Up next in 10
The Vanguard Crisis: Why $10.5 Trillion in Cyber Costs Can’t Buy Enough Talent
Oct 17, 2025
The global annual costs associated with cybersecurity are forecasted to reach a staggering 10.5 trillion by the end of 2025. Despite this immense financial backdrop, 80% of Chief Information Security Officers (CISOs) believe they operate with insufficient budgets to ensure robust security measure, contributing to an overwhelming 88% of CISOs functioning in moderate to high-stress conditions. This pressure is compounded by enterprises exacerbating the perceived talent shortage through misaligned strategies, such as offering lower average annual salaries (152.7K) and failing to adequately address burnout (or "cyber strain"), pushing professionals toward adjacent, better-compensated fields. https://www.securitycareers.help/the-ciso-vs-dpo-debate-why-security-and-privacy-must-collaborate-but-never-merge https://www.securitycareers.help/vciso-ciso-as-a-service https://www.securitycareers.help/finding-chief-information-security-officer-positions-ciso
View Video Transcript
0:00
Okay, let's unpack this. Let's do it. Today we are strapping in for well a
0:05
pretty high stakes ride. Uhhuh. We're connecting the, you know, the super fast pace of venturebacked
0:11
startups with the cold, hard realities of cyber. Yeah, it's a collision course sometimes.
0:18
Our sources for this deep dive are well quite a stack. They really are. We've got everything from detailed
0:23
penetration testing reports, uh, insider guides to VC funding mechanics,
0:28
right? all the way to the really chilling financial fallout from a major data breach and you know what's
0:35
happening with the security workforce itself. So our mission here is to really understand these critical links
0:41
exactly for you the listener maybe you're a founder gunning for that hyperrowth seed round or perhaps you're
0:47
a cso trying to lock down a Fortune 500 company. Either way, either way, you need to internalize this
0:52
idea that ambitious growth, it's fundamentally fragile if it's not underpinned by some foundational cyber
0:59
resilience because the security slip-ups that lead to those multi-million dollar disasters,
1:04
they're often incredibly basic. It's kind of shocking sometimes. It is. And the reason they keep happening, well, it points directly back
1:10
to strategic business decisions about growth, speed, and crucially talent.
1:16
That's the real tension, isn't it? That's what we're digging into. Yeah. We're looking at why, you know, a weak
1:21
password or maybe an unpatched server. The kind of mistake that seems almost trivial when you're in a 100hour coding
1:27
week, totally understandable in the moment, how that can lead directly to that multi-million dollar disaster that just
1:34
wipes out all the hard one traction. Yeah. Years of work gone. So, let's start with the numbers, the
1:39
cold, hard figures that really define this risk landscape and show exactly
1:45
what's at stake. Okay. So, if we look at the definitive cost reports, uh the ones from 2023, the message to any business
1:53
leader is just stark. Stark is a good word. The risk is accelerating. Breaches are
1:59
getting more complex. They're more damaging and definitely more expensive than ever before. The big picture numbers, they're just
2:06
sustained and frankly brutal. The average total cost of a data breach hit
2:11
an all-time high in 2023. We're talking USD $4.45 million.
2:17
Wow. $4.45 million. And that's not some weird one-off spike. It represents a pretty painful 15.3%
2:25
increase just since the 2020 report average, which was $3.86 million.
2:30
So, a steady climb. Yeah, we're seeing this sustained upward trend. It reflects, you know, both the increasing complexity of cleaning up the
2:36
mess and the growing regulatory cost of getting it wrong. And when you drill down into the sort of the granular
2:42
details, you really see why that average is so high, right? The per record cost of compromised data also hit a new high.
2:49
It's averaging $165 per record. Per record. But, and this is key, this is heavily
2:55
influenced by what kind of data gets lost. If you lose, say, generic non-sensitive stuff, the cost might be lower. But the second customer personal
3:02
identifiable information, PII, gets involved. Oh, yeah. The financial penalty just skyrockets. DII is the absolute costliest category.
