Balancing Training and Technology Under a Tight Cyber Budget

Balancing Training and Technology Under a Tight Cyber Budget: A CISO’s Plan
I will lay out a simple, repeatable framework for deciding what to fund.
First, use a threat-led, risk-based approach: map the most likely incidents (phishing/BEC, ransomware, lost devices, privilege misuse, cloud misconfiguration) to the specific controls that address them.
Second, apply defense-in-depth principles, not redundancy. Each dollar should close a distinct gap at a different stage of the lifecycle (prevent → detect → respond → recover).
Third, fund tools and training in tandem. Tools will fail without well-trained staff; staff will fail to follow best practices without sufficient guardrails.
Fourth, fund based on fast metrics. Spend money where performance can be measured clearly (e.g., blocked-phish rates, MFA coverage, patch SLAs, MTTR) within 1–2 quarters.
Now I will describe my initial funding priorities, quarter by quarter.
Q1: Protect the front door.
Implement multi-factor authentication (MFA) for all users and phishing-resistant MFA methods for administrators.
Tune your email security for your most common threats; implement DMARC/DKIM/SPF.
Install Endpoint Detection and Response (EDR)/Extended Detection and Response (XDR) on all endpoints; test your backups.
Launch a new role-based training program and run a phishing simulation as part of your baseline testing.
Q2: Reduce blast radius and build muscle.
Implement Privileged Access Management (PAM) for administrator accounts; centralize your Security Information and Event Management (SIEM); conduct an Incident Response (IR) tabletop exercise.
Create micro-training sessions for high-risk teams.
Q3: Secure and automate.
Create baselines for your endpoints and servers; create automated patching processes.
Automate playbooks; focus on third-party risk.
Q4: Validate and refine.
Conduct penetration testing (pentesting) on critical systems; review your metrics; prepare your spending cycle for next year.
Cost Discipline and Trade-off Logic
Prioritize reducing vendor sprawl: Use a platform or tool that covers multiple adjacent functions if it meets quality standards.
Secure defaults by policy: Mandate MFA, disk encryption, and baseline hardening to reduce the training burden on your team.
Buy outcomes, not features: Define measurable outcomes for every dollar you spend.
Invest where humans interact with risk: Provide additional training for teams such as Finance, Developers, IT, and Executives.
How I will measure success
Prevention:
Achieve MFA coverage of 98% or better
Have EDR installed on 95% or more of your endpoints
Have DMARC enforced at p=reject
Restore successfully from backup at least once per quarter
People:
Phish click rate lower than industry average
Report rate greater than 30%
Time-to-report ≤10 minutes
Detection/Response:
MTTD ≤1 day
MTTR ≤4 hours
≥70% automated response coverage
Governance:
≥90% compliance with hardening policies
Patch SLOs achieved
All third-party findings addressed within 30 days
Conclusion
The best way to allocate limited dollars is to invest in a small number of highly effective controls that shut the largest doors (identity, email, endpoints, backups) and to deliver role-based training that changes human behavior. Pair this with detection/response readiness and governance, and we will significantly decrease the likelihood and impact of human-enabled cyber threats while avoiding the cost of shelfware.
