Write Up – The Human Factor in Cybersecurity

BLUF: When working with a limited budget, foundational security technology that reduces human error, together with rigorous training, must be the top priorities. This split, balanced approach to risk helps ensure that the organization is properly protected.


If I were a CISO, I would begin by securing and implementing the fundamentals with technology that reduces the chance of human error. More specifically, I would fund identity and access controls (MFA and privilege-based controls), consistent patch management, and network segmentation. Given the limited budget, I would allocate approximately 60% to these technical controls because of their scale and importance. A portion of that 60% would also go to monitoring and logging technology so that errors are detected and alerted on as quickly as possible.


The remaining 40% I would invest entirely in training. Whether through role-based security training, phishing simulations, or privileged-user scenarios, keeping employees focused and aware is the key to a successful organization. Training, however, is not just a box to check; it needs to be built into the corporation's schedule so that all employees are as well prepared as possible to do their jobs.


Conclusion: Ultimately, the best cybersecurity strategy is one that recognizes that neither technology nor training is superior when it comes to securing an organization. By intentionally dividing and balancing resources between technical controls and proper training, an organization builds a defense posture that is best prepared for malicious activity.
