A survey of 500 senior security decision-makers was conducted across the US and UK, focusing on companies with 400-6,000 employees in seven sectors: financial services, fintech, healthcare, manufacturing, professional services, retail, and SaaS.
91% of midmarket organizations experienced digital estate growth over the past 24 months, with 38% describing the growth as significant.
70% of organizations reported that headcount kept pace with digital estate growth, while 30% grew headcount faster, 17% grew it more slowly, and nearly 10% kept headcount flat.
42% of security teams describe themselves as stretched, overwhelmed, or consistently behind, with professional services at 51% and healthcare at 35%.
28% cite lack of visibility into exposed assets as a top operational challenge, 26% cite too many security tools, and 24% cite poor alert prioritization.
34% cite limited resources and competing priorities as challenges, while 36% acknowledge their security posture hasn’t scaled appropriately with digital estate growth.
14% believe the gap between security posture and digital estate growth won’t close for at least six months.
In healthcare, 51% kept headcount at pace with digital estate growth, while in SaaS, 86% did so.
US organizations are more likely than UK counterparts to have grown headcount faster than their digital estate (36% vs 22%).
89% report increasing security budgets, and 94% express confidence in identifying and remediating critical threats.
51% say it would take approximately a week to assess exposure to a critical zero-day.
18% track internet-facing assets manually, and 9% run multiple cloud environments without a unified security view.
44% of teams have outgrown their security stack or use stitched-together point solutions.
49% prioritize AI and automation for 2026, while 17% prioritize increasing headcount.
Only 9% of organizations discuss cyber risk at the board level, with 34% discussing it with executive leadership and 51% keeping it at security or IT leadership only.
UK organizations are more than twice as likely as US ones to take cyber risk to the board (14% vs 6%).

Midmarket organizations, defined as companies with 400-6,000 employees, face unique cybersecurity challenges. A survey of 500 senior security decision-makers across the US and UK reveals that 91% experienced digital estate growth over the past 24 months, with 38% describing it as significant. While 70% of organizations say headcount kept pace with this growth, 42% of teams report feeling stretched, overwhelmed, or consistently behind, with professional services (51%) and healthcare (35%) at opposite ends of the strain spectrum. Despite 89% reporting increased security budgets and 94% expressing confidence in threat remediation, there are discrepancies: 51% estimate it would take a week to assess exposure to a critical zero-day, while 18% still track internet-facing assets manually. Tool fragmentation is a major issue, with 44% of teams using stitched-together point solutions lacking unified visibility. Only 9% of organizations discuss cyber risk at the board level, with most discussions confined to security or IT leadership. The data suggests a gap between perceived preparedness and operational realities, particularly in visibility, tool integration, and executive engagement.
The findings highlight a tension between confidence and capability. While midmarket leaders express high confidence in their security posture, operational challenges—such as alert fatigue, tool sprawl, and slow response times—paint a more nuanced picture. The disparity between C-level confidence (65% very confident) and middle managers (36%) underscores potential blind spots. Investment priorities reflect this tension: 49% prioritize AI and automation, while only 17% focus on increasing headcount. Sector-specific differences, such as healthcare’s high CSPM adoption (68%) versus retail’s low CTEM usage (27%) despite visibility concerns, further complicate the landscape. The lack of board-level cyber risk discussions (9%) suggests a broader governance gap, particularly in the US (6%) compared to the UK (14%). Overall, midmarket security teams appear caught between enterprise-scale threats and resource constraints, struggling to align tools, processes, and leadership attention with evolving risks.

The strongest version of this narrative highlights a critical inflection point for midmarket cybersecurity: organizations are growing rapidly but struggling to scale security operations effectively. The data underscores a paradox—high confidence in threat remediation (94%) alongside operational fragilities like manual asset tracking (18%) and slow zero-day response times (51% taking a week). This tension suggests a potential overreliance on perceived preparedness rather than measurable resilience. The disparity between C-level confidence (65%) and middle managers (36%) is particularly telling, hinting at a possible "confidence bubble" where leadership may underestimate frontline challenges. The heavy focus on AI and automation (49%) over headcount (17%) reflects a broader industry trend, but the persistence of tool fragmentation (44%) and visibility gaps (28%) raises questions about whether technology alone can bridge the gap.
Patterns detected: **ARC-0024 Ambiguity** (the disconnect between confidence metrics and operational realities), **ARC-0043 Motte-and-Bailey** (broad claims of confidence paired with narrow, qualified operational data).
The root cause appears to be a structural mismatch: midmarket firms face enterprise-level threats but lack enterprise-level resources or governance. The low board engagement (9%) is especially concerning, as cyber risk remains siloed in IT rather than treated as a strategic business issue. This echoes historical patterns where mid-tier organizations are "too big to ignore, too small to prioritize," leaving them vulnerable to both opportunistic and targeted attacks. The sectoral variations—healthcare’s high CSPM adoption (68%) versus retail’s low CTEM usage (27%)—suggest that regulatory pressures (e.g., HIPAA) may drive security investments more than intrinsic risk awareness.
Implications for human agency are significant. Security teams are stretched thin, with 42% reporting overwhelm, yet the response leans toward technological fixes rather than systemic solutions like headcount or governance reforms. The cost of this gap falls disproportionately on middle managers and practitioners, who bear the operational burden without commensurate decision-making power. Second-order consequences could include higher burnout rates, increased breach risks, and a widening gap between perceived and actual security postures.
Bridge questions: If confidence in threat remediation is high but operational metrics lag, what would it take to align these perceptions with reality? How might midmarket firms rethink governance to elevate cyber risk discussions beyond IT leadership? What role could sector-specific collaborations play in addressing shared challenges like tool fragmentation?
Counterstrike scan: A coordinated influence campaign might exploit the confidence gap to push narratives of either complacency ("midmarket firms are secure enough") or panic ("midmarket firms are hopelessly vulnerable"). The actual content does not align with this pattern, as it presents a nuanced, data-driven view of challenges without overstating or understating risks. The focus on operational realities over sensationalism suggests a healthy, evidence-based approach.