Balancing the Budget: Human Training or Technology?

            In this write-up, we attempt to balance the tradeoff between employee training and additional cybersecurity technology within the confines of a limited budget. Based on the reasoning discussed below, a budget split of 70-30 should be given in favor of employee training because it would allow for the development of a strong synergized defense against cyber threats while allowing each facet of security to build off one another.

Introduction

            When creating an organization’s budget, all factors must be considered when determining which facets of a company will receive more funding. As a Chief Information Security Officer (CISO), it is important to decide whether it would benefit my company to invest more in employee training or technological advancement when considering my given monetary limitations. To do this, it is important to take a look at the strengths and weaknesses of each side, the long-term effects, and the overall risk to security and infrastructure.

The Human Component

            In the world of cybersecurity, human error is the largest contributor to cybersecurity vulnerabilities. According to Lau (2024), “88% of data breaches are attributed to human error”, which demonstrates that the human component of any cybersecurity system must be made stronger to have the largest positive effect on cybersecurity strength. If we follow the premise of a company only being as strong as its weakest link, then the human component of cybersecurity is where funding should be focused. Cybersecurity training also has many long-term benefits, such as allowing for proactive action against threats, evolving employee knowledge of threats, and being cost-beneficial to a company’s finances. As Ucar points out, cybersecurity training and knowledge enable employees to “identify risks, take precautions, and report suspicious activity proactively”, and it “saves money in the long run” (2024). By having employees who can advance their skills on a day-to-day basis, your company’s security is ever-advancing, which reduces overall risk while also reducing long-term costs. One final note to consider concerning the human component of company security is a logical one: you can have the best technology in the world, but if you don’t have well-trained employees who understand that technology and what to do in case it fails, you have a single-layered security defense strategy.

The Technological Component

            Investing in additional technology and high-end software is a great way to increase company security and infrastructure in the cyber realm. As Shah stated, “the traditional security systems once found in brick-and-mortar businesses are no longer capable of meeting quickly evolving security challenges”, which demonstrates the importance of implementing additional advanced technologies within a company’s cybersecurity model (2024). Technologies like AI, cloud-based software, and machine learning are all cutting-edge advancements in cybersecurity that can help make a company’s cybersecurity stronger than it has ever been. These advancements automate a lot of the tasks employees do now, and they carry out these tasks with much more efficiency as well. Gallant reaffirms this by talking about how “using outdated equipment creates a significant security risk”, which leaves businesses highly vulnerable to cyber threats (2024). However, there are downsides to overreliance on technology. By investing too much into additional technology as the foundation for your security, you sacrifice employee training, risk having a single-layered defense structure, and fail to fully create a well-rounded security model. Another factor to consider in the long-term finances of the company is that these technological advancements are very expensive to implement, sustain, and maintain over long periods. As reported by Filipowski, “global security spending is on the rise yet again”, and constantly upgrading systems to handle the latest security defenses is an unattainable goal in today’s cyber and economic climate (2024). Overall, investing in advanced and additional cyber technology plays a large role in modern digital security and defense; however, its implementation difficulties and expensive costs make it a worse option than investing in better employee training practices.

Conclusion 

            Of the two possible avenues for financial diversification discussed above, I believe that preference should be given to employee training over additional technology. Investing in employee training mitigates the primary threat of human error, provides long-term financial benefits, and creates a strong foundation for building overall company security. I think that a budget split of 70-30 would be more than adequate to develop a strong synergized defense against cyber threats while also allowing each component to complement one another.

References
