Boards Are Writing Bigger Cheques Than Ever — and Still Feeling Exposed

Global cybersecurity spending crossed $200 billion in 2024 and is projected to approach $300 billion by the end of the decade — growth rates that would be extraordinary in any mature technology category, and that reflect a response to threat escalation that is itself extraordinary in scale and sophistication. Ransomware attacks on critical infrastructure have moved from occasional incidents to near-constant background noise, with hospitals, water utilities, port operators, and financial market infrastructure each experiencing significant disruptions in the past three years. State-sponsored cyber operations — by Russian, Chinese, North Korean, and Iranian actors — have demonstrated the capability to penetrate networks that were previously considered adequately secured, including those of intelligence agencies, defence contractors, and the technology vendors whose products underpin much of the global digital economy. The combination of criminal and state-sponsored threat escalation is driving security spending at every level of the economy, from global banks and government agencies to mid-sized manufacturers who discovered, often through painful experience, that they are not too small to be targeted.

The paradox at the centre of the cybersecurity market is that organisations are spending more than ever on security and simultaneously feeling less secure than they did a decade ago. This is not simply a failure of the security industry — it reflects the fundamental asymmetry of the attack-and-defence dynamic. Attackers need to find and exploit one vulnerability; defenders must protect against all of them. Attackers can adapt their techniques faster than defenders can update their defences. The enterprise attack surface has expanded dramatically as cloud adoption, remote work, IoT device proliferation, and supply chain interconnection have multiplied the potential entry points that adversaries can exploit. The result is an industry that generates exceptional commercial value for its participants while delivering security outcomes that are genuinely difficult to measure and imperfect in practice.

The AI Arms Race in Cybersecurity: Attack and Defence at Machine Speed

Artificial intelligence has arrived in cybersecurity simultaneously on both sides of the conflict, and the implications for the balance between attack and defence are still being worked out. On the defensive side, AI-powered security operations platforms — from CrowdStrike's Falcon to Microsoft Sentinel to the emerging category of AI Security Operations Centres — are applying machine learning to threat detection, alert triage, and incident response at a speed and scale that human analysts cannot match. Security teams that previously took hours or days to detect and contain a lateral movement event can now receive automated detection and initial containment in minutes. The productivity improvement from AI-assisted security operations is real and measurable, and it is allowing security teams that were chronically understaffed to cover more ground than their headcount would previously have allowed.

On the offensive side, AI is lowering the barriers to sophisticated attack at an equally significant rate. Phishing emails that previously required native-language proficiency to be convincing can now be generated by large language models in any language with grammatical and cultural accuracy that defeats the simple heuristics that used to filter them. Malware development cycles that required skilled reverse engineers and exploit developers can be accelerated by AI tools that generate exploit code from vulnerability descriptions. The emergence of "LLMs for cybercrime" — whether purpose-built criminal AI systems or the misuse of commercial models — is enabling a class of threat actor that was once constrained by skills limitations to operate at a sophistication level that formerly required nation-state resources. The net effect on the attack-defence balance is contested among security researchers, but the directional conclusion that AI lowers attack costs faster than it lowers defence costs is increasingly accepted as the working hypothesis for threat modelling purposes.

The Software Supply Chain Vulnerability: Log4Shell, SolarWinds, and What Comes Next

The SolarWinds compromise of 2020, in which a single software vendor's update mechanism was subverted to deliver malware to thousands of the vendor's customers including US government agencies, defined the software supply chain attack as the threat vector that the security industry had systematically underweighted. The Log4Shell vulnerability of 2021, exploiting a widely used Java logging library embedded in hundreds of thousands of applications, demonstrated that the supply chain problem was not confined to intentional adversary action but extended to the involuntary propagation of critical vulnerabilities through the open-source software components that underpin the global software ecosystem. The consequences of these incidents have driven significant regulatory and commercial attention to software bill of materials requirements, open-source component security, and vendor security assessment processes that were previously treated as secondary considerations in procurement decisions.

The regulatory response to supply chain security concerns has accelerated significantly. The US Executive Order on Improving the Nation's Cybersecurity mandated SBOM requirements for software sold to the federal government. The EU Cyber Resilience Act introduces mandatory security requirements for products with digital elements, with supply chain security obligations on both manufacturers and importers. DORA — the Digital Operational Resilience Act — requires EU financial institutions to assess and manage the cybersecurity risk of their third-party technology providers in a structured and documented way. Each of these regulatory frameworks is creating compliance obligations that translate directly into security spending, professional services demand for assessment and audit work, and technology investment in supply chain security tooling. For the information security consulting market, the supply chain security regulatory wave is one of the most significant demand drivers of the current decade.

Cyber Insurance: The Market That Tightened Just When Demand Surged

The cyber insurance market entered 2020 with a relatively permissive underwriting posture — broad coverage, moderate premiums, and limited technical assessment of policyholders' actual security postures. The ransomware surge of 2020–2022, which produced loss ratios that were devastating for underwriters who had priced the product on the assumption that large-scale ransomware attacks were exceptional rather than routine, forced a fundamental market reset. Premium rates increased 50–100% in a single year at peak, coverage terms tightened dramatically with ransomware sublimits and war exclusions becoming standard, and insurers began requiring minimum security controls as a condition of coverage — creating a de facto regulatory standard for security hygiene that reached companies through insurance rather than government mandate.

The cyber insurance market has partially stabilised from the 2022 peak tightening, with premium increases moderating as insurers have improved their underwriting models and policyholders have improved their security postures in response to coverage requirements. But the market remains structurally different from the pre-ransomware era: coverage is more expensive, more conditional, and more subject to exclusions for state-sponsored attacks and catastrophic scenarios. For organisations that depend on cyber insurance as a component of their risk transfer strategy, the evolution of the market has created both constraint and incentive — constraint because coverage for the most extreme scenarios is increasingly difficult to obtain at affordable cost, and incentive because the security requirements attached to insurance have driven genuine security investment by organisations that might otherwise have deferred it.

The Talent Gap: Cybersecurity's Unresolved Structural Constraint

The global cybersecurity workforce gap — estimated at 3.5 to 4 million unfilled security positions — is the most persistent structural constraint in the industry and the one that market forces have been least successful at resolving. The demand for security professionals has grown faster than educational institutions, bootcamps, and on-the-job training programmes can supply them. Salary inflation for experienced security practitioners has been among the highest in the technology sector, creating a self-reinforcing cycle in which experienced talent concentrates in organisations that can afford premium compensation while smaller organisations and government agencies struggle to recruit and retain at competitive salaries. The security operations workforce is burned out at scale — studies consistently report that high rates of alert fatigue, stress, and turnover characterise security operations roles, creating a talent retention problem that compounds the shortage problem.

AI-assisted security operations represent the most commercially viable near-term response to the talent shortage, and the security industry's marketing positioning has universally adopted "do more with the team you have" as a central value proposition. The claim is partially validated — AI-powered tools demonstrably improve analyst productivity on routine detection and triage tasks, freeing experienced analysts for higher-complexity investigation and response work. The gap between the productivity improvement that AI delivers in practice and the staffing shortage it needs to close is still significant, but the trajectory is in the right direction. The organisations that are building AI-augmented security operations now — investing in tooling, workflow redesign, and the training required to use AI tools effectively — will have a structural advantage over those that are waiting for the technology to mature further before committing to the transition. In cybersecurity, as in most security-critical domains, the gap between first movers and laggards has consequences that extend beyond commercial competitiveness to operational exposure to adversaries who are not waiting.
