First and foremost, I can’t have everything within a limited cybersecurity budget, so if I’m going to pick and choose what to spend my money on, that would be the right way to go about it. I want to get the basics down first. That’s going to be things like firewalls, anti-virus, secure configurations, that sort of thing. After that, I would train my employees: the stats are very strong on showing that having a well-trained workforce is going to reduce the risk of a breach. Also, I would pick the technology that’s going to deliver a high return on investment. In other words, solve the biggest problem with the biggest bang for my buck. And try to ensure that what I spend is compliant with any industry regulations. If I spend money in an area where the regulators are going to be displeased and hit me with fines, I need to make sure that I’m not overspending. And I will be aware to be agile: there might be new issues that emerge, or perhaps the company’s needs shift, so I would be ready to get feedback and reallocate the budget as needed. When I look at spending on technology versus spending on training that will help my employees defend against cyber attacks, the priority really is not automated tools. The priority is people. It’s not because people are better, it’s because they have the ability to adapt to change more quickly, whereas automated tools aren’t. Humans can change, but technology doesn’t change overnight.