Cryptosmasher86

IT/security is a cost center; it doesn’t make a company money. So short-sighted executives look for savings and cut staff vs. cutting ridiculously expensive tool contracts or services first, or looking to see that maybe they have too many fucking managers that add no value but cost a lot.


LimeSlicer

We are at an age of industry where the "do better" watermark is no longer a noteworthy contributing factor to compensation. Little accountability is enforced so long as "reasonable" due diligence can be spun. Leaders have no reason, professionally or personally, to do more than the status quo. Often those who do have intrinsic motivation are run off by bureaucrats who would rather die than risk their cushy status quo.


kai--zen

I work at a consultancy and we advised our customer, who was doing some insanely insecure operations, to make some immediate changes. They basically refused to even enable MFA. We said we can't be associated with them when they inevitably end up in the media (they deal with people in the public eye), so we parted ways. The cost to fix their issues was around 10k, which is about 1% of their turnover annually. Some people can't be helped.


Top_Technician9673

THIS 💯


Rob-G10

It doesn't make a company money, but it saves a company money from getting hacked, which could save thousands/millions of dollars.


Cryptosmasher86

That doesn’t matter to executives though. Anything that doesn’t directly generate revenue for a business is always going to be at risk for cuts. Have you worked for any corporations before? This is how every industry works. Even in the public sector budgets have to be justified.


Rob-G10

Cybersecurity employees don't really get laid off; other sectors of tech do, software engineers etc.


Cryptosmasher86

Yeah they do. Who told you that BS?


Rob-G10

Google it


Cryptosmasher86

Maybe you need to google it, dumba$$. I just saw a few hundred cyber people get laid off this quarter where I work. If you think it doesn’t happen you’re misinformed.


Rob-G10

Stfu pussy, stick to crypto, u don't know shit about cyber.


Cryptosmasher86

Sweet baby Jesus you’re dumb. I’ve been in Intel/IT/cyber work longer than you’ve been alive. I don’t work in that cryptocurrency BS. If you’re referring to my username, it’s a movie reference. Get a f@@cking clue.


sirseatbelt

Long-term impact of a cyber incident might be minimal. Target and Equifax have recovered just fine, and at the time those were considered huge breaches. On the other hand, SolarWinds' stock price has yet to recover from the 2020 hack. So maybe it depends on the industry?


Old-Resolve-6619

It’s all for shareholders too. Nothing actually worth ruining people's lives for.


pie-hit-man

Because businesses are built on risk based decisions.


MiKeMcDnet

... and AI is going to solve all the staffing issues.


mkinstl1

Have you all seen the cost of Microsoft Copilot for Security? We were quoted $30/month/user! That’s on the levels of multiple FTEs with actual intelligence.


MiKeMcDnet

And I'm guessing that that doesn't include the cost of the coins to run the processing?


vertisnow

$30 per user? Like all the users, or just the security admins?


hexdurp

Probably all users. 


linebmx

Yep we were quoted the same. At 50k users, there is no way lol


dcbased

I feel that security teams (and tech teams) do an awful job of explaining their value, their wins and their operational efficiency in terms that work for business people. Our inability to communicate in a way that non techies understand hurts us.


westcoastfishingscot

Absolutely. There are ways to spin it to execs and decision makers that show how Cyber actually results in a net positive. But very few people are able to articulate that properly in a board room.


[deleted]

Ascension's attack last night comes to mind. If you can establish and convey a cost metric and how an attack/temporary loss of IT infrastructure affects revenue, a lot of C-suiters would change their tune rather quickly. The end-all-be-all answer for this, however, will be firms like McKinsey and Deloitte recognizing the value of cybersecurity staff and infrastructure, because for some reason the only people execs will listen to are management consultants.


dcbased

If you wait for Deloitte to come up with a framework to justify security... then you are screwed. Deloitte makes money by saying your group sucks... we can do it better. Once they are in the door, the battle is lost.