3:10
It comes in at $183 per record. Employee PII is right behind it at $181 per
3:15
record. That difference is significant. It means losing that highly regulated customer
3:21
data carries a just a disproportionate financial risk compared to say losing
3:26
some internal IP. Yeah. reflects the high cost of, you know, mandatory notifications, offering
3:31
credit monitoring services, and then all the lawsuits and regulatory fines that inevitably follow.
3:37
Exactly. Right. So, think about it. For a scaling company, maybe one with a rapidly growing customer base, if you
3:44
lose 50,000 records of customer PII, okay, you are immediately looking at over $9
3:50
million in direct cost just related to that data type. 9 million which puts you way over like double the
3:56
average cost of a breach we just talked about. Wow. That staggering calculation is precisely why data categorization protection
4:03
strategies they have to be foundational like day one stuff. Okay. So let's say the worst happened the incident is active. What can an
4:10
organization actually control at that point to you know lessen the damage? Does speed really move the needle when
4:16
you're already in crisis mode? Speed is maybe the single most critical actionable variable. It really is. Okay.
4:22
The data shows a massive financial difference depending on how quickly a breach is identified and then contained.
4:27
How massive? Well, breaches resolved in less than 200 days cost on average $3.93 million.
4:34
Still a lot, but okay. But if that breach life cycle drags on beyond 200 days, the cost sheets up by
4:40
over a million to $4.95 million. A million dollar difference just based
4:45
on time. Yeah, that's a 23% increase in cost driven purely by delay. And here's the kicker. Uh oh.
4:52
The average life cycle for a breach is 277 days. Oh wow. So longer than that 200 day
4:58
mark. Way longer. So most organizations are already costing themselves that extra million dollars simply because their
5:04
security operations, their incident response procedures, they're just too slow. They're reacting, not proactively
5:10
responding. Exactly. And the problem gets worse when you look at how the organization finds out about the brute in the first place.
5:15
How do they usually find out? Well, only about onethird of incidents were actually discovered by the
5:20
organization's own internal security teams or their tools. Only a third. So, twothirds of the time.
5:27
Twothirds of the time the company is reactive. They're finding out from external third parties or even worse,
5:32
the attackers themselves. Ouch. And finding out from the attacker like getting that ransomware note,
5:38
demanding payment, and threatening to leak data. That must be the worst case scenario financially. It carries the
5:45
absolute steepest penalty. Reaches disclosed by the attacker cost significantly more, averaging 5.23
5:52
million. 5.23 million. That's nearly a million dollars more
5:58
than incidents found internally which average $4.30 million. Wow. And these attacker disclosed incidents,
6:04
they also take the longest to contain. We're talking an average of 320 days. So when the attacker controls the story,
6:10
the disclosure timeline, the victim just loses control over everything, including the financial bleeding
6:16
pretty much. And this risk profile, it's especially pronounced in what we call critical infrastructure industries.
6:21
Okay. Like what? That category includes things like financial services, technology, energy sectors,
6:26
right? The big ones. Yeah. Because of the high systemic risk, the intense regulatory scrutiny, the
6:33
complexity of their systems, data breaches for these critical infrastructure organizations exceeded $5
6:39
million on average. They came in at $5.04 million,
6:44
which is what, like $1.26 million higher than other industries. Exactly. $1.26 million higher.
6:50
That context is so important, especially when we think about smaller scaling companies. Maybe they're supplying
6:56
services to this critical infrastructure sector. Yeah, the downstream risk. And our sources show that companies with
7:01
fewer than 500 employees, they're seeing their average breach costs rise a really painful 13.4% to $3.31 million.
