logo.svg
blog

Cybersecurity Spending Is Rising. So Why Isn't Cyber Risk Falling?

Organizations are spending more on cybersecurity than ever. It isn't working. The reason isn't the amount — it's where the money goes.

  • July 5, 2026

Global cybersecurity spending is expected to reach $240 billion in 2026, up 12.5% from 2025. Yet nearly a third of organizations say they feel less secure than they did a year ago. If security budgets continue to grow, why is confidence moving in the opposite direction?

The problem isn't how much organizations spend. It's where they direct it, and how they act on it. That's the execution gap: the distance between knowing where the risks are and actually reducing them.

Data from Cye's 2026 Global AI & Cyber Maturity Report, based on more than 2,400 security assessments across 21 countries and 16 industries, reveals the scale of this gap: organizations are increasing investment and strengthening governance while falling behind on executing the controls that actually reduce risk. In short: governance is outpacing protection - and AI is making that gap more dangerous than ever.

Maturity Scores Are Rising — But Don't Tell the Full Story

The average cybersecurity maturity score based on NIST CSF 2.0 rose from 2.19 to 2.35 year over year, driven by growing board engagement, larger security budgets, and increased regulatory pressure.

But 2.35 still places the average organization in the Managed stage of the NIST framework - security processes exist and are repeatable, and boards are taking cyber risk more seriously than ever. But security still isn't standardized or consistently embedded across the organization. The policies are in place. The cultural shift that makes security integral to how the business operates hasn't happened yet.

The Five Levels of Maturity

The Five Levels of Maturity
The Five Levels of Maturity

What the Average Maturity Score Hides

The real insight lies beyond the average score. The report reveals a widening gap between planning security and executing it.

Across the six NIST CSF 2.0 functions measured, Govern scores highest, reflecting stronger policies, oversight, and executive engagement. The lowest-scoring function for the second year running is Protect: the technical controls and safeguards that actually prevent attacks from succeeding.

Average Maturity Score by NIST CSF 2.0 Function

Average Maturity Score by NIST CSF 2.0 Function
Average Maturity Score by NIST CSF 2.0 Function

NIST CSF 2.0 functions at a glance

NIST CSF 2.0 functions at a glance
NIST CSF 2.0 functions at a glance

Why Governance Is Outpacing Protection

Over the past few years, regulations such as NIS2, CMMC, CIRCIA, and other regional cybersecurity requirements have driven organizations to strengthen governance, reporting, and risk management. Boards are more engaged in cyber risk than ever before, treating it as a business issue alongside financial performance and operational resilience.

But attackers don't exploit policies or board presentations. They exploit technical weaknesses.

While governance can be strengthened through policies, frameworks, and oversight, protection depends on operational execution: maintaining visibility across assets, remediating vulnerabilities, validating controls, monitoring continuously, and responding quickly as environments change. Those capabilities require sustained investment, mature processes, and ongoing discipline.

Our data shows that many organizations are still struggling with the fundamentals of execution. The most common weaknesses aren't sophisticated zero-day attacks - they're basic security hygiene issues that continue to create unnecessary exposure.

Top Cybersecurity Findings by Number of Occurrences

Top Cybersecurity Findings by Number of Occurrences
Top Cybersecurity Findings by Number of Occurrences

These are known problems with well-established solutions. They remain widespread because setting direction through policy is one thing; executing against it consistently, across a changing environment, is another. That is why governance improves faster than protection, and why many organizations feel less secure despite investing more than ever.

AI Is Accelerating the Risk That Lives in the Gaps

Neither the execution gap nor the exploitability gap — the widening distance between how fast attackers can move and how fast defenders can respond — is new.

AI is amplifying both.

Agentic AI is dramatically compressing the time it takes attackers to discover, chain together, and exploit vulnerabilities. Activities that once took days - or weeks - now happen in minutes.

The Post Mythos Era: An Expected 90x increase in weaponized exploit output

The Post Mythos Era
The Post Mythos Era

AI hasn't created new security problems. It's made existing weaknesses faster, cheaper, and easier to exploit.

As attack speed accelerates, governance alone isn't enough. Security programs must continuously identify, prioritize, validate, and reduce exploitable risk — before attackers find it first.

So which organizations are successfully reducing this ever-widening risk? Our data reveals a clear pattern - and it has less to do with budget than you might expect.

Only 3 of 21 Countries Score Above Average. What Are They Doing Differently?

Of the 21 countries in the dataset, only three score above the global average of 2.35: Switzerland (2.48), the United States (2.41), and Israel (2.39). Eighteen countries fall below it - most by a significant margin.

Cyber Maturity by country
Cyber Maturity by country

The two biggest year-over-year jumps - Switzerland at +16%, the US at +9% - share a common cause.

Both had major cybersecurity compliance deadlines enforced in the past year. Switzerland's ISA mandatory incident reporting came into force in April 2025, with financial penalties following in October. In the US, CMMC cybersecurity requirements began entering defense procurement contracts in November 2025, with SEC Regulation S-P compliance deadlines for large financial firms following in December.

The implication is hard to ignore: regulation drives maturity in ways that bigger budgets don't. Compliance pressure creates urgency. Urgency forces execution.

How to Move from Awareness to Action

Cyberattacks are inevitable. Preventable exposure is not.

Organizations that improve resilience are the ones that focus on execution as much as strategy:

  • Fix foundational hygiene first. Basic weaknesses create disproportionate risk - and they're among the cheapest to remediate. Don't fund new tools while known gaps stay open.

  • Close cloud blind spots. You can't protect assets you can't see. Map and monitor cloud environments continuously.

  • Treat compliance as a floor, not a finish line. Regulation strengthens governance. Resilience requires continuous operational improvement beyond what any framework mandates.

  • Measure maturity continuously. Annual assessments can't keep pace with a threat landscape measured in minutes.

  • Prioritize exploitable risk, not theoretical risk. Validate whether exposure should be remediated, mitigated, or accepted - and revisit those decisions as the environment changes.

Spending More Doesn't Make You More Secure

Security budgets keep growing. Security outcomes aren't keeping pace.

Organizations have more policies, more frameworks, more governance, and larger budgets than ever before. But knowing where the risks are isn't the same as reducing them.

As AI accelerates the speed of attacks, the organizations that succeed won't necessarily be those spending the most. They'll be the ones that consistently turn strategy into action.

Download Cye's 2026 Global AI & Cyber Maturity Report to benchmark your organization's maturity and learn how leading security teams are shrinking exposure before attackers can reach it.

Request a strategic briefing with a Cye security expert to benchmark your maturity.

Request A Demo

Learn how Cye Platform can help you understand the true potential cost of cyber exposure, effectively communicate with executive teams, and prioritize remediation strategy and planning.

Here's what we'll cover:

  • Your objectives and challenges
  • An overview of Cye platform and the right packages for you
  • Your cybersecurity industry benchmark and how you compare
  • Your current exposure management program