If I found myself in a chief information security officer position with a limited budget, I would balance my spending on employee training and technology, recognizing how critical human behavior is to most cyber incidents. Even the best security tools cannot prevent an employee from clicking on a malicious link, reusing weak passwords, or losing sensitive information. Because of this, I would plan to spend slightly more money on developing a positive, organization-wide security culture by conducting ongoing and relevant training. Examples of this training would be an ongoing cycle of phishing simulations that provide instant feedback, role-based microlearning modules that last fifteen minutes, and simple, accessible instructions on what an employee should do if they see something suspicious. Additionally, since a hybrid and remote work culture can add risk, I would like to focus on training employees on how to secure their home networks and portable devices and recognize social engineering.
Of the remaining 40% of the budget, allocations would be made for targeted cybersecurity technologies that offer layered defense while addressing inevitable human failure. I would focus on tools providing the greatest impact at the least cost, such as multi-factor authentication to protect access, cost-effective advanced email filtering to reduce the likelihood of phishing, and endpoint protection with detection and monitoring to catch malware spreading laterally through the environment. I would also allocate budget for centralized logging and monitoring that will allow the security team to identify suspicious activity in real time and address small issues before they become significant breaches.
Prioritizing such a balanced approach recognizes that cybersecurity is not just a technology issue; it is a human issue. Training helps to strengthen the organization’s first line of defense, its people, while technology adds the structure, automation, and backstop protection needed to respond to incidents. By thoughtfully deploying the funds across these initiative areas, the organization builds resilience through risk reduction and layered defenses, improving overall protection against future breaches through engaged, well-informed employees and varied system defenses.