Affectionate-Panic-1

I have a unique role in GRC where I've sort of been put in as an SME for security in sales discussions. We've been keeping track of all of the new business we've helped on as a justification of the security budget.


dcbased

Sounds like my old role. Being able to synthesize complex items down to simple terms is a key skill.


lawtechie

We often fail at explaining risks in the same language as other SMEs. I worked at one company that had a monthly 'roll up' where every business unit explained their risks to senior management. Finance, Legal, Operations managed to do this in one or two slides. The CISO pushed out a 90 slide 'dashboard'. Guess who didn't get taken seriously?


Trojan_Number_14

I'm a red teamer working for a consulting firm. We're seeing a *lot* more work across the board. It looks like companies are deciding to downsize their full time teams, and shift that work off to consulting firms and MSSPs.


DisastrousProperty

Interesting, I’ve been in a product company for several years, but my friends who stayed in consultancies (NCC Group, IOActive) are getting laid off.


Trojan_Number_14

Oh we're seeing the same stuff here as well. The increased workload isn't evenly divided. Our cybersecurity strategy consulting, vCISO, and auditors in some specific frameworks are seeing major slow-downs. However, our audit work in other frameworks, IR, and (surprisingly) pentesting are all seeing massive growth that's pushing the whole department to overall net growth. Our work in "mandatory" frameworks like PCI and FedRAMP has especially been a nice source of stability for our firm in this economy.


That-Magician-348

New PCI DSS drives most of the new budget.


askwhynot_notwhy

> Interesting, I’ve been in a product company for several years but my friends who stayed in consultancies (ncc group, ioactive) are getting laid off.

In fairness, IOActive has always been a sh!t show; and NCC Group has been shaky for a good 6 years now. Their loss of top talent during 2015-2017 (to places like Datadog) certainly didn’t help things.


solidmussel

Every time someone knowledgeable quits a company, the company is left with a knowledge gap, and it's not always easy to find a replacement, especially on small teams. The idea of an MSSP is that they will always be able to provide resources to you.


anevilpotatoe

Something is off lately. I don't entirely get the massive layoffs in IT, Cyber Security, and the Gaming Industry lately. But I don't like it.


a_rude_jellybean

I'm not in the tech field. But my research suggests that the layoffs are due to excess hiring, therefore trimming the fat now. My opinion: companies are trimming the fat to use that extra cash to invest into other investments right now. There is a huge push for military supplies globally. The agriculture sector is damaged due to Ukraine's short supply, and there seems to be a huge boom in electric vehicle manufacturing (there seems to be an arms race on EV factories right now in the US). Heck, oil prices are high too, therefore it's a no-brainer to invest money into lucrative stuff related to oil and wars. My opinion is that they're betting on these things but use their excess fat to hedge while the internet stuff is not as hot right now. But hey, I'm just speculating. I could be massively wrong.


Affectionate-Panic-1

I think it's the market ebbing and flowing. Boom and bust. C suites tend to copy each other, and last year it was all about trimming the fat. High interest rates and lower valuations make it harder to justify spending and new investments. In 2021, everyone wanted to hire the best talent and keep it from competitors.


Tides_of_Blue

They think they are saving money and don't understand the risk profile of the company.


mkosmo

Business leaders likely understand the overall risk of the business better than cyber resources do. There's more to risk than just cyber risk. If it comes down to "downsize x or you go out of business" which do you think wins?


Tides_of_Blue

There is more risk than cyber risk in a company risk profile; understanding the complete risk is key to managing properly.


