Mid-market businesses, e.g. companies with at least $50 million revenue and between 400-6000 employees, say they don’t have the right technology solutions, leaving them stuck in what’s called the “security middle child problem," according to Intruder’s Security Middle Child Report.
Almost half of cybersecurity leaders (46%) say enterprise platforms assume more staff, budget, or complexity than they can support and 29% say SME tools no longer meet their needs. As a result of these poor fits, 42% describe their teams as either stretched, overwhelmed or consistently behind.
“Midmarket companies are being treated as the middle child when it comes to cybersecurity solutions. They are overlooked by vendors focused on Fortune 500s or SMBs, while they are just as important and just as vulnerable to attackers,” says Chris Wallis, CEO and founder of Intruder. “This is a structural problem, the majority of solutions available to midmarket security teams were never built for the position they're now in.”
Key takeaways:
· The cybersecurity vendor market is not adequately serving the midmarket, leaving teams with limited visibility into what's exposed (28%), too many tools to navigate (26%), and struggling to prioritize (24%).
· 89% report increasing budgets, and around 70% say headcount has kept pace with their digital estate. 64% feel their posture scaled appropriately with growth. 94% are confident in their ability to identify and remediate critical risks before attackers exploit them while 51% are "very confident."
· 65% of C-suite respondents are very confident in their ability to catch critical threats, but that drops sharply among those closer to the actual work: Directors at 55%, senior managers at 46%, and middle managers at 35%.
· 51% of respondents say it would take approximately a week to assess their exposure to a critical zero-day. 28% cite lack of visibility into what's exposed as a top challenge, 18% are still tracking internet-facing assets manually, and 9% are running multiple cloud environments without a unified view of security risk across them.
· 91% of respondents say their digital estate grew over the past 24 months and 38% say it grew significantly. While many teams responsible for securing that estate are growing with it, a large portion are lagging behind: only 30% of organizations grew headcount faster than their digital estate, 17% grew more slowly, and nearly 10% stayed flat. That gap has a human cost. 41% reported their teams are dealing with feelings of strain: 21% say they are stretched but coping, 11% feel overwhelmed and stuck in a reactive mode, and 9% are consistently behind and exposed.
· 36% of respondents acknowledge their security posture hasn't scaled appropriately with digital estate growth. For 14%, that gap won't close for at least another six months. However, only 17% are prioritizing headcount this year. The dominant investment priorities are AI and automation (49%) and adding new solutions (33%), suggesting security leaders are reaching for technology to compensate for people. The data suggests this isn't working: 44% describe a stack that is either outgrown or fragmented. In SaaS, that figure rises to 86%, with only 10% growing more slowly.
· No single tool breaks above 56% adoption. Cloud Security Posture Management (CSPM) leads at 55%, followed by Security Information and Event Management (SIEM) at 47%, Web Application Firewall (WAF) at 47%, Data Security Posture Management (DSPM) at 44%, and Endpoint/Extended Detection and Response (EDR/XDR) at 43%.
· 28% of respondents cite lack of visibility into what's exposed, 24% cite too many alerts with poor prioritization as a top challenge, and 26% cite navigating too many security tools.
· 22% have outgrown their tech stack and manual processes and 22% have stitched together point solutions but struggle to prioritize issues from different tools and get a unified view of cyber hygiene.
· 46% say enterprise platforms assume more staff, budget, or complexity than they can support. 29% say SME tools no longer meet their needs. Midmarket teams aren't failing to use the right tools. It’s that the right tools largely haven't existed for them.
· Only 9% discuss cyber risk at board level. 34% reach executive leadership. The majority (51%) keep it at security/IT leadership only, and 7% confine it to the security team alone.
