A new report by global technology recruitment firm Harvey Nash found that three quarters of cybersecurity staff are pessimistic on pay and half are looking for a new job.
The issue here is that cyber security folks seem to forget that fundamentally security is insurance. The goal is to pay the least you can to prevent issues.
The number of times I’ve talked to CSOs or CISOs that want every piece of data in their SIEM or extremely strict controls is innumerable. If you spend all your budget on tools and data you have no budget for people. It's better to actually understand your risk posture and plan accordingly.
However, that's boring. Just like devs want to use Kubernetes for their 5-user site, security folks want the shiniest endpoint protections. Resume driven development and resume driven security are real, and in a world where there is more direct cost and fewer discrete deliverables, it's likely felt more on security.
Too many managers fail to understand that IT needs to be a revenue centre and not a cost centre.
They treat it like a cost centre, and they are going to carve it to the bone until something comes along and eviscerates the company for lunch - or worse, for lols. And then they are going to look stupid and wonder why IT failed to protect the company. Well, no duh - it was starved for resources and ability:


