Is Cybersecurity actually being taken more seriously?
Cybersecurity has been getting more and more attention. With massive attacks every month, news articles on the topic becoming more and more popular, incredibly overinflated stock prices, and more and more people going into cybersecurity, you would naturally think that its importance is actually on the rise.
But as the 46th US President once said.
Joe Biden
Whether you agree or disagree with the man, this quote is brilliant, and in short, the evidence does not support the sentiment that cybersecurity is being treated more seriously.
Point 1 - Investment is growing linearly
You would expect that with an exponential rise in cybersecurity articles being written in mainstream media, cybersecurity jobs becoming more and more sought after, and investors punting their money into cybersecurity companies at ridiculous valuations, you would also see a rise in cybersecurity investment by businesses all around the world.



But this has not been the case.

I mean, it has barely been in line with global inflation (~4%).
Point 2 - Investment has been stagnant relative to Cost of Cybercrime
You would expect to see an increase in cybersecurity investment relative to the cost of cybercrime, because you would think the news articles would scare company boards into putting more money into cybersecurity. But as shown below, this has not happened. In fact, the ratio is not really moving past 2%.


Point 3 - Growth doesn't show seriousness
At the moment, we can all agree that there is one technology that is being taken seriously. That technology is AI. Yet for all the claims that cybersecurity is being taken more seriously, comparing the CAGR of each industry clearly shows that this isn't the case.
- CAGR for Cybersecurity ~14%
- CAGR for AI ~34%
Point 4 - Cybersecurity doesn't get a big enough budget
Only a small percentage of a company's budget is spent on cybersecurity. Specifically, the average business spends around 11% of its IT budget on cybersecurity.
And in turn, only 3%-6% of the company budget is spent on IT.
This is such a small fraction that it is hard to believe the average company is taking cybersecurity seriously.
Conclusion
In short, I think it's between "kind of" and "no" because:
- Investment in Security is growing linearly.
- Investment has been stagnant relative to Cost of Cybercrime
- Growth doesn't show seriousness
- Cybersecurity doesn't get a big enough budget
- The increasing threat of AI facilitating attacks has led to no boost in spending in defence, even as capabilities continue to grow exponentially.
I believe that cybersecurity will only be taken more seriously when the number of attacks increases exponentially, which we could see one day with fully autonomous AI attacking on behalf of attackers. At the moment there seems to be a resource cap (humans and time), but if autonomous AI attackers were to ever come to exist that cap would be much higher, and the spike in attacks would jump dramatically (cap would be compute).