The Triggers Forcing Cybersecurity Investment: Reactive Spending & Real Threats with Matt Mulcahy
- Juan Allan
- Dec 18, 2025
Cybersecurity expert Matt Mulcahy discusses the reactive drivers of security spending, AI's double-edged sword, and practical resilience beyond compliance in this candid interview

What if the relentless growth in cybersecurity spending isn't a sign of progress, but a symptom of systemic failure? This interview digs into this provocative premise with Matt Mulcahy, Founder & CEO at Miami Cyber, and a cybersecurity leader who cuts through the hype.
He argues that true investment is rarely proactive, forced instead by breaches, regulations, and business demands. We explore the real threats, the talent crunch, and the sobering reality of how U.S. organizations are, and aren't, building resilience in 2025.
Interview with Matt Mulcahy
What is driving the rapid growth of the cybersecurity market in the United States, and which sectors are investing the most?
In reality, I see cybersecurity spending driven by three very specific triggers:
- Regulatory requirements – Organizations are being forced to formalize security programs and governance.
- Getting hacked – A breach, near miss, or peer incident immediately creates urgency and budget.
- Third-party risk management requirements – Customers, insurers, and partners now require security controls, assessments, and attestations just to do business.
Very little spend is truly proactive. Most investment happens when security becomes a business blocker, not a technical improvement.
The sectors investing most are those where regulation, downtime, or supply-chain trust directly impact revenue: financial services, healthcare, government contractors, critical infrastructure, and B2B SaaS selling into regulated or enterprise customers.
How are U.S. organizations addressing the ongoing talent shortage in cybersecurity, especially for specialized roles like incident response and cloud security?
Most organizations have accepted that they can’t hire their way out of the problem. Instead, they’re leaning on a combination of managed services, automation, and consolidation.
Common strategies include:
- Using MDR or co-managed security for 24/7 monitoring and incident response
- Upskilling existing IT staff instead of chasing scarce specialists
- Standardizing playbooks and response workflows to reduce reliance on individual experts
- Reducing tool sprawl so smaller teams can actually operate what they buy
AI and automation are being used to increase analyst efficiency, not replace human judgment, especially in high-impact response scenarios.
What emerging cyber threats are posing the greatest challenges for U.S. companies in 2025 and beyond?
The biggest shift is the industrialization of identity-based attacks. AI is making phishing, impersonation, and fraud faster, cheaper, and more convincing, and attackers are focusing on people and credentials because they’re still the weakest link.
Ransomware remains a major threat, but it’s increasingly paired with data theft and extortion, not just encryption. At the same time, SaaS environments are becoming prime targets because a single compromised identity can unlock multiple systems.
Looking ahead, more autonomous and AI-assisted attack chains mean higher volume, faster iteration, and less human effort per campaign, which raises the baseline risk for every organization.
How effective are current U.S. federal regulations, such as SEC disclosure rules and critical infrastructure directives, in improving corporate cyber resilience?
These regulations are effective at one key thing: forcing cyber risk into the boardroom. Disclosure and reporting requirements create accountability and make it harder for organizations to ignore security gaps.
That said, regulations don’t automatically equal resilience. They improve governance, documentation, and visibility, but real security still comes from fundamentals: identity controls, asset visibility, tested incident response, backups, segmentation, and recovery.
For critical infrastructure, increased incident reporting should improve national awareness and coordination over time, but resilience still depends on execution, not compliance checklists.
What barriers do small and mid-sized businesses face when adopting modern cybersecurity tools, and how can these obstacles be reduced?
SMBs struggle with cost, complexity, time, and lack of in-house expertise. They’re often sold enterprise-grade tools without the staff or processes required to operate them effectively, which leads to shelfware and alert fatigue.
The way forward is focusing on outcomes instead of products:
- Start with identity, email security, endpoint protection, and backups
- Use managed services where 24/7 coverage actually matters
- Reduce vendor sprawl and complexity
- Tie controls directly to business risk, compliance needs, and customer requirements
Security needs to fit the business, not overwhelm it.
How is AI transforming cybersecurity operations in the U.S., and what regulatory considerations are emerging around responsible AI use?
AI is already improving defensive operations by helping with alert triage, correlation, investigation summaries, and response acceleration. It’s reducing the manual workload that burns out teams.
At the same time, attackers are using AI to scale social engineering and reconnaissance, so it’s clearly an arms race.
From a regulatory and governance perspective, the direction is clear: organizations need transparency, accountability, and human oversight. That means documenting how AI is used, protecting data privacy, testing for errors or bias, keeping humans in the loop for high-impact actions, and being able to explain decisions during audits or incident reviews.


