Finding the Right Balance Between Cybersecurity Tools and Training

BLUF:
I’d spend a little more on security tools (around 60%) to help catch mistakes and stop attacks, and the rest (40%) on training employees so they don’t make those mistakes in the first place. You need both, but tools give you a safety net when people slip up.


If I’m thinking like a CISO with a limited budget, I wouldn’t put everything into just one area. I’d lean a bit more toward technology, but still invest a solid amount in training. Something like a 60/40 split makes the most sense to me. The reason is simple: people are always going to make mistakes. Even if employees are trained well, someone is eventually going to click a bad link, reuse a password, or fall for something under pressure. That’s where technology comes in. Things like multi-factor authentication, email filtering, and monitoring systems can catch those mistakes before they turn into serious problems. It’s basically your backup plan.

At the same time, training still matters a lot. Many cyber attacks start with human behavior, especially phishing. If employees know what to look for and think twice before clicking or sharing information, you can stop a lot of issues before they even start. I’d focus more on short, ongoing training and real-world examples instead of long, one-time sessions people forget.

At the end of the day, it’s about balance. Technology protects you when people mess up, and training helps reduce how often that happens. You really need both working together to make your security strong.