7:10
3.3 million for a small company. For a small organization that maybe just took on some seed funding, that $3.31
7:16
million is often just catastrophic. It's a company ending event. Yeah. For a small business, $3.31
7:21
million isn't just a high cost. Very often means bankruptcy. plain and simple, it really shows that even if they're
7:27
only handling a tiny fraction of the data compared to a Fortune 500 company, the relative risk exposure is just way
7:33
greater. It is. And this whole financial reality, it confirms exactly why security
7:39
leaders, CISOs, they need reliable resources. They need strategic guidance, clear visibility into best practices
7:45
right from the beginning. Absolutely. Which is why we're really thankful for the support of our sponsors who are dedicated to supporting security
7:51
leaders navigating this incredibly complex environment. www.sisomarketplace.com
7:57
and also www.sisomarketplace.services. Yeah, it's clear that without reliable
8:03
resources for CISOs and their teams, the odds are just stacked against timely detection and containment.
8:10
Okay, so let's pivot now. We've seen the cost of failure. Let's talk about the intense pressure of high growth that
8:16
often leads companies to frankly ignore this necessary foundation. Right? So when we look at the startup
8:22
world, especially in that high-tech, high growth space, the entire operational focus is just relentless.
8:28
It's feature velocity, market penetration, scale, scale, scale, get big fast, get big fast. And this imperative often
8:33
clashes directly with the, you know, the more cautious, deliberative mindset you need for robust cyber security.
8:39
Let's start right at the beginning of that, the preede phase. Okay, this stage is all about being scrappy, growing fast, proving an idea is even
8:47
viable, right? Initial funding sources, they're usually bootstrapping, maybe some angel investors, friends, family, other
8:53
entrepreneurs kicking in. Yeah, the friends, family, and fools round sometimes. Yeah, the money is used strictly for
9:00
just basic operations, maybe setting up a rudimentary accounting system, creating that proof of concept.
9:07
And legally, what's the advice there? Well, the sources generally advise founders to structure as CC core pretty
9:13
early on. CC Corp. Okay. Why? It's not really about immediate taxes. It's mostly about maximizing flexibility
9:21
for future fundraising from institutional investors like VCs. They almost exclusively prefer to invest in
9:27
ccore. Gotcha. So, it sets you up for later rounds. Exactly. The main goal here is just minimizing how much equity you give away
9:34
initially while you're proving the market actually wants your thing. And there's a key financing tool often used
9:39
here, right? The safe note. Ah, yes. The safe note. Simple agreement for future equity.
9:46
It's popular because it kind of kicks the can down the road on the difficult conversation about valuation until a
9:52
later bigger funding round. Let's the founder focus on building, right? But there's a real sort of
9:58
technical warning flag with these notes. Founders have to use safe notes pretty cautiously because they often introduce
10:03
something called a valuation cap. Valuation cap. Yeah. What does that do? Well, if the company does way better
10:09
than expected between getting that Safe Note money and raising its series A round, right, that cap limits how much the early
10:16
investors valuation actually increases. So, this decision made when the company is maybe barely an idea can actually
10:24
limit future fundraising options and create complexity that VCs will definitely scrutinize later on. Interesting. Okay. So, the company
10:30
survives preede. They develop a minimum viable product, an MVP. Yeah. That shows some early positive signals
10:36
in the market that signals they're ready for the seed round. Yeah, that's generally the trigger. This is the first time that formal venture
10:43
capital firms, often those specialized seed funds really start paying close
10:48
attention. Though, you know, crowdfunding is also an option here, too. But there's a huge pitfall highlighted
10:53
in our sources here. Something described as almost always fatal by veteran
10:59
founders. Yeah, this one's critical. Taking seed money before achieving genuine product market fit.
11:06
Why is that so bad? Because investors expect that seed funding is going to accelerate a model
11:11
that's already showing signs of working, not fund the search for a working model.
11:17
Ah, okay. If you take that money and then spend the next 18 months just floundering trying to figure out what sticks, the pressure to produce results
11:24
becomes so intense that security is inevitably the first thing that gets cut or delayed indefinitely.
