If my budget were limited, I would retain a balanced approach as CISO, paying equal attention to employee training and to the necessary, core cybersecurity technology. I have said before and will likely say again that human error plays too large a role in our cyber incidents. Phishing, social engineering, and plain human intent (i.e., people thinking up new and creative ways to misbehave) make life easy for our adversaries. Every adversary we face is looking for the easy way in. Regular, mandatory, and yes, engaging cyber training for all employees creates a more threat-aware environment within which our human firewall can operate.
To use the allocated cybersecurity budget effectively, I would tailor all technology investments to the specific risks the organization already faces, targeting the problem areas most exposed to likely threats. I would prioritize automation and threat intelligence to give the currently understaffed security team a fighting chance of managing the far-from-simple problems with which they must contend. I would also engage the team in an ongoing process of threat hunting, whereby they actively seek out and neutralize threats before those threats can cause harm. This is a proactive path to a resilient cybersecurity posture.