Middle market businesses across Latin America are increasing cyber investment, building their security capability, and bringing AI governance into sharper focus.

RSM’s Latin America Cybersecurity Survey 2026 provides security leaders and decision makers with insight into where the gaps remain between cyber budget and maturity.  

The insights draw on responses from 265 experts and leaders actively engaged with cybersecurity issues. The findings show a market moving from awareness to action as accountability, cloud security, and AI reshape the agenda. All the while, bridging the gap between investment and cyber maturity remains a key challenge for mid-market companies in Latin America.

 
“The survey confirms that Latin America is heavily investing in cybersecurity. The real challenge is no longer how much to invest, but how to translate that investment into governance and risk management capabilities. In a landscape defined by the rapid adoption of cloud technology and artificial intelligence, organisations that align leadership, strategy, and execution will be the ones to transform security into a competitive advantage.”

Luis Gorgona
IT Consulting Partner, Costa Rica

Budget and investment: cyber spend is increasing, but control sits outside the security function

69% of participants expect cybersecurity budgets to increase, likely in response to cloud, AI, and third-party risk, alongside rising regulatory expectations.

Only 16% of respondents report that the CISO controls the budget, meaning decisions on spend are typically fragmented across business functions.

Cyber comprises 5% or more of IT budgets for almost half of respondents, signalling that cybersecurity has become a visible and recurring part of IT spend.

The cyber agenda is maturing, but governance remains a challenge. Cybersecurity is becoming a more established and recurring part of IT investment, driven by expanding exposure across cloud, AI, and third parties. However, increased spend does not immediately translate into stronger protection.

When budget authority sits outside the security function, cyber priorities can be shaped by operational demand, technology procurement, or compliance pressure rather than a clear view of risk. This can lead to fragmented spending, duplicated tools, underinvestment in critical controls, or capability gaps that remain unresolved.

For middle market organisations, the next step is to align funding, accountability, and risk ownership so that investment builds measurable resilience.

 

Governance and workforce: the accountability gap at the heart of cyber

With only 30% of organisations having a dedicated CISO or equivalent owning cyber strategy, most do not have a single cyber leader directing prioritisation and escalation.

27% rely on IT leadership without dedicated cyber oversight, while 13% operate through a cross-functional committee, indicating that cyber is often managed through broader operational structures.

50% of organisations have two or fewer staff dedicated to data security and privacy, leading many to rely on external specialists. 

Limited internal capacity means cyber strategy is often owned by IT leaders, cross-functional committees, or small teams expected to manage a growing risk agenda with constrained resources. While cyber may be recognised as a business priority, ownership, decision making, and execution are not always clearly aligned.

The outsourcing findings reinforce this pattern. Security Operations Center monitoring, vulnerability management, and cloud security management are the most outsourced functions, suggesting organisations are using external partners to fill structural capability gaps. That can be an effective model, but only if it is actively governed. 

As reliance on third parties grows, clear service expectations and internal accountability become essential to ensuring outsourced capability strengthens resilience rather than creating new dependencies.

Risk management: building for resilience, not just defence

Top cyber initiatives are attack surface management (39%), resilience and recovery (38%), and securing the cloud (38%), showing continuity and cloud control are high priorities.

41% of organisations use a formal risk management framework such as NIST or ISO 27001, marking progress toward a more consistent maturity baseline.

Only 22% have cyber insurance in place, suggesting that financial risk transfer remains relatively limited.

Organisations are preparing to both prevent incidents and limit disruption when they occur. Priorities such as attack surface management, recovery, and cloud control point to a more mature understanding of cyber risk as an operational resilience issue, not just a technical security challenge.

However, financial preparedness also forms a key part of resilience. The limited use of cyber insurance, combined with uneven adoption of formal risk frameworks, suggests some organisations are building response capability on an incomplete foundation.

The findings around identity security also present a clear opportunity for improvement. While centralised Identity and Access Management (IAM) with Multi-Factor Authentication (MFA) is the most common approach, many organisations still rely on password policies alone or have limited formal controls in place. Strengthening IAM, MFA, and access governance could help reduce a common source of risk and support more mature cyber resilience.

Cloud: controls must keep pace with adoption

40% of organisations report more than half of their IT environment operates in the cloud, making cloud governance central to cybersecurity.

Hybrid cybersecurity solutions that combine on premises and cloud based security are the most popular approach to cybersecurity (30%), reflecting the complexity of transitional technology environments.

Only 8% use cloud security posture management (CSPM), one of the most effective tools for identifying and addressing cloud misconfigurations.

Cloud adoption is now significant across Latin America’s middle market, making cloud security is a key part of improving cyber maturity. Many organisations are operating in transitional hybrid environments and this is mirrored in their cybersecurity solutions, while others rely on cloud-native tools or provider built-ins as their primary line of defence.

This is a practical starting point, but without clear ownership, configuration management, continuous monitoring, and visibility across environments, cloud can expand the attack surface rather than reduce it. 

Cloud security posture management provides one way for organisations to identify misconfigurations, enforce policy, and maintain control as cloud operations scale.

AI governance: from principles to practice

28% of respondents report having no AI governance practices in place, indicating that AI oversight has yet to be formalised in many organisations.

With 27% of organisations having AI principles or guidelines, a sizeable proportion are in the early stages of AI governance.

18% have conducted AI-focused risk assessments, while 16% have defined roles and responsibilities for AI governance, showing that practical oversight is on the rise but still emerging.

AI governance across Latin America’s middle market appears to be at an early stage of maturity, with many organisations still moving from awareness to structured oversight.  AI-related risk, meanwhile, is rising quickly: the World Economic Forum reports that 85% of respondents in Latin America and the Caribbean say risks linked to AI vulnerabilities have increased in the past year.

Principles and guidelines are a critical first step, but they need to be translated into ownership, risk assessment, monitoring, and escalation. As AI becomes embedded in operations, organisations will need to understand where AI is being used, how systems behave, what data they rely on, and who is accountable when outcomes create risk.

The next stage of maturity is turning AI governance from a policy statement into a repeatable operating discipline.

What comes next: turning investment into maturity

Across Latin America’s middle market, cyber investment is rising, but the structures needed to direct and govern that investment are still developing. Cloud dependence and AI adoption are making cybersecurity more urgent, as security must move in step with digital transformation and innovation.

The next stage of cyber maturity will depend on organisations aligning budget with risk ownership, strengthening accountability, and building the operating disciplines needed to sustain resilience. That includes clear cyber leadership, better-governed outsourcing, more consistent use of risk frameworks, stronger cloud posture management, and AI governance that moves from principles to active oversight.

The middle market organisations that close the gap between investment and maturity first will be better positioned to protect value and compete in a more complex digital environment.
 

Methodology

In Q1 2026, RSM surveyed 265 respondents across 18 countries in Latin America to understand how organisations are approaching cybersecurity investment, governance, resilience, cloud security, and AI oversight. Respondents hold roles in IT, cybersecurity and information security, finance, risk, audit and compliance, and executive leadership. The sample includes a mix of technical practitioners, senior leaders, governance and control professionals, and respondents from a range of industries and company sizes.

Contact us

Complete this form and an RSM representative will be in touch.