11:30
So that seed round milestone, it forces a pretty significant shift in corporate maturity then. Absolutely. Because now VCs are
11:36
performing serious due diligence. The startup needs like a good attorney. They need errors and emissions insurance.
11:42
You know, yeah. And crucially establish books and accounting systems. They need to
11:47
demonstrate a clear track record of operational and financial health. The informal winging it phase is definitely
11:54
over. Okay, this brings us to the core of it, right? The venture capital mindset. This is the engine driving that speed over
12:00
security trade-off we talked about. Exactly. And here's where it gets really interesting. Way out on us.
12:05
VCs are fundamentally not interested in creating a nice small profitable
12:10
business. That's not the goal. No lifestyle businesses for them. Nope. They are looking exclusively for
12:17
the moonshot, the outlier, the home run. So, let's say you're running a bootstrap software business. You're pulling in
12:23
consistently maybe $10,000 in monthly recurring revenue. MR sounds pretty
12:28
good, right? You're a bootstrapper. Fantastic. But to a VC, that proves basically nothing. Why not?
12:33
That success is too incremental. The question VCs ask isn't is this operationally efficient or profitable
12:39
today. It's can this company realistically hit at least $und00 million in annual recurring revenue ARR
12:46
hundred million ARR and eventually achieve you know a multi-billion dollar valuation can it
12:52
become a unicorn right the whole VC model is built on betting on these extreme outliers because they
12:58
know going in that nine out of 10 of their investments will probably fail or return very little.
13:04
So they need that one huge win to cover all the losses. Exactly. They view the money they inject
13:10
not really as capital for measured steady growth, but more as a mechanism for survival.
13:16
Survival. Yeah. To become default alive, as they sometimes say, to have enough cash to
13:21
survive while the company aggressively chases that big vision moonshot. And that big vision. Yeah. Big vision demands speed, rapid
13:29
deployment, often involves complex, quickly evolving technology that might not even be monetized right away. So
13:35
this intense pressure to just scale scale scale means founders often deliberately choose feature velocity
13:41
over fixing technical debt makes perfect sense from their perspective. Sometimes they push code out that they know contains vulnerabilities because the
13:47
perceived cost of fixing it now means delaying a critical market opportunity or maybe missing a key fundraising
13:53
milestone. The business imperative to scale just overrides the security imperative to slow down and make things secure. And
14:00
that creates the absolute perfect environment for those simple preventable technical failures we're about to look
14:06
at next. Right. So, we've established the frankly staggering cost of failure and the
14:12
intense pressure to grow that just makes the risk worse. Yep. Now, let's look at the actual labors
14:18
organizations can pull to try and mitigate those costs. And then let's examine the fundamental technical flaws
14:24
that keep showing up in the real world. Okay, let's start with the positive. the strategic cost mitigators.
14:30
The sources actually quantify the financial benefits of having strong security practices, right? Showing that
14:37
certain investments can claw back millions in potential losses. They do and the figures are pretty compelling. The largest measurable cost
14:44
difference was tied to how deeply an organization adopted a dev sec ops approach. Devsecops shifting security left.
14:50
Exactly. It showed a staggering $1.68 68 million difference in breach costs between companies with high level
14:56
adoption versus low-level adoption. Wow. Nearly $1.7 million in savings just
15:02
by integrating security checks earlier in the development pipeline. Incredible, isn't it? Yeah. And it's not just about tools,
15:08
right? It's about having a process. Absolutely. Strong incident response or IR planning combined with regular
15:15
testing of that plan that delivered a massive $1.49 million difference in cost
15:20
mitigation. So, planning and practicing actually pays off big time. Huge payoff. And maybe most
15:27
surprisingly, even something as seemingly basic as dedicated employee training,
15:32
security awareness training. Yep. That accounted for a $ 1.5 million difference. It really shows that the
15:38
technical fixes, the preparation, and the human awareness element are all equally vital pieces of the puzzle.
