Midsize Company Cybersecurity Budget: Expert Strategies from InfoSec World 2025

Perry Schumacher Ridge IT Cyber CSO Security Weekly podcast on midsize company cybersecurity challenges InfoSec World 2025

The Critical Question: Can Midsize Companies Afford Enterprise-Grade Security?

Midsize company cybersecurity budgets face unprecedented pressure in 2025. Cyberattacks on small and midsize businesses have surged 16%, while the average breach costs have increased 13% from 2024—representing a significant financial impact that can threaten business viability. Meanwhile, 83% of SMBs report that AI-powered attacks have raised the threat level, and ransomware incidents have exploded by 126% year-over-year.

Yet despite 94% of business leaders acknowledging cyber threats as a serious risk, only 42% provide regular security training to employees. This awareness-execution gap is precisely what makes midsize organizations the forgotten stepchild of cybersecurity: too big to fly under attackers’ radar, too small for enterprise budgets.

In this exclusive Security Weekly interview from InfoSec World 2025, Ridge IT Cyber’s Chief Strategy Officer Perry Schumacher reveals proven strategies for maximizing security budgets, automating threat response, and securing executive buy-in—strategies that helped his team deploy secure remote access for hundreds of companies in 48-72 hours during the COVID-19 crisis.

The Midsize Company Dilemma: Enterprise Threats, SMB Budgets

Midsize companies occupy a uniquely vulnerable position. With 50-500 employees, they possess valuable data and intellectual property that attracts sophisticated threat actors. But unlike Fortune 500 enterprises, they lack dedicated security teams, specialized expertise, and the budgets to implement comprehensive defenses.

2025 threat landscape data confirms this reality:

  • 75% of system intrusion breaches now involve ransomware
  • Phishing attacks are up 57.5% since late 2024
  • 15% of employees are using AI tools without security oversight
  • Only 47% of micro-businesses (under 10 employees) have a security plan
  • 70% of SMBs rely on outside experts to guide security decisions

The solution isn’t simply “doing more with less”—it’s about working smarter through strategic tool selection, automation, and partnership models that extend your team’s capabilities.

Midsize companies are the 'forgotten stepchild' of cybersecurity. They face enterprise-level threats—ransomware, advanced persistent threats, supply chain attacks—but they're working with 3-person IT teams and budgets that force difficult trade-offs.

— Perry Schumacher, Chief Security Officer, Ridge IT Cyber Tweet

Strategy #1: Focus on Two Core Security Objectives

Before diving into tool selection or budget allocation, Perry emphasizes starting with clarity on why you’re investing in cybersecurity at all.

“Everybody has a tool, zero trust, comply-to-connect—there’s acronyms galore,” Perry notes. “But if we’re in cybersecurity, we’re after two key objectives:”

Objective 1: Business Continuity

  • Prevent ransomware attacks that shut down operations
  • Minimize downtime from cyber incidents
  • Maintain continuous business operations
  • Block threats before they disrupt revenue-generating activities

Objective 2: Data Protection

  • Secure sensitive company and customer data
  • Prevent unauthorized access to confidential information
  • Avoid costly breach recovery and regulatory fines
  • Maintain compliance with data protection requirements

Why this framework matters for budget planning: Every security tool purchase, every staffing decision, every policy implementation should support one or both of these objectives. If a solution doesn’t clearly advance business continuity or data protection, question whether it’s worth the investment.

If we can funnel every solution that we look at underneath those two primary objectives, things make a lot more sense. It's about keeping things simple because they do get complex as to how you go about doing it.

— Perry Schumacher, Chief Security Officer, Ridge IT Cyber Tweet

Strategy #2: Optimize Security Spending: Implementation vs. Operational Costs

When evaluating cybersecurity budget allocation, most midsize companies focus too heavily on upfront costs and miss the bigger picture: operational expenses over 3-5 years typically dwarf implementation fees.

“I call it ‘build the house right,'” Perry explains. “What does it cost to do an implementation? That’s all one-time fees. But after that, it’s the operational cost that really matters—that’s what hits the bottom line over the next three, four, five years.”

Real-World Budget Optimization Example

Consider two email security solutions:

  • Option A: Higher implementation cost, lower annual ongoing fees
  • Option B: Lower implementation cost, higher annual ongoing fees

While Option A costs more upfront, when calculated over a 5-year period, it may actually deliver lower total cost of ownership—and that’s before factoring in reduced staffing needs if it offers better automation.

