Security spending hits $213 billion in 2025. Breach costs hit $4.88 million on average. Both numbers go up together, and that should bother us more than it does.
I keep coming back to two numbers that should not be moving in the same direction. Gartner reports that worldwide security spending reached $213 billion in 2025 (https://www.gartner.com/en/newsroom/press-releases/2026-04-07-gartner-forecasts-worldwide-it-spending-to-grow-9-8-percent-in-2026). IBM's Cost of a Data Breach Report 2024 puts the average breach cost at $4.88 million, up 10% from the year before and the highest figure in the report's history (https://www.ibm.com/reports/data-breach). Both numbers are records. Both are rising at the same time. The simultaneous growth of security spending and breach cost is the most uncomfortable pattern in the industry right now, and I do not think the field has produced an honest public account of why it keeps happening.
The easy explanation is arithmetic. Multiply the number of confirmed breaches in 2024 by an average cost of $4.88 million each and the aggregate damage is an order of magnitude larger than the $213 billion spent to prevent it. But arithmetic alone misses something. Security investment prevents breaches you never hear about. You cannot count what did not happen. Some organizations spending heavily are genuinely better protected. Some got lucky. The $213 billion figure does not sort those two groups, and that ambiguity is part of what makes the headline numbers so difficult to reason about.
The better question is whether the way organizations allocate the $213 billion actually maps onto how breaches happen. It mostly does not. IBM's data shows that phishing, stolen credentials, and unpatched vulnerabilities remain the top breach entry points year after year. These are not new problems. Security teams have been writing reports about them for a decade. The money keeps going up. The attack vectors stay the same. Something structural is not working.
I want to use an IS theory here that I think gets underused in security conversations. DiMaggio and Powell (1983) described institutional isomorphism as the process by which organizations adopt practices not because they have evaluated whether those practices work, but because their competitors, regulators, and industry peers are adopting them. There are three mechanisms: coercive (regulation requires it), mimetic (competitors are doing it so it must be right), and normative (industry professional networks define what a "good" security program looks like). My read is that all three are driving a significant portion of the $213 billion. Organizations buy the tools on the compliance checklist because auditors ask about them. They implement the frameworks their peers are using because the CISO community socializes particular vendors and architectures. They staff security operations centers because that is what a mature security program is supposed to look like. Very little of this is driven by careful analysis of the specific threat vectors facing that specific organization. It is adoption by contagion, not adoption by evaluation.
The consequence of isomorphic security spending is tool sprawl. Large enterprises can operate with dozens of security tools, each from a different vendor, each with its own alert format, its own data model, and its own update cycle. I want to hedge the specific number here because I have seen varying estimates across sources and cannot point to one authoritative figure. The directional claim seems solid, though: the average enterprise security stack is fragmented in ways that create gaps. Alerts from one tool do not reliably correlate with events in another. An attacker moving laterally across an environment can generate events in multiple systems simultaneously without any of those systems producing a combined signal that triggers a human response. The $213 billion is partly buying tools that are not talking to each other in real time.
IBM's same 2024 report provides a counterpoint I find genuinely useful. Organizations using AI and automation in their security operations saved an average of $2.2 million per breach compared to organizations that did not. That is not a small number. It suggests that some portion of the current $213 billion, if allocated toward integrated detection and response capabilities with AI-assisted correlation, would produce measurably better outcomes than the same money distributed across dozens of point solutions. The spending level is not the primary variable. How it is organized and integrated is.
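The correlation gap described in the two paragraphs above, shown as an added example that is not part of the essay: three hypothetical tools (an EDR, an identity provider, a firewall) each emit a low-severity alert in its own format. Read in isolation, each would be dismissed. Normalising them to one schema and joining them on a shared host within a time window produces the combined signal a fragmented stack never raises. All tool names, field names and log lines are constructed for the example.

```python
"""Cross-tool alert correlation over a time window (added example).

Three constructed tools emit alerts in three formats. Each alert is low
severity on its own; correlating them on the same host within a window
escalates them into one combined signal for a human to act on.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample alerts. ws-017 is hit by all three tools within minutes;
# ws-042 gets two alerts 49 minutes apart; ws-099 gets a single alert.
EDR_JSON_LINES = [
    '{"ts": "2024-03-04T09:02:10Z", "hostname": "ws-017", "user": "jdoe", "rule": "suspicious_powershell", "sev": "low"}',
    '{"ts": "2024-03-04T09:40:55Z", "hostname": "ws-042", "user": "asmith", "rule": "macro_execution", "sev": "low"}',
]
IDP_KV_LINES = [
    "time=2024-03-04T09:04:31Z actor=jdoe src_host=ws-017 event=mfa_prompt_approved_after_repeats risk=low",
    "time=2024-03-04T11:15:00Z actor=bwong src_host=ws-099 event=new_device_login risk=low",
]
FIREWALL_CSV_LINES = [
    "2024-03-04T09:06:02Z,ws-017,fileshare-01,445,smb_scan_heuristic,low",
    "2024-03-04T10:30:00Z,ws-042,dns-01,53,dns_tunnel_heuristic,low",
]


@dataclass(frozen=True)
class Alert:
    """Common schema every tool's alert is normalised into."""
    ts: datetime
    tool: str
    host: str
    user: str | None
    rule: str
    severity: str


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_edr(line: str) -> Alert:
    d = json.loads(line)  # EDR emits one JSON object per alert
    return Alert(_parse_ts(d["ts"]), "edr", d["hostname"], d["user"], d["rule"], d["sev"])


def parse_idp(line: str) -> Alert:
    kv = dict(tok.split("=", 1) for tok in line.split())  # key=value pairs
    return Alert(_parse_ts(kv["time"]), "idp", kv["src_host"], kv["actor"], kv["event"], kv["risk"])


def parse_firewall(line: str) -> Alert:
    ts, src, _dst, _port, rule, sev = line.split(",")  # positional CSV
    return Alert(_parse_ts(ts), "firewall", src, None, rule, sev)


def normalize_all() -> list[Alert]:
    """Parse every tool's feed into the shared schema, oldest first."""
    alerts = [parse_edr(l) for l in EDR_JSON_LINES]
    alerts += [parse_idp(l) for l in IDP_KV_LINES]
    alerts += [parse_firewall(l) for l in FIREWALL_CSV_LINES]
    return sorted(alerts, key=lambda a: a.ts)


def correlate(alerts: list[Alert], window: timedelta = timedelta(minutes=10), min_tools: int = 2) -> list[dict]:
    """Emit a combined signal whenever >= min_tools distinct tools alert on the
    same host within `window` of the cluster's first alert."""
    by_host: dict[str, list[Alert]] = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)

    signals = []
    for host, hs in by_host.items():
        hs.sort(key=lambda a: a.ts)
        i = 0
        while i < len(hs):
            j = i
            while j + 1 < len(hs) and hs[j + 1].ts - hs[i].ts <= window:
                j += 1
            cluster = hs[i:j + 1]
            tools = sorted({a.tool for a in cluster})
            if len(tools) >= min_tools:
                signals.append({
                    "host": host,
                    "users": sorted({a.user for a in cluster if a.user}),
                    "tools": tools,
                    "rules": [a.rule for a in cluster],
                    "start": cluster[0].ts.isoformat(),
                    "end": cluster[-1].ts.isoformat(),
                    # three independent tools agreeing is treated as high
                    "severity": "high" if len(tools) >= 3 else "medium",
                })
                i = j + 1  # consume the whole cluster
            else:
                i += 1  # slide the window start forward
    return signals


if __name__ == "__main__":
    for sig in correlate(normalize_all()):
        print(json.dumps(sig, indent=2))
```

With the default 10-minute window only ws-017 produces a signal: three tools, three low-severity alerts, one high-severity combined event. Widening the window to an hour pulls ws-042 in as well, which is the trade-off any correlation rule has to make between catching slow-moving activity and flooding analysts with coincidental pairings.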
This is where I land as an IS researcher, and where I think the security field underestimates the governance problem. Security spending decisions get made at the executive level under conditions of deep uncertainty. A CISO presenting to a board is more likely to get approval for a tool that maps to a specific compliance requirement than for architectural work that reduces attack surface but does not map to a checkbox. The board can verify compliance. The board cannot easily evaluate architecture. So the spending follows compliance rather than risk modeling, and compliance frameworks always lag attacker techniques by months or years. This is isomorphism in practice: the organization looks like it has a security program because it has the right certifications and the right vendor logos on the slide deck. Whether the underlying architecture reduces actual risk is a separate, harder question.
Sociotechnical systems theory (Trist and Bamforth, 1951) is also relevant in a way I want to flag. The original insight was that optimizing the technical component of a system without jointly designing the human component almost always produces underperformance. Security programs do this constantly. They buy technically excellent tools and then staff them with analysts who are overwhelmed with alerts, working in shifts, rotating between tools with different interfaces, and trying to form a coherent picture of what is happening across an environment. The humans are not a minor add-on to the technical system. They are the system. When alert fatigue causes analysts to dismiss or delay reviewing genuine threats, it does not matter how sophisticated the detection tool was.
What worries me most as an IS researcher is that I do not think the field is building the right feedback loops. We know that spending is rising. We know breach costs are rising. But we do not have good public data on which specific spending categories are producing better security outcomes and which are producing compliance theater. The organizations that know this, the ones with mature security analytics that can connect investment categories to outcome variables, are not publishing that information. The organizations making isomorphic spending decisions are not collecting the data that would tell them whether it is working.
There is a research gap here that I think IS has the tools to address. Security ROI, measured not by adoption of controls but by reduction in incident frequency or breach cost, is almost never studied rigorously outside of closed corporate settings. The IBM report is one of the few public datasets with any causal signal in it, and it is self-reported by organizations that agreed to participate. What we need is more work on the mechanisms: which governance structures, which spending allocation patterns, and which integration architectures actually produce better outcomes, measured against breach frequency and cost, not just compliance certification rates. That question is not a technology question. It is an organizational question. It belongs in IS.
---
claims_checked:
- "Security spending 2025: $213 billion": "https://www.gartner.com/en/newsroom/press-releases/2026-04-07-gartner-forecasts-worldwide-it-spending-to-grow-9-8-percent-in-2026"
- "Average breach cost $4.88 million, 10% increase, highest in report history": "https://www.ibm.com/reports/data-breach"
- "AI/automation saves $2.2 million per breach": "https://www.ibm.com/reports/data-breach"
claims_unverified:
- "Dozens of security tools per enterprise: directional claim based on multiple industry sources, no single authoritative figure cited; hedged explicitly in body"
- "Phishing, credentials, unpatched vulnerabilities as top breach vectors: consistent with multiple years of IBM and Verizon DBIR reporting; not freshly verified against a specific 2024 report page"
sources_used:
- "https://www.gartner.com/en/newsroom/press-releases/2026-04-07-gartner-forecasts-worldwide-it-spending-to-grow-9-8-percent-in-2026"
- "https://www.ibm.com/reports/data-breach"