Having seen how some CISOs "beg for resources", I pretty fundamentally believe most of this money is wasted anyway.
The only way you can really get better security at a company is to have an ingrained security culture. I.e., developers are continually educated on secure coding practices and new threats, code reviews include security checklists, corporate security training includes continual social engineering tests, and there is an atmosphere of continual improvement.
And yes, that stuff does cost money, but that's rarely the resources I see CISOs fight for. Instead, they fight for lots of expensive software, things like useless, shitty WAFs or poorly built "network monitoring" software (which can be a huge threat vector in itself, just see the SolarWinds fiasco).
Like many other comments here, I don't believe security is something you can "bolt on" at a company. Yes, there are specialized roles that a dedicated security team needs to fill, but unless everyone at the company has a true understanding of the value and importance of security vigilance, you're screwed.
To your point about security culture vs. buying security appliances, you need both. They address different aspects of security. If you're only doing one of them, you're in trouble. Likewise for checkbox ticking security-by-compliance.
I strongly agree though that you can't really bolt on security, it needs to be designed in and part of the culture as much as possible. You'll never get everyone to understand the value though (I wish!).