Ask a CEO of a 100-person SaaS company what their security budget is, and they'll probably tell you about their tool costs: maybe $50,000 a year for endpoint protection, a SIEM, some scanning tools. That's the number that appears in the security line item of the budget. It's not the real number.
The real number, for an organization taking security seriously at the enterprise level, is north of $800,000 per year. Most SMBs spend a fraction of that, so they get a fraction of the coverage, and they end up defended at a level that serious attackers treat as a trivial obstacle. Let's build the actual math.
Breaking Down the Real Cost
Start with people. A Chief Information Security Officer at a mid-size technology company earns between $280,000 and $380,000 all-in (base, bonus, equity, benefits). You probably need one. Under them, a security engineer or analyst earns $140,000 to $200,000. A real security function requires at least two of these - one for architecture and red team work, one for compliance and operations. That's already $560,000 to $780,000 before you've spent a dollar on tools.
Tools add to this quickly. An enterprise endpoint detection and response platform (CrowdStrike, SentinelOne) runs $15 to $30 per endpoint per year - call it $30,000 to $60,000 for a 100-person company. A SIEM (Splunk, Sumo Logic) at enterprise scale is $50,000 to $200,000 per year, depending on data volume. A vulnerability management platform is $20,000 to $80,000. Cloud security posture management adds another $20,000 to $50,000. A decent SAST tool for your CI/CD pipeline is $15,000 to $40,000. These numbers add up quickly, and the list of tool categories continues: DLP, CASB, web application firewall, secrets management, privileged access management.
Compliance costs are often the most underestimated. SOC 2 Type II audit: $30,000 to $60,000. The compliance platform to support continuous evidence collection: $15,000 to $25,000 per year. ISO 27001 certification if required by enterprise customers: $20,000 to $40,000 for initial certification, $10,000 to $20,000 annually for surveillance audits. Legal and consultant fees for privacy program management: $20,000 to $80,000 per year depending on your regulatory footprint. Annual security awareness training platform and phishing simulation: $5,000 to $20,000.
Then there's incident response readiness. A proper IR retainer with a firm that will actually show up when you call costs $30,000 to $80,000 per year. Penetration testing - which should happen at least annually for systems handling sensitive data - is $15,000 to $50,000 per engagement.
Add it up honestly. People: $600,000+. Tools: $150,000 to $300,000. Compliance: $70,000 to $160,000. IR readiness: $45,000 to $130,000. The floor for a real enterprise security program is somewhere around $865,000 per year. For a mid-size company with a few hundred employees in a regulated industry, $1.5 million is not unusual.
Why This Makes SMBs Structurally Vulnerable
A 50-person startup with $3 million in ARR cannot justify an $800,000 security budget. The math doesn't work. So they do what's rational given their constraints: they buy the cheapest endpoint protection they can find, maybe add a basic cloud firewall, and handle compliance reactively when a prospect asks about it. Total security spend: $30,000 to $50,000 a year.
Attackers understand this. SMBs are categorically under-defended relative to the data they hold. A 50-person SaaS company might have customer data from 50 enterprise accounts, payment card information, healthcare data, or financial records. The data is valuable. The defenses are weak. The economics of ransomware and data theft strongly favor targeting smaller organizations with valuable data over large organizations with mature security teams.
This isn't a failure of will on the part of small company leadership. It's a market failure - the cost structure of enterprise security was built for enterprises, and it never got redesigned for a world where small companies handle as much sensitive data as large ones.
Where Automation Changes the Unit Economics
The economics of security are beginning to shift because of automation. The expensive part of security has always been labor - the human analysts who review alerts, collect compliance evidence, run scans, triage vulnerabilities, and respond to incidents. If you can automate a significant fraction of that labor, you change what security costs.
Continuous automated scanning that previously required a security engineer can now be handled by a platform that costs $20,000 a year. Compliance evidence collection that previously occupied 30% of a security person's time can be fully automated. Alert triage that previously required a tier-1 SOC analyst can be handled by an AI agent that classifies and prioritizes alerts faster and more consistently than a human.
None of this eliminates the need for human security judgment - but it dramatically reduces the headcount required to maintain a given level of coverage. A 50-person startup with an automated security platform and one part-time security advisor can achieve coverage that previously required a three-person team. That's not a perfect substitute for a full security organization, but it's a far better option than what most SMBs have today, and it's actually within budget.
The companies that figure this out first - that build security into their operations at the right price point through automation rather than headcount - will close enterprise deals faster, navigate compliance requirements more easily, and avoid the breach that costs more than their entire security budget would have. That trade-off is becoming clearer every year.