Introduction
For a Chief Information Security Officer (CISO), one of the biggest challenges is deciding how to spend a limited cybersecurity budget wisely. Technology provides the backbone of protection, but human behavior remains one of the greatest risks to an organization's security (Milnes, 2025). Striking the right balance between technical controls and employee training is essential to prevent, detect, and respond effectively to cyber threats.
Investing in Technology
Approximately half of the budget should go toward core technologies that immediately reduce technical exposure. This includes multi-factor authentication to stop unauthorized access with stolen or guessed passwords, automated patch management to shorten the window between a vulnerability's disclosure and its remediation, and endpoint protection to detect malware or intrusions early (Humphreys, 2023). Additionally, secure, regularly tested backups and basic network segmentation can greatly limit how far ransomware or other attacks can spread and how much data is lost (Milnes, 2025).
Investing in People
Around 40% of the budget should focus on building a strong security culture through education and engagement. Targeted phishing simulations, role-based training, and security awareness programs teach employees how to recognize and report cyber threats (Osterman Research, 2019). Launching a Security Champions Program, in which selected individuals in each department are trained to promote good practices among their peers, amplifies this impact at low cost. Since human error is a leading cause of breaches, consistent training can measurably lower the organization's overall risk (Kenosha.com, 2025).
Continuous Improvement and Risk Assessment
The remaining 10% of the budget should be reserved for continuous improvement initiatives such as periodic audits, risk assessments, and small-scale pilot programs (Klogix Security, n.d.). Tracking metrics such as phishing-simulation click and report rates, time to patch against a severity-based deadline, and time to detect and contain incidents helps evaluate effectiveness and justify future investments (Milnes, 2025). This keeps spending decisions data-driven and adaptable to emerging threats.
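The following is an added worked example, not part of the original essay, showing how the three metric families named above can be computed from program records. All data (phishing results, patch records, incidents), the severity-based patch SLA, and the reporting date are constructed and hypothetical. Two design points it makes concrete: a phishing program should track the report rate alongside the click rate, since reporting is the behavior training is meant to build; and patch SLA compliance must count open items that are already past their deadline, otherwise a growing backlog looks like good performance.

```python
"""Security-program metrics from constructed sample records (added example)."""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (hypothetical; not real campaign or incident results).
PHISHING_RESULTS = [
    # (employee_id, department, clicked_link, reported_to_security)
    ("e1", "finance", True, False),
    ("e2", "finance", False, True),
    ("e3", "finance", False, False),
    ("e4", "engineering", False, True),
    ("e5", "engineering", True, True),   # clicked, then reported: both count
    ("e6", "sales", True, False),
    ("e7", "sales", False, False),
    ("e8", "sales", False, True),
]

PATCH_RECORDS = [
    # (host, severity, vulnerability_published, remediated or None if still open)
    ("web-01", "critical", datetime(2025, 3, 1), datetime(2025, 3, 5)),
    ("web-02", "critical", datetime(2025, 3, 1), datetime(2025, 3, 20)),
    ("db-01", "high", datetime(2025, 3, 2), datetime(2025, 3, 10)),
    ("app-03", "high", datetime(2025, 3, 2), None),
]

INCIDENTS = [
    # (id, first_malicious_activity, detected, contained)
    ("inc-1", datetime(2025, 4, 1, 9, 0), datetime(2025, 4, 1, 11, 0), datetime(2025, 4, 1, 15, 0)),
    ("inc-2", datetime(2025, 4, 3, 22, 0), datetime(2025, 4, 4, 8, 0), datetime(2025, 4, 4, 9, 30)),
]

# Assumed remediation SLA: days allowed from publication to remediation, by severity.
PATCH_SLA_DAYS = {"critical": 7, "high": 14}
# Assumed reporting date for the patch metrics.
AS_OF = datetime(2025, 3, 25)


def phishing_rates(results):
    """Click and report rates (fractions) overall and per department."""
    def rates(rows):
        n = len(rows)
        return {"n": n,
                "click_rate": sum(1 for r in rows if r[2]) / n,
                "report_rate": sum(1 for r in rows if r[3]) / n}
    by_dept = {}
    for row in results:
        by_dept.setdefault(row[1], []).append(row)
    return {"overall": rates(results),
            "by_department": {d: rates(rows) for d, rows in by_dept.items()}}


def patch_metrics(records, sla_days, as_of):
    """Median days-to-patch for closed items, plus SLA compliance.

    Compliance is measured over items that are 'due': closed items and open
    items whose deadline has already passed as of `as_of`. An open item that
    is overdue counts as non-compliant; an open item not yet due is excluded.
    """
    closed_days, due, compliant, open_overdue = [], 0, 0, 0
    for _host, sev, published, remediated in records:
        deadline = published + timedelta(days=sla_days[sev])
        if remediated is not None:
            closed_days.append((remediated - published).days)
            due += 1
            compliant += remediated <= deadline
        elif as_of > deadline:
            due += 1
            open_overdue += 1
    return {"median_days_to_patch": median(closed_days) if closed_days else None,
            "sla_compliance": compliant / due if due else None,
            "open_overdue": open_overdue}


def response_metrics(incidents):
    """Mean hours from first malicious activity to detection, and from detection to containment."""
    hours = lambda start, end: (end - start).total_seconds() / 3600
    detect = [hours(start, det) for _i, start, det, _c in incidents]
    contain = [hours(det, cont) for _i, _s, det, cont in incidents]
    return {"mean_hours_to_detect": sum(detect) / len(detect),
            "mean_hours_to_contain": sum(contain) / len(contain)}


def program_summary():
    """All three metric families in one dict, ready for a quarterly report."""
    return {"phishing": phishing_rates(PHISHING_RESULTS),
            "patching": patch_metrics(PATCH_RECORDS, PATCH_SLA_DAYS, AS_OF),
            "response": response_metrics(INCIDENTS)}


if __name__ == "__main__":
    for area, values in program_summary().items():
        print(area, values)
```

Trend these numbers over successive campaigns and quarters rather than reading a single snapshot; a falling click rate with a flat report rate usually means people have learned to ignore the simulation, not to escalate real attacks.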
Conclusion
Cybersecurity is strongest when technology and people work together. By deliberately splitting a limited budget between technological safeguards and comprehensive user training, and measuring the results of both, organizations can achieve sustainable, cost-effective protection. A balanced approach doesn't just defend systems; it turns employees into active participants in securing their digital environment.
References
Humphreys, E. (2023, April 20). Budgeting as a CISO: Software vs. training. https://sites.wp.odu.edu/emma-humphreys/2023/04/20/budgeting-as-a-ciso-software-vs-training/
Kenosha.com. (2025, June 12). How does human error relate to security risks? https://www.kenosha.com/2025/06/12/how-does-human-error-relate-to-security-risks/
Klogix Security. (n.d.). CISO Q&A: Cybersecurity Budgets. https://www.klogixsecurity.com/blog/ciso-qa-cybersecurity-budgets
Milnes, N. (2025). The human factor in cybersecurity [PDF]. https://sites.wp.odu.edu/nathanmilnes/wp-content/uploads/sites/34303/2023/11/The-Human-Factor-in-Cybersecurity-Nathan-Milnes.pdf
Osterman Research, Inc. (2019). The ROI of Security Awareness Training. https://ostermanresearch.com/wp-content/uploads/2021/01/ORWP_0313-The-ROI-of-Security-Awareness-Training-August-2019.pdf
KnowBe4. (n.d.). The outstanding ROI of KnowBe4’s security awareness training platform. https://blog.knowbe4.com/the-outstanding-roi-of-knowbe4s-security-awareness-training-platform