Team8's CISO Village draws its respondents from Google, Oracle, Barclays, the NSA, Checkpoint, and Wiz. The newest revenue band in IANS and Artico Search's CISO budget study starts at $400 million. Lightspeed's current CISO survey screens for a $500 million minimum in annual revenue before a respondent even qualifies. These are three of the most-cited CISO surveys shaping vendor roadmaps and VC theses in 2026, and by their own published methodology, none of them can see a company below roughly nine figures of revenue.
Now look at where the money actually moves. Canalys puts 91 percent of security spend running through channel partners rather than direct vendor relationships. The fastest-growing revenue line at nearly 1,000 MSPs surveyed by Kaseya is security itself. The buyers driving that growth are small and mid-sized companies purchasing through an MSP or MSSP, not a CISO filling out a survey panel.
So the surveys and the spending have stopped looking at the same market. That is the whole of it. This is not a story about anyone lying. Every one of these surveys is doing exactly what its methodology says it does, sampling the security leaders it has access to at the company sizes it targets. The problem is a blind spot, the gap between what the marquee CISO research can see and where the growth in security spend is actually happening. And the gap gets treated as if it were not there, every time a $400 million revenue floor gets read as a picture of "the CISO," full stop.
I read this from an operator's seat, because I run growth for MSPs and cyber firms and spend my time on where the money in this market actually lands. When an entire ecosystem calibrates its roadmaps and its investment theses on the same enterprise-skewed inputs, the mispricing that creates is the interesting part. This piece walks through what the surveys actually sample, why the revenue floor matters more than it looks, and the one research firm whose own two reports prove the point better than any argument I could make.
What the surveys actually sample
Start with the methodology sections, because that is where the aperture is set and it is all published. None of this is inference.
Team8's CISO Village Survey 2025 is built on responses from over 110 security leaders gathered at Team8's CISO Village Summit, an invite-only event Team8 itself describes as "the Davos of Cybersecurity." The largest sectors in the sample are technology at 34.5 percent and financial services at 27.4 percent. It is a summit poll of CISOs who have a travel budget and a seat at an exclusive gathering, which structurally selects for large, well-resourced enterprises. There is no SMB band, no mid-market band, no managed-service channel anywhere in the available methodology.
IANS Research and Artico Search's Security Budget Benchmark, now in its sixth annual edition, fielded 587 CISOs between April and August 2025. When IANS breaks its own respondents into revenue bands, the bands are "$400 million to $5 billion," "$1.1 billion to $10 billion," and "$10 billion plus." There is nothing below $400 million in the published breakdown.
Lightspeed's CISO survey, the one behind the Cyber 60 series, has actually tightened its frame between editions. The 2024 edition polled 214 members of Lightspeed's own CxO advisory network, a self-selected pool of C-suite executives who advise the firm. The current 2025-26 edition was fielded by Wakefield Research across 200 US CISOs at companies with a minimum of $500 million in annual revenue, with a proper margin of error disclosed. That revenue floor is a stated screening criterion, not an accident of who responded.
NightDragon's CISO-facing survey line runs off its Advisor Council, which it describes as 100 leading CISOs and cyber experts drawn from "Fortune 500 and other large enterprise organizations." The 2025 edition calls its population "some of the nation's most prestigious and influential firms." Same shape as the others: a standing panel of enterprise security leaders.
| Survey | Reported sample | Stated floor or frame | Who is in the room |
|---|---|---|---|
| Team8 CISO Village 2025 | Over 110 security leaders | Invite-only summit, no size band published | Google, Oracle, Barclays, NSA, Checkpoint, Wiz |
| IANS / Artico Budget Benchmark 2025 | 587 CISOs | Revenue bands start at $400M | Midsize to very large enterprise |
| Lightspeed Cyber 60 2025-26 | 200 US CISOs | $500M minimum annual revenue, screened | Companies above half a billion in revenue |
| NightDragon Advisor Council | 100 CISOs and cyber leaders | Fortune 500 and large enterprise | "Nation's most prestigious and influential firms" |
Read the table as a group and the pattern is not subtle. Four different survey designs, four different sponsors, one shared population: the security leader at a company large enough to employ a CISO with a real budget. That is a legitimate population to study. It is just not the whole market, and the trouble starts when it gets quoted as though it were.
The revenue floor is where the argument lives
The sharpest evidence that the floor matters does not come from me. It comes from IANS's own analysts, reading their own data.
Analyzing its respondent set, IANS reports that "68% of CISOs rely on one or more MSSPs to manage parts of their security operations, with adoption being highest in organizations with $1.1 billion to $10 billion in revenue." Then comes the sentence that makes the entire case: "smaller companies don't always have the budget for MSSPs, while very large enterprises often have larger security teams and tend to keep capabilities in-house."
Sit with what that says. MSSP adoption peaks in the $1.1 billion to $10 billion band and falls off below $400 million. Not because smaller companies buy less security. Because they cannot afford the category of vendor, a dedicated MSSP contract, that a company needs a CISO's budget to negotiate in the first place. Below that revenue line, the buying does not stop. It moves to MSPs, a different channel entirely, one that bundles security into a broader managed-IT relationship and sells to an owner or an IT manager rather than a CISO.