Key Budget Planning Questions

When allocating your midsize company cybersecurity budget, ask:

  1. What’s the total cost of ownership over 3-5 years?
    • Implementation + annual costs + staffing requirements
  2. How much manual work does this tool require?
    • Time = money for small IT teams
  3. What integrations reduce operational complexity?
    • Tools that talk to each other reduce staffing needs
  4. Can we achieve 80% of the “best” solution’s outcomes at 50% of the cost?
    • Strategic compromise

2025 benchmark data: Preventive cybersecurity measures offer a significant return on investment compared to the cost of recovering from an average breach—industry studies show ROI ratios exceeding 10:1 for proactive security investments.

Strategy #3: Leverage Automation to Extend Small IT Teams

When managing security for midsize companies with 3-10 person IT teams who handle both operations AND security, automation isn’t optional—it’s essential.

The automation imperative: 70% of SMBs report relying on outside experts for security guidance precisely because their internal teams lack the bandwidth to stay current on every threat, tool, and best practice.

Manual Process

  1. Threat detected in network traffic (Zscaler SASE solution)
  2. IT staff member discovers alert (15-30 minutes)
  3. Staff investigates which endpoints are affected (30-60 minutes)
  4. Staff manually isolates endpoints (CrowdStrike EDR)
  5. Staff documents incident and response
  6. Total time: 2-3 hours of reactive work

Automated Process

  1. Zscaler detects threat
  2. Zscaler API automatically triggers CrowdStrike to isolate affected endpoints
  3. Both platforms log actions automatically
  4. IT staff reviews completed actions during next check-in (15 minutes)
  5. Total time: 15 minutes of supervisory work

This automation delivers multiple benefits:

  • Faster response times (seconds instead of hours)
  • Reduced staffing costs (supervision vs. manual execution)
  • Improved security posture (consistent automated responses eliminate human error)
  • Better work-life balance (less after-hours firefighting)

2025 reality check: With phishing attacks up 57.5% and ransomware tied to 75% of breaches, speed of response directly impacts breach costs. Automated tool integration is no longer a luxury—it’s table stakes.

Strategy #4: Partner Without Losing Control

Many midsize companies consider managed security service providers (MSSPs) to augment limited internal teams. But Perry warns against partnerships that require surrendering administrative control—a common MSSP business model.

The Ridge IT Partnership Philosophy

What NOT to do: “A lot of people when they engage you, they want to be like, ‘Well, I own the environment. I’m going to take away your admin rights and I have the admin rights.’ And to me, that never made sense. As an entrepreneur myself, if you try to tell me you’re going to take control away from me and I’m going to pay you for the privilege, it’s just not going to go well.”

The better approach: Your 3-person IT team maintains administrative rights and control. Security partners function as an extension of your team, not a replacement.

This ensures:

  • Business continuity: Never dependent on a single vendor
  • Institutional knowledge: Your team maintains deep understanding of your environment
  • Control and flexibility: Make changes without vendor approval or delays
  • Cost predictability: You’re not paying extra for the “privilege” of losing control

Ideal Division of Responsibilities

Your internal IT team handles:

  • Day-to-day operations
  • ERP systems (SAP, QuickBooks, Salesforce)
  • Basic help desk support
  • Administrative control and final decision-making

Specialized MSSP partners provide:

  • Deep expertise in specific security tools (Zscaler, CrowdStrike, etc.)
  • 24/7 monitoring with qualified analysts
  • Incident response capabilities
  • Playbooks and best practices
  • Economies of scale (monitoring multiple clients reduces per-client costs)

2025 market dynamics: With 70% of SMBs relying on outside experts and only 42% providing regular employee training, the MSSP market continues to experience rapid growth globally—but success requires partnership models that respect client autonomy.

Strategy #5: Speak Executive Language to Secure Budget Approval

The most sophisticated cybersecurity budget strategy fails without executive buy-in. Perry shares his framework for translating technical security needs into business language that C-suite leaders understand.

The Two-Reason Pitch

Key message for leadership: “You have me here as a cybersecurity professional for two reasons. First, to ensure this business continues running without disruption from cyber incidents. Second, to ensure all key company data remains secure and confidential.”

