
The Everything Feed - All Packet Pushers Pods HS115: Cyber-Risk Assessment and Cybersecurity Budgeting: You’re (Probably) Doing It Wrong
Oct 28, 2025
Dive into the intricate world of cybersecurity budgeting as the hosts uncover why traditional percentage-of-IT methods fall short. Learn how spending should reflect actual cyber risks rather than IT costs. The conversation highlights the shift in attack surfaces towards staff and cloud vulnerabilities, the importance of measuring median total time to contain breaches, and new threats posed by AI. Discover how to better assess and justify cybersecurity investments amidst evolving challenges in a landscape where perimeters no longer exist.
Budget Opinions Often Conflict Internally
- Organizational views on cybersecurity budgets diverge: some say too much, others say too little, often simultaneously.
- Lack of catastrophic events skews perceptions toward cutting security spend prematurely.
Budget Per Employee, Not Percent Of IT
- Avoid pegging cybersecurity budgets to a fixed percent of IT spend; that model protects infrastructure, not company value.
- Instead, measure cybersecurity spend per employee and compare by industry and company characteristics.
Staff Are The Primary Attack Surface
- The modern attack surface is the staff and their accounts rather than a network perimeter.
- This shift makes per-employee security investments more relevant than perimeter-focused spend.
