The issue here is that cyber security folks seem to forget that fundamentally security is insurance. The goal is to pay the least youb can to prevent issues.

The number of times I’ve talked to CSOs or CISOs that want every piece of data in their seim or extremely strict controls is innumerable. If your spend all your budget on tools and data you have no budget for people. Its better to actually understand your risk posture and plan accordingly.

However, thats boring. Just like devs want to use kubernetes for their 5 user site, security folks want the shiniest endpoint protections. Resume driven development and resume driven security are real, and in a world where there is more direct cost and fewer discreet deliverables, its likely felt more on security.