This framing works because it maps security investments directly to business outcomes executives care about: revenue continuity and risk mitigation.

Budget Request Framework

When requesting cybersecurity budget approval, structure requests around these business impacts:

Business Continuity Impact:

  • “This tool prevents ransomware that would shut down operations for days/weeks”
  • “75% of system intrusions now involve ransomware—we’re one incident away from business disruption”
  • “A significant percentage of SMBs need over a week to recover from malware attacks”

Data Protection Impact:

  • “This investment protects customer data and prevents breach-related lawsuits and regulatory fines”
  • “The average breach cost far exceeds the annual investment in preventive security measures”
  • “A majority of SMBs fear a major attack could force them out of business”

Risk Quantification:

  • “Without this, we face increased risk of costly incidents based on industry data”
  • “Cyberattacks on companies our size are up 16% this year”
  • “Phishing incidents have increased 57.5%—our current email security can’t detect AI-generated attacks”

Competitive Context:

  • “Companies our size typically allocate a meaningful portion of their IT budget to cybersecurity”
  • “83% of SMBs say AI has raised the threat level—we need AI-powered defense tools”
  • “A majority of our peers now rank cybersecurity as their #1 priority, up significantly from last year”

The Executive’s Perspective

“When communicating to executives,” Perry emphasizes, “we’ve got to understand the purpose. Business continuity—the reason that you have me here is to make sure that this business continues to run. And the second reason is to make sure that all the key data of this company remains secure. Using that as your tool internally to justify why you need things—I think an executive has a little further understanding of that.”

Real-World Application: COVID-19 Rapid Response Case Study

When COVID-19 forced the rapid shift to remote work in March 2020, midsize companies discovered that free VPN solutions couldn’t scale across their entire workforce. Perry shares Ridge IT Cyber’s response to hundreds of panicked Friday afternoon calls.

The Challenge

Friday, March 2020: “We can’t go to the office Monday, our employees need remote access, and our free VPN isn’t working. Can you help?”

The additional complexity: Hardware lead times from China measured in months (if available at all), making traditional VPN appliances impossible to deploy quickly.

The SASE Solution

Ridge IT deployed SASE (Secure Access Service Edge) solutions that enabled:

  1. Rapid deployment: Sign contract Friday, operational Monday (48-72 hours)
  2. Zero hardware dependency: Cloud-based solutions bypassed supply chain delays
  3. Scalable architecture: Support 10 or 1,000 remote workers without infrastructure changes
  4. Location independence: Secure access from home, coffee shops, or anywhere with internet
  5. Affordable pricing: Subscription models fit midsize business budgets better than capital expenditures

The results: “We helped hundreds of organizations transition to secure remote work within days. We were able to turn people around where they’re calling on Friday going, ‘I don’t know how we’re going to continue running the business. Do you guys have anything?’ And go, ‘Sure, here it is. It’s affordable. If you sign this today, by Monday, you’re running again.'”

Why This Case Study Matters in 2025

The COVID response demonstrates that midsize company cybersecurity doesn’t require massive budgets—it requires:

  • Strategic thinking (SASE was the right solution for the specific problem)
  • The right partnerships (deep vendor expertise enabled 48-hour deployments)
  • Proven solutions deployed effectively (zero trust architecture Ridge IT built pre-COVID)

2025 application: As AI-powered attacks increase 126% and phishing surges 57.5%, the need for rapid deployment of modern security tools has never been higher. The same SASE and zero trust technologies that enabled remote work now provide the foundation for defending against today’s threats.

Zero Trust Architecture: The Foundation of Midsize Company Security

Before “zero trust” became a marketing buzzword saturating every vendor pitch deck, Ridge IT Cyber was building zero trust architectures for midsize clients. That pre-COVID preparation proved invaluable when the pandemic hit.

What Is Zero Trust? (Plain English)

Traditional security operated on a “castle and moat” model: hard perimeter, soft interior. Once someone breached the firewall, they had broad access to internal resources.

Zero trust flips this: Never trust, always verify—even inside your network perimeter. Every access request requires authentication and authorization regardless of location.

