For years, the assumption in corporate boardrooms was that a major cyber incident would inevitably trigger fresh rounds of spending on defence. But new data suggests that the reflex is weakening. According to IBM’s annual Cost of a Data Breach report, just 49 per cent of organisations in 2025 said they plan to boost cybersecurity budgets after a breach, down sharply from 63 per cent in 2024.
The decline signals a shift in how companies think about digital risk. Once seen as a clear call to action, breaches are increasingly regarded as unavoidable hazards, part of doing business in a world where cyber threats evolve faster than defences. Some security leaders see this as pragmatic realism, and others call it dangerous complacency.
From Crisis Spending to Risk Management
Experts say the numbers reflect fatigue with breach-driven investment. Amiram Shachar, chief executive of the cloud security firm Upwind, described reactive spending as “neither effective nor sustainable.” Instead, he argued, firms should embed continuous security programs that evolve alongside cloud workloads.
Others point to board-level maturity. Aaron Perkins, founder of Market-Proven AI, said many executives no longer equate higher spending with reduced exposure. He stated that once you hit a certain threshold, adding layers doesn’t deliver proportional risk reduction. This, he added, marks a shift toward return-on-investment–driven security decisions rather than the “security at any cost” mindset of past years.
Yet some practitioners see a more troubling picture. Zach Lewis, chief information officer and chief information security officer at the University of Health Sciences and Pharmacy in St. Louis, said breaches no longer generate the urgency they once did and that too many companies chalk them up as inevitable.
Insurance, Complexity, and AI’s Limited Role
The change in spending patterns also reflects the rising role of cyber insurance as a tool for transferring rather than mitigating risk. For some firms, policies absorb the financial hit, reducing pressure to overhaul defences. Others lean on frameworks like the NIST Cybersecurity Framework to make incremental adjustments without increasing budgets.
Complex IT environments further complicate the picture. Todd Thorsen, chief information security officer at CrashPlan, argued that in many cases, breaches highlight tangled systems and unused tools more than raw underinvestment. Simplifying infrastructure, he suggested, can be as impactful as adding new defences.
Still, experts note that fewer than half of the companies that do plan to spend more will direct funds toward AI-enabled security tools, despite their growing role in both attack and defence. Some see this as a missed opportunity. Others argue that governance failures, not tool shortages, remain the real barrier.
The debate underscores a broader rethinking of how organisations respond to cyber crises. What was once a predictable budget reflex now reveals diverging philosophies about whether breaches should prompt more spending, better management, or both.