Far_n_y

This! Companies are just figures for CXOs: income, spending, risk, taxes, etc. If the GRC team is doing a good job, the CEO has a good picture of the risk they are facing and can take decisions based on those figures.


etaylormcp

Because companies don't do what makes sense during economic downturns. They make decisions based on costs, and cyber teams are expensive. They expect that others will shoulder the load to make up for cuts. And if the IT structure reports to the CFO, or worse a CTO who is clueless, they will often cut until there is nothing left of the original defense framework as it has been matured, because not only will they cut people, they also cut software and hardware. So security appliances and software licenses get tossed out with the bathwater as well. And then they come back and ask why spam has suddenly increased or why you can't remediate their inbox for them, etc.


shavedbits

There is a permanent skills gap in cyber because so many people burn out. So unless you are burning out I wouldn’t worry about any “coming layoffs”. Seems cyclical. There’s a whole army of AI based cyber startups that will keep all of us employed for the next 10 years.


cliffy348801

They stopped paying for training and told us to use our PTO/salary if we want to attend class... on proprietary enterprise software. I'm not dropping 10k and burning 1/3 of my leave to take a class on DTEX.


Primary_Excuse_7183

When trying to do more with less, they look to those making more money and bringing in less revenue (cost centers). Tech folks/cyber/IT generally will fit the bill in orgs that don’t truly value security or IT and don't see it as an integral part of how the business makes money. These are especially those that know how to revert to the old carbon-copy credit card imprinter to take money.


PolicyArtistic8545

Tech improves so fewer employees can do more. Instead of constantly improving capabilities, companies are okay with having their capability be flat for a year or two while this blows over. This isn’t limited to tech; a lot of fields are seeing this.


coldcutthroat

To most people the guy fixing their computer or an application in front of them is the essence of IT. They don't see what has to happen in the background to keep everything running and secure. Cyber security is like insurance. You don't see the return on investment until you need it. Somebody needs to relay the cost of downtime, data loss or public perception for them to make an educated decision on how much to invest in security.


NefariousnessBusy623

Our company just sold off 50 percent of the business. Needless to say there is less need for infosec operators. They did not cut us. They just did not increase the salaries and left part of the team to wither on the vine, the parts based in the expensive locations. To that end, in 2 months 30 percent of the team will be gone. In my country, if you make someone redundant that is 4 gross salaries at the least as a parting gift, so they prefer you leave of your own accord. That said, finding work is not hard. Legitimately, I just flipped my LinkedIn to looking for opportunities. A week later I had a job offer. A week and 2 days later I had a good job offer. So I took it. I do detection engineering, threat hunting, IR and some forensics. There were no jobs for me a year ago. Now there are a lot.


Legitimate-Wave-854

It's all the above. In my opinion, having people on a team to do cyber security is one thing; having people who care and are good at their jobs is another. In an era of people working remote, many leaders and employers haven't seen the payback to allowing it. They thought throwing more people at the problem would help. And normally it doesn't. That then turns into a bad culture. Bad culture turns into no stability / a revolving door of talent. I've also seen that a lot of IT and Security leaders are not good leaders. At one point, they were promoted because they were technically strong, but have no idea how to build a good team culture that fosters accountability and production. They tend to gang up with people who think like them, and hope they make it past the next review cycle. Rinse and repeat.


[deleted]

Many companies don’t want to properly fund/maintain their CS framework because it is viewed as an expense that can be cut…until they experience a data breach. Realized losses are an amazing teacher that executives listen to.


ou2mame

One of my clients is in the physical security sector, and companies from large venues to commercial buildings provide the bare minimum physical security required by their insurance companies. Schools would rather send a janitor on a school trip than a trained security guard. I see the same approach to cyber security with my business clients. Also, as more businesses move to cloud based infrastructure, they see less of a reason to staff an entire on site IT dept when they can outsource maintenance and monitoring for much less.


kaicolegodfrey

I feel like threats get worse during a recession though just like regular theft.


Cutterbuck

Any management of risk can eventually result in less belief in the risk….


gxfrnb899

Because cyber programs cost money and big wigs don't care until something happens.


ShroudedHope

They justify it by saying the money saved in salaries can be used to purchase cyber insurance. Now, they've addressed the issue of risk so to hell with your data or any other impact caused by an incident. /s


Financial_Pen5076

Well, security teams don't generate the money for the company directly. They're often viewed as a liability until something goes wrong.


hexdurp

Am seeing increased persistent threats. Have data to back it up, a backlog of projects, and can’t fill an open position due to budget constraints. Hard times right now.


