How Much Cybersecurity Is Enough? Perspectives from Across the Digital Landscape 

Cyber attacks have grown exponentially in complexity and danger, now leveraging AI-driven automation and nation-state backing to infiltrate even well-defended networks with devastating speed and precision. And yet, debates rage in boardrooms across the world: How much cybersecurity is enough? The answer, it turns out, depends on who is answering.  

But let’s back up for a moment before we get into the answers. First, a question: why is there such a diverse range of answers in the first place? Doesn’t everyone want their businesses to be safe? It just makes sense that you would want to protect the investments you’ve made in your customers, your employees, your future.  

Of course that’s true. The problem comes from two things:  

  1. The overwhelming pace of change. In less time than it takes a kid to go from their first day of kindergarten to college graduation, the entire digital landscape has blown wide open. Twenty years ago, if you had a firewall, you were taking a solid approach to cybersecurity. Today, a firewall is the most basic of security appliances.  

  2. The relative nature of the meaning of “secure.” What each person perceives as risk differs widely. Risk can feel vague and far away if you’ve never experienced a breach, or if, at the very least, you don’t know someone who has experienced one.  

  3. Okay, I said “two things,” but we all know there are many issues that make it hard to answer “how much cybersecurity is enough.” Most budgets aren’t unlimited. Everyone is working with a staff of varied digital experience. Technology continues to evolve at an ever-increasing speed. AI singularity is just around the corner.  

So the bottom line is this: it’s complicated. When a complicated topic requires examination, one good way to approach it is to gather a lot of different perspectives, so let’s take a look at some of the diverse viewpoints shaping this conversation in 2025. 

 

The Security Professional’s View: JSCM Group’s Engineers Weigh In 

We recommend thinking of cybersecurity as an ongoing project rather than an all-at-once big spend. To put it simply, the right cybersecurity plan is the one that works for your organization, both where it is today and in ways that can grow with you.  

These days, almost every business has a digital backbone. Having IT infrastructure is a lot like having a car. Even if that car is not the core of what you do, it will certainly help you get where you’re going more efficiently. But do you like everything about your car? Could it have better pickup? A tighter turning radius? Does it have useless features that just complicate everything? In the same way, there are probably some things you’d really prefer to level up in your IT system, particularly your cybersecurity stance.  

These are the kinds of questions we like to discuss with new clients. What cybersecurity measures do you have in place? What annoys you about those measures? What slows your business down or drives your employees crazy? These are the perfect opportunities to make improvements. When you improve a process or streamline a cumbersome task, not only will your employees be happier and more productive, but you can also strengthen your cybersecurity posture.  

 

The Business Leader’s Dilemma: How Much Should We Spend? 

For executives, most decisions come down to balancing all of the different business priorities within the budget. Some companies cut corners and get breached and then cannot recover. But at the same time, if you don’t reserve enough budget to make and deliver your product or service, you have no need for cybersecurity in the first place. It’s a balancing act.  

Cybersecurity spending has soared. Forrester Research’s Global Tech Forecast 2024-2029 predicted that total IT spend will reach US$4.9 trillion in 2025, spurred by enterprise and government investment in cybersecurity solutions and AI technology. Yet, there’s no universal benchmark or accounting method for what constitutes “enough” cybersecurity spending.

Boston Consulting Group warns that spend isn’t the only crucial question to consider. They recommend that, beyond just considering budget, company leaders, including CISOs, work closely together to ensure that all security measures are carefully coordinated and woven into a company’s culture and processes. Regarding budget, they encourage company leaders to consider three key questions: What is our risk tolerance? Where will our investments have the greatest impact? How do we make those investments work? 

The User’s Experience: Can’t we just do our jobs? 

Security fatigue is very real, and when users start looking for ways to work around cumbersome processes, risk goes through the roof. It’s a fact: end users frequently feel overwhelmed by cybersecurity measures. When bombarded by constant warnings and complex authentication steps, they can begin to cut corners, stop reading carefully, and click things without thinking them through. Since 75 percent of targeted cyber attacks start with an email, your users are always your biggest weakness and your first line of defense.

“Humans have always been a big part of the computing picture, but for some reason, we always thought only technology solutions alone can fix or prevent issues … That is not a workable strategy.”  

From “Users are not stupid: Six cyber security pitfalls overturned”

The Government and Policy Perspective: Best Practices and Continuous Improvement 

Government agencies like CISA advocate for strong “cyber hygiene” practices—using strong passwords, keeping software updated, and enabling multi-factor authentication—as foundational for both individuals and organizations. They stress that cybersecurity is an ongoing process, requiring tailored plans, continuous monitoring, and adaptation to new threats. The goal is operational resilience, not just compliance.  

All of that makes sense, but if you’re simply checking boxes, rather than building a resilience plan based on your company’s specific needs that is carefully integrated into your company processes and culture, it won’t be “enough.” And not to repeat ourselves, but your plan must include processes that are workable and frictionless for your employees.

Conclusion: Surprise! There Is No One-Size-Fits-All Answer 

How much cybersecurity is enough? It depends on your role, your risk tolerance, and your resources. 

  • Security professionals urge continuous improvement and layered defenses. 

  • Business leaders weigh costs against risks and compliance needs. 

  • Users seek simplicity and relief from “security fatigue.” 

  • Policymakers advocate for best practices and resilience. 

It comes down to the structure of your cybersecurity plan, rather than the “amount.” The most successful cybersecurity plan is one that:

  1. Provides a layer of protection around every vulnerability 

  2. Underpins every one of those layers with another layer, so that there is no single point of breach without a backstop.  

Ultimately, the right amount of cybersecurity is a plan that keeps your data, operations, and people safe—without grinding productivity to a halt or breaking the bank. The journey to “enough” is ongoing, and it’s shaped by the unique needs and perspectives of everyone involved.

Let’s talk about your company’s needs! Set up a free consultation with our team today, and we can start shaping a plan that hits the right balance for your organization.

 
