
Heavy Strategy HS115: Cyber-Risk Assessment and Cybersecurity Budgeting: You’re (Probably) Doing It Wrong
Oct 28, 2025
In this engaging discussion, the hosts explore the pitfalls of linking cybersecurity budgets to IT spending and explain why this approach is flawed. They highlight human complacency and the need for a fresh perspective on security in a world without clear network perimeters. By recommending a spend-per-employee model, they emphasize the importance of identifying what truly matters to an organization. The conversation also delves into the complexities of AI and third-party risks, urging listeners to modernize their risk assessment strategies.
Budget By Spend Per Employee
- Avoid pegging cybersecurity spend to a fixed percentage of IT budget; it misaligns protection with actual company value.
- Instead, measure cybersecurity spend per employee and compare within your vertical to set more realistic budgets.
Protect Company Value, Not Just IT
- Cybersecurity protects company value, not just IT assets, so basing spend on IT size understates business risk.
- Value pillars like brand, market cap, and IP dwarf IT budgets and should drive protection priorities.
Staff Is The New Attack Surface
- The employee is now the primary attack surface as organizations shift to SaaS and cloud-first models.
- Security focus should move from perimeter defenses to protecting accounts and user behavior across cloud services.
