The Budgeting Paradox: Why a €100M Budget Can Be More Dangerous Than a Shoestring
How the "Abundance Trap" breeds complexity, and why radical scarcity is the secret to surgical security architecture.
In the world of cybersecurity, there is a pervasive lie that we tell Boards of Directors: Safety is a linear function of spend. We’ve been conditioned to believe that if we just keep adding zeroes to the ledger, the risk will eventually drop to zero. Having sat at both ends of the spectrum—managing a high-maturity budget exceeding €100M for a Global Systemically Important Financial Institution (G-SIFI) and later securing a global manufacturing footprint on less than 1% of revenue—I can tell you that the opposite is often true.
Capital is a sedative. Scarcity is a stimulant.
When you have everything, you often solve nothing. When you have nothing, you are forced to solve for the truth.
1. The €100M Paper Tiger: The Abundance Trap
At the enterprise level, especially within the crosshairs of European Central Bank regulations, money is often used as a tool for “compliance theater.” When a regulator demands maturity, the instinctual response is to throw capital at the problem until it goes away.
But abundance creates a specific type of rot: The Implementation Gap.
In a high-budget environment, procurement becomes the goal rather than the means. Tools are purchased not because they elegantly close a risk gap, but because the purchase itself serves as evidence of “taking security seriously.” The result is a “Paper Tiger”—a massive portfolio of “Best-of-Breed” tools that are only 10% deployed, sitting on top of multiple, overlapping security frameworks that nobody actually follows.
When money is no object, you lose the ability to prioritize. You buy the legacy giant’s suite because it’s the “safe” choice for the audit, even if that suite is a bloated, 20-year-old codebase that slows down the business and provides a false sense of security. Complexity is the enemy of security, and nothing breeds complexity like an unlimited checkbook.
2. Surgical Security: The Power of the Constraint
Contrast this with the “lean” environment. When you operate in the bottom percentile of cybersecurity spend relative to revenue, you don’t have the luxury of being wrong. You cannot afford “Paper Tigers.”
In this world, every Euro must be a bullet aimed at a specific threat. At the manufacturing level, this forced a radical prioritization. We couldn’t do everything, so we did the three non-negotiables with absolute intensity:
Endpoint Security (The perimeter is gone; the host is the battlefield).
OT Security (The lifeblood of the business).
Active Monitoring via SOC (If you can’t see it, you can’t stop it).
The most surprising discovery? Scarcity led us to better technology. We found that by ditching the legacy giants for modern, cloud-native challengers, we didn’t just save money—we gained capability. For non-critical compliance functions, we found leaner services that were more suited to a modern stack than the expensive, “prestige” brands. We weren’t just “making do”; we were optimizing.
3. The Trust Sequence: Securing the Culture
One of the hardest lessons in a resource-constrained environment is that you cannot secure what the business doesn’t trust you to touch.
In manufacturing, OT (Operational Technology) is the holy grail. It is too critical to fail and culturally protected by engineers who view “Security” as a synonym for “Downtime.”
The strategy here wasn’t financial; it was political. We built a robust IT security program first—not because it was the highest risk, but because it was the training ground. By proving we could secure the office without breaking the business, we earned the “Social Capital” required to step onto the factory floor. In a lean environment, your leadership and your ability to build trust are more valuable than any firewall you can buy.
4. The “Goldilocks” Philosophy: Finding the Efficiency Frontier
The ideal cybersecurity budget is a paradox. It must be sufficient to fund your non-negotiable risks, but it should remain low enough to be painful.
I call this the Efficiency Frontier. You want a budget that “challenges” the team.
When a team is slightly underfunded, they stop looking for the most expensive tool and start looking for the most elegant solution. They automate because they can’t afford more headcount. They find modern, cheaper replacements because they can’t justify the “Legacy Tax.” They prioritize because they have to.
If you are a CISO, stop asking for “more.” Start asking for “enough to be dangerous.”
The Executive Takeaway:
Spend does not equal Safety. An unimplemented €2M tool is a liability, not an asset.
Modernity over Brand. High-cost legacy tools often carry “Technical Debt” that a leaner, newer competitor has already solved.
Embrace the Constraint. The most resilient architectures are born from necessity, not from abundance.