Cybersecurity Investment: No Clear Priorities, Overconfidence
Global leaders continue to view cyber insecurity as a leading global risk, according to the latest report from the World Economic Forum. However, threats related to artificial intelligence are still not perceived as short-term risks, when in fact they are already an immediate challenge. Today, the use of this technology is increasing the complexity and reach of cyber incidents in a matter of minutes, while many organizations still hesitate over whether they should strengthen their security investments or whether their current protection will be enough to keep business operations running for another year.
This perception is particularly risky considering that, according to Kaspersky researchers, one of the main trends for this year is that artificial intelligence will consolidate as a cross-cutting engine throughout the entire cyberattack chain. AI already makes it possible to automate tasks that previously required high levels of expertise; the result is an environment in which attacks are faster, more scalable, and much harder to trace, and are increasingly targeted at specific organizations.
The idea that these scenarios are far away — or even irrelevant — also shows up in business leadership. Many companies overestimate their true level of protection, even though the data shows that their cybersecurity maturity is limited given today’s threat landscape, while at the same time their own employees leak confidential data to open AI platforms in search of shortcuts or quick solutions that help them complete their tasks.
This is confirmed by a recent Kaspersky survey conducted among 300 cybersecurity leaders in Latin America. In Mexico, 98% of respondents say that their company’s data and systems are well protected. However, a significant portion of organizations remain vulnerable due to two key factors.
The first is related to a lack of adequate protection. At least one-third of Mexican companies do not use basic security tools such as antivirus software, which today should be understood as just one layer within a much more robust and comprehensive protection framework. This framework must be complemented with advanced technologies, such as threat intelligence services that help anticipate attacks, as well as detection and response solutions. Despite this, fewer than half of organizations in the country have these capabilities, which seriously limits their ability to identify an attack in time and respond before it happens.
The second factor is investment allocation that does not reflect real risk priorities. Deciding where to invest to strengthen cybersecurity is one of the biggest challenges for 45% of the country’s business leaders, while 15% admit they do not have a clear strategy in this area. Some organizations do not conduct risk assessments regularly or run incident simulations to measure their response capacity. In many cases, procedures exist only informally or are not documented, so they are neither tested nor adjusted based on real-world scenarios.
Both factors reveal a deeper problem. On the one hand, companies have an excess of confidence in their level of protection that does not match their actual preparedness. On the other hand, these factors confirm that the challenge is not always a lack of budget, but rather the absence of a roadmap that enables organizations to prioritize risks and guide investment decisions.
When a company believes it is more protected than it really is, it becomes harder to identify priorities and justify investments. Unaddressed vulnerabilities accumulate, response times increase, and resilience — understood as the ability to withstand, adapt, and recover from an incident — does not develop. In a context where threats are already immediate, companies are forced to rethink controls, internal policies, and security strategies. Competitive advantage will no longer be only about detecting threats, but about building resilient business models capable of maintaining operations even in adverse scenarios.
Where to Start?
To reduce the gap between the confidence companies have in their protection and their real ability to respond to an incident, they must establish and regularly test procedures, conduct attack simulations, define minimum security levels according to the type of operation, and evaluate the adoption of new technologies from a cost-benefit perspective.
Before investing in new solutions, it is essential to assess the organization’s digital maturity through a structured diagnosis of its current cybersecurity posture or a risk analysis based on the real impact an incident could have on operations. This exercise makes it possible to identify critical areas that require immediate attention, justify investments with clear arguments, and define measurable benefits.
It is also important to remember that technology alone covers, on average, only 30% of known threats. Cybersecurity does not depend solely on tools, but also on trained and aware teams, as well as clear policies that enable prevention, detection, response, and rapid recovery from an incident. That is why an effective cyber defense is built on a three-legged stool that integrates technology, people, and processes. When one of these pillars is neglected, corporate protection becomes reactive, fragile, and costly.
Today, cybersecurity must be understood as a business enabler and an essential component of continuity. Promoting a security culture across all areas, defining timelines, establishing performance indicators, and measuring progress are all part of responsible risk management. A solid cybersecurity strategy is not bought off the shelf; it is built through planning, continuous training, and effective integration between technology and governance. Only then will companies be able to stop investing blindly and start protecting themselves with a clear view of their real risks.