Mazic_92

Part of it is they do not see it as value add. More than likely what you are seeing is very different than what is happening. These layoffs are happening because security is being outsourced to MSPs (who use other MSSPs), MSSPs, and enterprise security. The budget/time sink for in-house security staff and developing out a security program is typically much greater than outsourcing somewhere. So while these layoffs appear to be a bad move (which I'm sure for some companies it is), it's more than likely they are moving laterally to save money. Then they will keep some key security staff around to manage the partnership between the organization and the security provider.


[deleted]

Once white turns red🤠


baba_yega210

People are getting laid off? Man, I can’t even get an entry-level job because it’s not enough experience. Is it too much to ask for more than $35/hr to do support? Fml bruh.


zedsmith52

It’s because businesses are extremely poor at assessing risk. Additionally, they don’t generally think they have to “outrun the tiger, but just run faster than others”. These issues combined mean that waning security posture, lack of regular employee training, cost of living and insider threat, plus advances in AI are making companies more vulnerable than ever. The perceived savings in layoffs pale in comparison to the financial risks.


Existing_Gate2423

Crazy, when all you see in the news is security breaches you’d think it would be the other way around.


bursacan

Why do companies like AT&T, which put millions of Americans in trouble as they were hacked, claim no financial responsibility? Shouldn’t they pay people for the damages they cause by not hiring expert cybersecurity employees in the first place?


scolablake

How common is this and is it just with a down market? Are you referencing any particular company?


Longjumping-Pin5976

The layoffs are mostly a correction from a hiring bubble from 2020-2021 where companies were willing to take risks on less experienced workers because of freely available cash and low interest rates. They’re probably factoring in the risk of threats vs. how much they’re funding their security team in these decisions. How well they’re actually quantifying that risk is not certain and might depend on the maturity of their InfoSec teams.


[deleted]

Sorry but this isn't a correction from overhiring. It costs money to get money again.


Longjumping-Pin5976

Two L takes in this thread. Time to hang it up, my guy.


[deleted]

The problem with security is how do you quantify the money spent vs. what you earned spending that money. If you can't tell me for certain your ROI I'm going to just assume it's zero. In other words, you can spend a million and get hacked, or you can spend zero to get hacked. The big monster on the horizon for cyber is businesses willingness to continue to spend money on things that don't work. We're just patching patches at this point.


gxfrnb899

true but your risks are much lower with strong security controls in place


Far_n_y

The risk depends on the sysadmins, network engineers and developers doing their job well. Cyber guys are just highlighting the problem or supporting the wider business.


Due_Bass7191

This is very accurate. Why is it getting downvoted? I could sum up the post with "Security isn't profitable," but that is maybe too simplistic.


[deleted]

Security isn't profitable, but also, when was the last time spending on security actually prevented a breach? I thought ransomware and insurance would scare/force companies into spending on security. Instead insurance gave them a way out. And if they get ransomed they just pay or recover.


DublinClover

Most prevention-based professions unfortunately fall into this area too. I'm a Dietitian, where we would excel is in prevention vs. reaction. But most of the time we are viewed as an added cost that's not worth the FTEs for clinics and offices, because we are poorly reimbursable for insurance. It's also a lengthy process to counsel and you don't often have measurable outcomes. So I think what you're saying is totally accurate. I've been working on trying to pivot to cyber for about a year now. Comparison is a bit apples to oranges, but I've always seen the parallel between the two.


ts0083

THIS!


[deleted]

You can also pay cash for a house and then refuse to buy fire insurance because it is an “expense” that you can cut and will probably “never need.”


[deleted]

Guess what? I can buy cyber insurance and fire all my security guys.


[deleted]

How about a better analogy. Would you buy a $2M home and not invest in a security system to help prevent/discourage a break-in? Penny wise, pound foolish!