MEMORANDUM: Human factor in Cybersecurity

BLUF: With a limited budget, I would invest just a bit more in ongoing employee
security training but still heavily fund our core cybersecurity technology. Careless users
make it easy for attackers.

Discussion: Coming into this position, you’ll face the risk-budgeting question: where
can you decrease risk the most given your constraints? You can buy all the technology
you want (IDS/IPS, EDR, EPP, Firewall, SIEM, etc.) but at the end of the day, people
are still going to make mistakes. Despite technological advancements, the majority of
real-world attacks I’ve seen started from phishing, social engineering, weak passwords,
or mishandling data.

That’s why I would spend about 55–60% on the training side and 40–45% on the
technology side. Technology gives you a floor, but your employees can raise or lower
that floor.

For training, I’d focus on regular, contextual training rather than a “here’s what not to do”
seminar once a year. I’m talking about things like phishing simulations, role-based training
(what you should definitely do if you hold credentials for the XYZ system), and 5–10 minute monthly
newsletters. Get your employees to develop a “security-first mindset” so they help catch
attacks instead of unknowingly facilitating them. Depending on your situation
(government and intelligence-adjacent workplaces tend to be prime targets), this step is
critical.

Security training will only take you so far. Once you separate people and tech, spending
your budget becomes a lot easier. But together, they create layers of protection that are
far more effective than either one on its own.

Conclusion: Ultimately, I would split funding between employee education/training (a bit
more) and foundational security tech. Cybersecurity is half a people problem and half a
tech problem. The better you make your users and your defenses, the lower your
overall risk will be.
