
Heavy Strategy HS115: Cyber-Risk Assessment and Cybersecurity Budgeting: You’re (Probably) Doing It Wrong
Oct 28, 2025

In this engaging discussion, the hosts explore the pitfalls of linking cybersecurity budgets to IT spending, revealing why this approach is flawed. They highlight human complacency and the need for a fresh perspective on security in a world without clear network perimeters. By recommending a spend-per-employee model, they emphasize the importance of identifying what truly matters to an organization. The conversation also delves into the complexities of AI and third-party risks, urging listeners to modernize their risk assessment strategies.
Protect Company Value, Not Just IT
- Cybersecurity protects company value, not just IT assets, so basing spend on IT size understates business risk.
- Value pillars like brand, market cap, and IP dwarf IT budgets and should drive protection priorities.
Staff Is The New Attack Surface
- The employee is now the primary attack surface as organizations shift to SaaS and cloud-first models.
- Security focus should move from perimeter defenses to protecting accounts and user behavior across cloud services.
Quantify Reputation Through Win Rates
- Reputational damage often manifests as lost deals and lower close rates, not just temporary stock dips.
- Measuring changes in win rates post-incident gives a tangible view of reputational risk impact.
