Name: Adryanna Smith
Date: 30th March 2025
BLUF (Bottom Line Up Front):
As a CISO, I would invest a scarce cybersecurity budget in a mix of technology solutions and personnel training. Technology is needed for threat detection and response, but the biggest cyber threat is human error, so a mixed strategy gives you both prevention and a quick response.
Introduction
In a constantly changing cyber landscape, organizations face difficult decisions about where to allocate constrained security budgets. The most important of these is how much to invest in people versus technology. Expensive tools can reduce exposure to external threats, but without properly educated users much of that investment is wasted. As a CISO, I would adopt a two-pronged strategy that protects both the technology infrastructure and employee awareness, recognizing that most cyber attacks are enabled by human action.
Human Behavior and Cyber Threats
According to Verizon's 2023 Data Breach Investigations Report, 74% of breaches involved a human element, including errors, privilege misuse, use of stolen credentials, and social engineering (Verizon, 2023). This is why cybersecurity awareness training is necessary. Frequent simulations, phishing tests, and behavioral reinforcement reduce the organization's susceptibility to phishing and the ransomware that commonly follows it. Note that "human element" is broader than carelessness: it also covers stolen credentials, which training alone cannot fix and which is exactly where a control such as MFA earns its place alongside training.
Technology as a Force Multiplier
Though training is indispensable, technology provides protection that scales. Endpoint detection and response (EDR), multi-factor authentication (MFA), and intrusion detection systems (IDS) are required to detect and neutralize threats that slip past a well-trained workforce. I would spend on the tools that provide the greatest value per dollar, for example open-source or already-integrated products that deliver automated threat intelligence rather than adding another console to staff.
Budget Allocation Strategy
With a tight budget, I would invest approximately:
60% in employee training and awareness programs across all departments, including phishing simulations, annual certifications, and role-based training.
40% in cybersecurity technology, directed toward endpoint protection, cloud security, and patch management tools.
This split acknowledges that technology does not work unless it is coupled with an alert and prudent workforce. Training is the first line of defense, and technology the safety net for what gets through.
Conclusion
Balancing training and technology in cybersecurity investment is not a one-time choice but an ongoing strategy. As a CISO, I am aware that technology can detect and respond, yet people can prevent many threats from arising in the first place. A combination of both is therefore the best means of protecting organizational assets when budgets are tight.
References
Verizon. (2023). 2023 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/
NIST. (2020). NIST Special Publication 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final