That is the mechanism. The revenue floor is not just a demographic detail. It is the exact line below which the buyer stops being a CISO and starts being an MSP client, which means a survey built to interview CISOs is structurally incapable of seeing the buyer on the other side of it. The instrument and the growth segment are separated by design. IANS names the line in its own analysis. The surveys just sit above it.
One firm, two lenses
The single best piece of evidence here is not a contrast between two firms. It is a contrast inside one firm, NightDragon, and it is cleaner than anything I could have constructed.
NightDragon's CISO-facing survey, the Advisor Council report on cyber leaders' spending priorities, runs to 17 pages in the edition I could fully read. A full-text search of it for "MSP," "MSSP," and "managed service" returns zero matches. Not a light-touch mention, not a footnote. A complete report on where CISOs are putting their security budgets that never once names the managed-service channel. Given who is in the room, Fortune 500 security leaders, that is not an omission. It is an accurate reflection of how those particular buyers think. MSPs genuinely are not part of their world.
Now take the same firm's separate SMB Market Report. This is a different publication, a market analysis rather than a CISO survey, and it carries an entire dedicated section titled "Rise of Managed Service Providers," with a second page continuing the same theme. Inside it: "The SMB segment is the fastest growing in the managed security services market," with SMBs forecast to spend $29.8 billion on managed security services heading into 2025 as 82 percent of SMB leaders report increasing budgets. And this: roughly 70 percent of US small and medium enterprises plan to fully or partially outsource security to an MSSP or MSP by 2025, a figure the report expects to approach 90 percent within a decade. NightDragon's own definition of SMB in that report is a company under $50 million in annual revenue, an order of magnitude below the floors in its CISO survey.
So this is not NightDragon contradicting itself. It is the blind spot rendered in miniature, inside a single research house. When NightDragon talks to CISOs, MSPs never come up. When NightDragon studies where SMB security spend actually flows, MSPs are the whole story. Same firm, two reports, two completely different market pictures, and the only variable that changed was who was in the room. If you want proof that the sampling frame is doing the work, this is it. To be exact about the evidence: the zero-mentions finding is fully verified for the 2023-24 edition of the CISO report, which is the one with an extractable text layer. That is judgment I can stand behind on the specific edition I read, not a blanket claim about every report the firm has ever published.
Where the spend actually goes
If the CISO surveys sit above the line, the counter-sample sits below it, and it is measured with the same rigor. This is the part that turns a methodology quibble into a market argument.
On channel share, Infosecurity Magazine, citing Canalys, reports that security spending via the channel accounted for 91 percent of total spend as of Q2 2024, with managed security services revenue specifically forecast to grow 15 percent annually in 2025. Nine in ten security dollars are moving through partners, and the managed-services slice of that is the fast-growing part.
On the MSP side of that channel, Kaseya's 2025 Global MSP Benchmark Report, covering nearly 1,000 MSPs, found that "67% of all respondents said security is one of their five fastest-growing revenue categories," with cybersecurity described as the leading revenue driver among high-performing MSPs. The people actually selling to the sub-enterprise buyer are telling you security is where their growth is.
And on the buyer directly, GTIA's 2025 SMB Technology and Buying Trends report surveyed 720 owners and technology decision-makers at SMB companies with fewer than 250 employees across North America. Its findings: 61 percent outsource IT services regularly or occasionally, primarily for general IT and cybersecurity, and roughly half of all SMBs use an MSP to manage some part of their environment, rising to 62 percent of medium-sized firms. GTIA is the cleanest direct counter-sample to Team8, IANS, and Lightspeed: same published N, same defined bands, same defined geography, completely disjoint population.
| Source | What it measures | Population | Headline finding |
|---|---|---|---|
| Canalys (via Infosecurity) | Channel share of security spend | Whole market | 91% of security spend runs through the channel (Q2 2024) |
| Kaseya 2025 MSP Benchmark | MSP revenue mix | Nearly 1,000 MSPs | 67% name security a top-five fastest-growing revenue line |
| GTIA 2025 SMB Trends | SMB IT buying behavior | 720 firms under 250 employees | About half already use an MSP, 62% of medium firms |
Put the two tables side by side and the picture is complete. The most-quoted research samples the segment where security is bought direct from a CISO's budget. The segment where the spend is growing fastest buys through a channel those surveys were never built to observe. The same dynamic sits under why SMB IT spend is overtaking enterprise, and it is the part of the cybersecurity market map that the headline numbers keep skipping.
Not a sampling failure, a citation failure
Here is the fair objection: maybe nobody studies the sub-enterprise buyer with a proper CISO survey, so the gap is just a hard research problem. That objection is wrong, and it is worth being precise about why.
Sub-enterprise CISO surveys do get run. A Cynet-sponsored study, covered by Cybersecurity Dive, polled 200 CISOs at companies with 500 to 10,000 employees, specifically screened for security teams of five people or fewer, and found that 70 percent of the smallest teams run a budget under $1 million. The methodology exists. The population is reachable. Someone did the work. It just is not the survey that ends up in a vendor roadmap deck or a VC pitch.
