Issue 006 | May 29, 2026 | So, What's Breaking in Mobile Security?
The Number That Reframes the Mobile Budget Conversation
Mobile breaches now average $10.22 million per incident in the United States, with healthcare and regulated industries running materially higher. The mobile attack surface just acquired a price tag the board can read, and it changes the budget conversation.
The 2025 IBM Cost of a Data Breach report puts the US average at $10.22 million, the continuation of an upward trend in incident economics. Industry survey data through 2025 places mobile-app-related breach costs in the same range. Guardsquare and Enterprise Strategy Group report an average of $6.99 million per mobile-app incident, with healthcare at $7.42 million. Breach-cost numbers carry wide confidence intervals. Mobile has moved from "we know it matters" into the cost-per-incident range that audit committees, cyber insurers, and budget owners price against directly.
Some CFOs will argue the $10.22M figure is an outlier driven by mega-breaches, which is a defensible read. The harder read: even the median mobile-app-incident figure of $6.99M sits above most mobile-program annual spend. The objection narrows the number; it does not remove the threshold crossing. The CISOs who win the next budget cycle walk in with the ratio already calculated. The ones who lose it walk in with the threat narrative.
Here is what moved this week, and the one number worth bringing to the board.
What moved this week
The mobile breach now sits in the same dollar range as ransomware and supply chain.
IBM's 2025 Cost of a Data Breach reports a US average of $10.22 million per incident. Industry survey data on mobile-app-specific breaches places average impact at $6.99 million, with healthcare at $7.42 million. The argument shifts from positional to financial: for many enterprises, the annual cost of a mature mobile program remains materially lower than the modeled impact of a major mobile-related incident.
Where I land: Mobile is no longer a rounding error inside the security budget; it is a line item with a defensible dollar figure attached. The CISO who walks into the budget meeting without that figure is the one who loses the argument to a vector the CFO can already quantify.
Source: IBM Cost of a Data Breach 2025 | Guardsquare / Enterprise Strategy Group mobile application security survey, 2025
Android's patch-distribution gap is still the exposure, and CVE-2026-21385 proves it.
CVE-2026-21385, a Qualcomm component memory-corruption flaw in Android's March 2026 bulletin, was added to CISA's KEV catalog on March 3, 2026 with indications of limited, targeted exploitation. The technical detail matters less than the structural lesson: a bug can be known, triaged, and patched in the supply chain while large numbers of devices stay exposed, because the final stage of remediation often depends on OEM and carrier update distribution cycles rather than direct enterprise control.
Where I land: The exposure window between chipmaker notice and universal device remediation is the gap the program cannot close by patching faster on its own side. Programs measuring "patch SLA" against their own controlled fleet are measuring the wrong half of the problem.
Source: CISA KEV Catalog | NVD CVE-2026-21385
Ivanti EPMM landed in KEV again; the management-plane pattern holds.
On May 7, 2026, CISA added CVE-2026-6973, an improper input validation flaw in Ivanti Endpoint Manager Mobile (CVSS 7.1), to the KEV catalog with a compressed federal remediation deadline. It is the second EPMM entry this digest has tracked in a single quarter.
Where I land: When one management-plane product accounts for repeat KEV additions, the program's exposure is no longer only "we have a management plane with CVEs." It is also concentration risk: a dependence on a single vendor whose CVE cadence the program does not control. That is a procurement-class question, not a patch-cycle one.
Source: CISA KEV alert, May 7 2026
Cyber insurance underwriters are pricing mobile posture into renewal quotes.
Renewal cycles through Q1 and Q2 2026 increasingly include mobile-specific posture questions inside the underwriting questionnaire: mobile device management coverage, BYOD policy, mobile threat defense deployment, and incident response coverage for mobile-originated compromise. Carriers that price cyber risk for a living have moved mobile from "general endpoint" into a discrete underwriting line.
Where I land: The underwriter's questionnaire is now an external audit of mobile posture, with a financial consequence (premium, sub-limit, exclusion) attached to the answer. Programs that cannot document mobile posture to the underwriter's standard are paying the gap in premium, whether they see it on the invoice or not.
Source: cyber insurance market commentary, 2026 renewal cycle (carrier and broker reporting)
What it means for your program
Put the dollar figure next to your own program budget and look at the proportion.
The framework MSG has built measures mobile-attack-surface posture across device, identity, carrier, and management layers. What the breach-economics data adds is a way to price the gap. The math that has always been intuitive to the practitioner becomes expressible in the language the board, the auditor, and the insurer already use.
This is not a claim that every program should spend more. It is a claim that the program should walk into the budget meeting with the ratio already calculated, before someone else asks for it.
The budget-ratio calculator and full methodology are in the 2026 Mobile Risk Report.
Where I land
I spent two decades watching mobile security lose the budget argument to vectors the board could quantify in dollars: ransomware, supply chain, identity. Mobile was always referenced, and it always lost, because "it matters" is not a number.
The breach-economics data closes that gap. $10.22 million is in the same room as the threats that win funding. The practitioner who has been saying "we are under-resourced on mobile" can now say "here is our mobile allocation set against the modeled cost of a mobile-related incident, on one of the fastest-expanding enterprise attack surfaces we have," and that sentence lands differently.
The CISOs who win the next budget cycle walk in with the ratio already calculated, defensible, and tied to the specific gaps the program can close this quarter. The ones who lose it walk in with the threat narrative. Evidence, not alarm.
- William
What to do this week
Calculate your mobile-program budget ratio.
What you'll need (5 minutes to pull, 30 minutes to model):
- Annual mobile-security spend, distributed total, not the budget line
- Headcount allocation against mobile, fully loaded
- Modeled cost-per-incident exposure ($10.22M US baseline; adjust upward for regulated sectors)
Steps:
- Pull licensing. MTD, MDM/EMM/UEM, and the identity-layer controls allocated to the mobile attack surface. This is almost always larger than the "mobile" budget line suggests.
- Add operational cost. Mobile-specific SOC time, audit time, incident response retainer allocated to mobile.
- Add headcount. Any dedicated mobile-program headcount, fully loaded (salary + benefits + overhead).
- Sum. This is your annual mobile allocation. Write it down.
- Set the modeled exposure. Start with $10.22M as the US baseline. Adjust upward for healthcare, financial services, defense contracting. Use $6.99M as a floor for mobile-originated incidents specifically.
- Calculate the ratio. Annual allocation divided by modeled per-incident exposure. The number itself is the artifact.
- Walk into the next budget meeting with it. Before the CFO, the auditor, or the underwriter asks.
The number that matters is not "what does mobile security cost us", which sounds like an expense to cut. It is "is our allocation proportionate to our modeled cost-per-incident exposure", a question the board can defend to the auditor, the insurer, and the regulator.
Get the budget-ratio calculator template (Appendix C of the 2026 Mobile Risk Report): mobilesecurityguru.com/report (Six questions, instant access to the full report. No sales call required.)
This week's reference card (CVEs, dates, sources, no narrative): mobilesecurityguru.com/brief/006
For family offices, principal-level engagements, and personal mobile-security advisory, reply to this email.
Every Friday. Five items. One action.
Subscribe to The Friday Brief on LinkedIn (every Friday's issue, delivered to your LinkedIn notifications).
The framework earns trust only if it keeps producing better questions against live evidence.
Has your board asked for the mobile-program budget ratio yet, or are you walking in with it before they do?
#MobileSecurity #CISO #BoardGovernance #CFO #CyberInsurance #CybersecurityBudget #RiskManagement