
The Everything Feed - All Packet Pushers Pods
HS115: Cyber-Risk Assessment and Cybersecurity Budgeting: You’re (Probably) Doing It Wrong
Oct 28, 2025
Dive into the intricate world of cybersecurity budgeting as the hosts uncover why traditional percentage-of-IT methods fall short. Learn how spending should reflect actual cyber risks rather than IT costs. The conversation highlights the shift in attack surfaces towards staff and cloud vulnerabilities, the importance of measuring median total time to contain breaches, and new threats posed by AI. Discover how to better assess and justify cybersecurity investments amidst evolving challenges in a landscape where perimeters no longer exist.
AI Snips
Budget Opinions Often Conflict Internally
- Organizational views on cybersecurity budgets diverge: some say too much, others say too little, often simultaneously.
- Lack of catastrophic events skews perceptions toward cutting security spend prematurely.
Ditch Obsolete Benchmarking Rules
- Stop using obsolete percent-of-IT benchmarks like Gartner's to set security budgets.
- Use per-employee spend and adjust for vertical, IT culture, and cloud adoption instead.
Make Business Leaders Define Value Pillars
- Engage business leaders to identify the company's value pillars and where cyber risk threatens them.
- Present risks to the board and show where mitigation is missing to secure funding and priority.