Key Zero Trust Principles for Midsize Companies

  1. Least Privilege Access: Users get minimum access needed for their role, nothing more
  2. Continuous Verification: Authentication doesn’t stop at login—verify throughout the session
  3. Microsegmentation: Divide network into small zones to limit lateral movement
  4. Assume Breach: Design security assuming attackers are already inside your network

Why Zero Trust Matters More in 2025

With 15% of employees using AI tools without security oversight and cloud adoption continuing to accelerate, the traditional network perimeter has dissolved. Zero trust provides the framework for securing distributed workforces, cloud applications, and BYOD environments—exactly what midsize companies need.

We developed a zero trust architecture pre-COVID, During COVID we got to test how good it actually was, because during COVID everybody got budget, everybody wanted to move to least privilege access, zero trust, comply-to-connect—much of the same concepts under different banners. And we've seen our solution work over and over again. We're deploying it to the government.

— Perry Schumacher, Chief Security Officer, Ridge IT Cyber Tweet

Key Takeaways: Your Midsize Company Cybersecurity Budget Action Plan

Priority 1: Clarify Your Core Objectives

Filter every security decision through two lenses:

  1. Does this advance business continuity? (prevent ransomware, minimize downtime)
  2. Does this advance data protection? (secure sensitive information)

Priority 2: Think Total Cost of Ownership

Stop evaluating tools based solely on implementation costs. Calculate:

  • Initial setup fees
  • Annual subscription/licensing costs (multiply by 3-5 years)
  • Staffing requirements (manual work = hidden costs)
  • Integration opportunities (automated workflows reduce operational costs)

Benchmark: Preventive security measures deliver significant ROI compared to average breach recovery costs—industry studies consistently show ratios exceeding 10:1.

Priority 3: Automate Everything Possible

Prioritize security tools with strong integration capabilities:

  • SASE + EDR integration (e.g., Zscaler + CrowdStrike)
  • SIEM + SOAR for automated threat response
  • Cloud security + identity management
  • Email security + user awareness training platforms

Result: Your 3-10 person IT team shifts from reactive firefighting to proactive supervision.

Priority 4: Partner Strategically

Find MSSPs who:

  • Let you maintain administrative control
  • Function as an extension of your team (not a replacement)
  • Provide deep expertise in specific tools
  • Offer 24/7 monitoring and incident response
  • Use economies of scale to provide enterprise-grade service at midsize pricing

Benchmark: 70% of SMBs rely on outside experts—don’t try to do everything in-house.

Priority 5: Frame Security as Business Risk Management

When requesting budget approval, connect investments to:

  • Revenue protection: Ransomware shuts down operations (75% of breaches)
  • Cost avoidance: Average breach costs far exceed annual preventive security investments
  • Regulatory compliance: Fines for data breaches can exceed breach remediation costs
  • Competitive necessity: A majority of peers now rank security as their #1 priority

Executive pitch: “I’m here to ensure this business continues running without disruption, and to ensure all company data remains secure.”

Stop Overspending on Security

Get a personalized assessment of your cybersecurity budget and uncover savings through automation and smart tool integration.
Click Here

About Perry Schumacher

Perry Schumacher is the Chief Strategy Officer at Ridge IT Cyber, bringing an unconventional background that spans aeronautics, international work in the Amazon and Africa, and philosophy. His unique trajectory has shaped his approach to cybersecurity: remain a perpetual student, avoid sacred cows, and adapt strategies based on context rather than rigid frameworks.

Perry specializes in creating Zero Trust architectures for midsize organizations, helping security teams with limited resources achieve enterprise-grade protection. His philosophy centers on simplification—cutting through industry buzzwords to focus on the fundamentals: keeping businesses running and protecting critical data.

Ridge IT Cyber Track Record

  • Three-time Inc 5000 “America’s Fastest Growing Private Companies” honoree
  • MSSP protecting 500,000+ users globally across multiple countries
  • Diamond Sponsor at InfoSec World 2025 (third consecutive year)
  • Helped hundreds of companies deploy secure remote access in 48-72 hours during COVID-19
  • Specializes in zero trust, SASE, CMMC compliance, and managed detection and response

About Security Weekly

Security Weekly provides cybersecurity professionals with actionable insights through podcasts, interviews, and technical content. They cut through the noise to deliver practical strategies you can implement immediately.

close menu icon

Trusted by organizations worldwide. Let's see what we can do for yours.

Let's have a chat

Cloud-first protection in one slim bill.

Rapid response times, with around the clock IT support, from Inc. Magazine’s #1 MSSP.