Security Is Not a Purchase. It's a Position.

The U.S. leads the world in security spending intent. It also leads in exposure. That's not a paradox — it's the predictable result of treating an arms race like a line item.

shashi.co · May 2026

Every CISO has heard the question from the board: "Why do we need to spend more? We just spent."

It's the wrong question, but it reveals the right problem. Business still treats security like a capital expenditure — something you buy, deploy, and amortize. A thing with a completion date. A project that ends.

Threats don't work that way. They compound. They adapt. They move at a speed that has nothing to do with your fiscal year, your procurement cycle, or your board meeting cadence. Last quarter's investment protects against last quarter's threat landscape. By the time the PO clears, the attack surface has already shifted.

This isn't a failure of budget. It's a failure of mental model.

The Data Confirms the Pattern

Zoho's State of Workforce Password Security 2026 report — 3,322 respondents across nine regions — puts numbers to what security practitioners already feel:

  • 75% of U.S. organizations plan to increase security spending in 2026. Highest intent of any developed market.
  • 34% experienced a confirmed cyberattack in the past year. Two points above the global average.
  • 76% lack complete identity visibility across their workforce.
  • 91% believe AI will strengthen their security posture. Only 9% are ready to deploy it.

Read those together. Three out of four companies plan to spend more. One in three got hit anyway. Three out of four can't see their own attack surface. Nine out of ten believe AI will save them. Fewer than one in ten are ready.

This is what it looks like when business applies procurement logic to a security problem. The checks get written. The threats don't wait for them to clear.

Threats Don't Respect Budget Cycles

The average U.S. employee now logs into 15+ business applications daily — the highest rate among developed markets. Each application is an identity. Each identity is a credential. Each credential is a door.

Business adds applications at the speed of operational demand. It secures them at the speed of budget approval. That delta is where attackers live.

And it compounds. Every new SaaS tool, every new integration, every new contractor with access creates surface area that last year's security purchase was never designed to cover. The organization that "just spent" on security isn't protected — it's protected against a snapshot of threats that no longer exists.

This is why the question "why are we spending more?" misses the point entirely. You're not spending more to buy the same thing again. You're spending to keep pace with a threat environment that moved while you were deploying the last thing you bought.

The Architecture Problem Under the Budget Problem

The Zoho data surfaces something critical: legacy infrastructure (52%) and migration complexity (48%) outrank cost (41%) as barriers to deploying AI-powered security.

Money is the third constraint. Architecture is first.

This is the compounding effect made structural. Years of buying point solutions, each one rational in isolation, create a stack that can't see across itself. Identity lives in one system. Access in another. Applications in a third. No single layer has enough context to detect anomalies, because no single layer can see the whole picture.

You can't bolt intelligence onto incoherence. AI needs context. Context requires architectural continuity. And architectural continuity requires a decision most organizations haven't made: to stop buying security as discrete products and start building it as a continuous capability on a unified foundation.

The Real Divide Ahead

The next 12-36 months will separate two cohorts:

Cohort A

Treats security as posture. Consolidates identity, access, and applications onto a shared foundation. Fixes visibility first. When AI security tools mature, they have the substrate to deploy them. They accelerate.

Cohort B

Treats security as procurement. Buys the next tool, adds it to the stack, creates a new integration surface. When AI arrives, they bolt it on and discover it reproduces their blind spots at machine speed.

The gap between these cohorts won't close with budget. It will close with a different understanding of what security actually is: not something you purchase, but a position you maintain. Continuously. At the speed of the threat, not the speed of the business.

The Question to Stop Asking

"Why do we need to spend more when we just spent?"

Replace it with: "Can our architecture adapt at the speed our threat environment moves?"

If the answer is no, more money won't fix it. A different foundation will.

Source: Zoho, State of Workforce Password Security 2026. 3,322 respondents, nine regions, six industries.

Disclaimer: This blog reflects my personal views only. Content does not represent the views of my employer, Info-Tech Research Group. AI tools may have been used for brevity, structure, or research support. Please independently verify any information before relying on it.