So the failure is not that nobody looks. It is that the studies which do look are not the ones setting the agenda. The enterprise-skewed surveys become the citation of record, they get quoted into vendor strategy and investment memos, and the sub-enterprise research sits in the footnotes. This is a citation problem more than a sampling problem, and it compounds as the same numbers get passed around.
You can watch that laundering happen. Sapphire Ventures publishes cybersecurity commentary that gets cited as if it were CISO research, but its "State of Cybersecurity" work draws on Gartner's CIO Agenda study and PitchBook deal data rather than any primary survey of its own. That is not a knock on Sapphire, it is a good example of the mechanism: by the time a "CISO survey says" claim reaches you, it can be one or two layers removed from any actual respondent, and every layer inherits the original enterprise skew without re-examining it. The whole ecosystem ends up passing around the same nine-figure-revenue inputs and calling it the state of the market. It is also why where these citations circulate matters as much as where they originate.
What to do with this if you build or fund security
The practical read depends on which seat you are in, but it comes down to one correction.
If you are a vendor
Treat the marquee CISO surveys as a read on the enterprise segment specifically, not "the market." If the buying journey you are building for runs through an MSP or MSSP relationship rather than a direct CISO relationship, those surveys are describing a population you are not actually selling into. The product priorities of a Fortune 500 CISO with a large in-house team and the product priorities of an MSP packaging security for a 40-person client are not the same priorities, and calibrating your roadmap on the former while selling to the latter is a quiet, expensive mistake. Read the channel research alongside the CISO research, or you are optimizing for the wrong buyer.
If you are an investor
A thesis built on enterprise CISO surveys will systematically misjudge the size and shape of the sub-enterprise opportunity, because the input data cannot see it. That cuts both ways. It can make the SMB and mid-market security opportunity look smaller than it is, and it can make you underweight the channel, the MSPs and MSSPs, as the actual distribution layer for security into most of the economy. This is a live consideration in why VCs have been slow to fund the MSP-to-MSSP transition, and it is worth checking against the most active cybersecurity VCs to see whose theses are calibrated on which sample. This is my operator read rather than a published finding, but I would want to know the sampling frame behind any market-size number before I underwrote against it.
The one-line correction
Whenever you see "CISO survey says," ask one question before you act on it: what was the revenue floor. If the answer is $400 million or $500 million, you are reading the enterprise segment, and you should not let it stand in for the market that is actually growing fastest. The number is not wrong. It is just answering a narrower question than the one most people are asking of it.
Frequently asked questions
It is stated in their own methodology sections, not an assumption. Lightspeed's current CISO survey screens for a $500 million minimum in annual revenue. IANS and Artico Search's published revenue bands start at $400 million. Team8's CISO Village is an invite-only summit at large, well-resourced enterprises. NightDragon's Advisor Council is explicitly built from Fortune 500 and other large enterprise organizations. The floors are published screening criteria, not accidents of who happened to respond.
Because IANS's own analysis of its own respondents found MSSP adoption, 68 percent overall, peaks in the $1.1 billion to $10 billion band and declines below $400 million, not from lower need but from budget. In its words, "smaller companies don't always have the budget for MSSPs." Below that line the buying channel shifts from a direct MSSP contract to an MSP relationship, which none of these surveys are built to capture.
Canalys puts channel share of total security spend at 91 percent as of Q2 2024, with managed security services revenue forecast to grow 15 percent annually in 2025. Kaseya's 2025 MSP Benchmark, covering nearly 1,000 MSPs, found 67 percent name security as one of their five fastest-growing revenue categories. Those are two independent sources pointing the same way, from the channel side rather than the vendor marketing side.
Yes. GTIA's 2025 SMB Technology and Buying Trends report surveyed 720 SMB decision-makers at companies under 250 employees across North America, with the same rigor as the enterprise CISO surveys. It found roughly half of SMBs already use an MSP, rising to 62 percent among medium-sized firms. It just is not the report that vendor roadmaps and investment memos tend to cite.
No. Each is doing exactly what its stated methodology says, surveying the CISOs it has access to at the company sizes its sampling frame targets. Every one of those surveys is accurate for its own population. The issue is downstream, when a $400 million or $500 million revenue floor gets treated as representative of "the CISO," full stop, in decisions that are actually about a much broader market.
Not a contradiction, a structural split. NightDragon's CISO-facing survey, built from its Advisor Council of Fortune-500-skewed security leaders, never mentions MSPs or MSSPs across the full 2023-24 report I reviewed. Its separate SMB Market Report devotes an entire section to the rise of MSPs, citing roughly 70 percent of SMBs planning to outsource security to an MSP or MSSP by 2025. Same firm, two different lenses, two different markets, depending only on who is in the room.
Treat the marquee CISO surveys as a read on the enterprise segment specifically, not the whole market. Before acting on any "CISO survey says" number, check the revenue floor behind it. If your buying journey runs through an MSP or MSSP rather than a direct CISO relationship, the influential surveys are describing a population you are not selling into, and pairing them with channel research like Canalys, Kaseya, and GTIA gives you a truer picture of where the spend is going.