Security is infrastructure. Fund it like infrastructure.


Donny Chong
Nexusguard

Rethinking the economics of cybersecurity
As 2026 ramps up, I find myself thinking less about technology trends and more about economics. Over the past few years, we have debated architecture, AI, automation and every new acronym that promises better defence. Yet beneath those discussions sits a more uncomfortable question that rarely gets addressed directly: if cybersecurity is truly foundational, why is it still structured and funded like a controlled cost item rather than core infrastructure?
This question surfaces most clearly in conversations with communications service providers. Connectivity remains the centre of gravity for most CSPs. It drives valuation, market share and board-level attention. Managed security services are important and increasingly expected, but they are seldom treated as the structural backbone of the organisation. That distinction matters because it shapes decisions long before any incident occurs.
When connectivity economics shape security outcomes
Connectivity operates in a commoditised market. Customers compare pricing closely, margins are tightly managed, and competitive pressure is constant. When security is bundled alongside connectivity, it inevitably inherits those commercial constraints. It must remain competitive, it must not materially increase cost, and it must not complicate sales cycles. At the same time, the expectations placed on network-level protection are uncompromising. Enterprises assume clean traffic, regulators assume continuity and end users assume availability. None of these expectations is calibrated to the economics of a margin-sensitive product.
The contradiction becomes clearer when you examine how security is implemented in practice. In more than one situation, I have seen a baseline mitigation tier introduced as the default configuration because it aligns with procurement realities and commercial constraints. More robust resilience, which requires additional infrastructure and operational depth, becomes an upgrade discussion. That discussion typically gains urgency only after a visible incident shifts the perception of risk. This pattern is not the result of negligence; it reflects how incentives operate within organisations.
However, this dynamic does not originate solely within CSP boardrooms. Buyer behaviour plays an equally significant role. Enterprise customers negotiate aggressively on connectivity pricing and expect bundled security features as part of the package. Offerings are evaluated side by side, frequently reduced to line items and cost comparisons. In doing so, customers reinforce the very commoditisation that limits how security can be structured and funded.
Security budgets within enterprises also tend to follow perceived risk rather than structural exposure. When disruption is recent, investment expands, and resilience is prioritised. When systems appear stable, optimisation resumes and cost discipline returns. Organisations often want infrastructure-grade protection, but they hesitate to fund it proactively. As a result, both providers and customers are incentivised to minimise cost until risk becomes visible.
The reactive cycle of perceived risk
Across the ecosystem, security investment follows a reactive cycle. Providers optimise their offerings to remain commercially viable. Customers optimise spending to control budgets. Adjustments occur primarily after incidents force a reassessment of exposure.
Network-level DDoS mitigation illustrates this dynamic clearly. It is widely assumed to be part of modern connectivity, yet meaningful mitigation requires scrubbing capacity, monitoring capability, engineering depth and continuous tuning. These are operational commitments that carry real cost. When such services are positioned primarily as bundled features and evaluated primarily on price, they are funded accordingly. Over time, that economic structure constrains how resilient the overall system can realistically be.
The issue, therefore, is not a lack of awareness. Most boards and enterprise buyers understand that cybersecurity is critical. The problem lies in the misalignment between the resilience that is implicitly expected and the budgets and structures that are explicitly approved.
A deliberate choice in 2026
As we move further into 2026, the question is not whether cybersecurity matters to CSPs or to their customers. That debate is largely settled. The more relevant question is whether both sides are prepared to treat it as infrastructure in practical terms.
If security is expected to carry infrastructure-level responsibility, it must be structured, funded and evaluated accordingly. That means defining baseline protection honestly, distinguishing clearly between commodity-level features and infrastructure-grade resilience, and aligning budgets with those distinctions. CSPs cannot sustainably deliver infrastructure-grade resilience at commodity margins, and customers cannot reasonably expect uncompromising protection while negotiating solely on price.
CSPs sit at the centre of digital economies, but enterprises and regulators shape the expectations placed upon them. Stability is assumed throughout the ecosystem, and that assumption is unlikely to weaken. If cybersecurity is expected to uphold that stability, it cannot remain economically structured as an accessory to connectivity or as an afterthought in procurement cycles. The tension at the centre of this issue is economic rather than technical, and providers and customers who recognise that early and adjust their models accordingly will be better positioned for what lies ahead.