15:43
Okay. So, planning, training, dev sec ops, what else moves the needle? Well, we
15:48
cannot overlook the sheer power of modern technology, specifically in addressing that speed problem we
15:54
identified earlier. Remember the 277day average life cycle? Yeah. And the extra million dollar cost
15:59
for going over 200 days, right? Organizations that made extensive use of security, AI, and automation saw
16:05
$1.76 million in cost savings compared to those who used none.
16:11
$1.76 million from AI and automation. How? Crucially, that automation delivered its value by accelerating the
16:18
breach life cycle by over a 100 days. Over 100 days faster. Yeah. That speed translates directly
16:23
into saving that $ 1.02 million penalty for slow containment we talked about. So if the average breach takes 277 days
16:32
and automation can shave off more than a hundred of those, that really is the difference between catastrophe and well
16:38
manageable mitigation. It absolutely is. That ability to rapidly triage, contain, and analyze an incident is just
16:45
invaluable in those critical moments right after an attack hits. These insights really underscore the need for smart automated tools for
16:51
security professionals, especially since we know they're often manually drowning in thousands of alerts a day. Totally. Which is why we appreciate the
16:58
support of sponsors like www.microsec.tools, which helps organizations integrate
17:03
these necessary efficiencies and hopefully reduce some of that crippling alert volume for the analysts. Okay,
17:08
good stuff. Now, let's transition from the macro strategy to the microlevel failures. Let's use those specific
17:16
anonymous case studies from the penetration test report you mentioned. Right. These are the kinds of
17:21
preventable errors that when you combine them with rapid growth and maybe poor management lead directly to those
17:27
multi-million dollar breaches. Okay. Case study number one, the system charmingly named Lazy Sadman.
17:34
Yeah. Yeah. This one is a perfect illustration of how just sheer simplicity leads to total compromise.
17:40
I'd have to get in. Full admin access was gained initially by exploiting weak or even non-existent credentials on an SMB server. Basic
17:47
stuff. Okay. But the moment of complete security collapse, the real face Paul moment came
17:52
from finding plain text credentials literally password 1 2 3 4 5 Ness
17:58
exposed in a file named deets.txt just sitting right there on the web server route. Oh my god. deets.txt.
18:03
Deets.txt. Yeah, it's astonishing, right? This isn't some complex zeroday exploit. This is a catastrophic failure of basic
18:10
operational hygiene and change control. Unbelievable. And the resulting fix needed was well,
18:15
excruciatingly simple. Remove null or guest authentication from the SMB server. Immediately delete that
18:21
deets.txt file. Please delete the deets.txt file and revoke full pseudo access from the
18:27
user named Teddogi who armed with password 1 2 3 4 5 was easily able to escalate to root privileges. This case
18:33
just perfectly shows that the $4.45 million average breach often starts with something laughably cheap and easy to
18:40
fix. If only someone had looked. If only. Okay, next case. Lemon squeezy.
18:45
Lemon squeezy. Okay, this one demonstrates the compounding disaster that happens when rapid feature
18:51
development leads to a massive buildup of technical debt. How did this one start? Initial access was gained via brute
18:57
forcing weak credentials. Again, weak credentials, this time using the enabled XML RPC interface on an outdated
19:04
WordPress instance, specifically version 4.8.9. WordPress 4.8.9. Isn't that ancient?
19:10
Practically fossilized. It hasn't been supported for years and years, right? Relying on this kind of unpatched, obsolete software is a direct
19:17
consequence of that startup environment prioritizing new features over basic maintenance. So, they got in through WordPress. Then
19:23
what? It was a chain reaction. Once inside, the attacker found another set of weak credentials hidden in a draft blog post.
19:30
Seriously, another process failure. Yep. Which then allowed them to access
19:35
PHP MyAdmin where they were able to write a web shell onto the server. Okay, so webshell means they have code
19:41
execution. Pretty much game over at that point. But there was a final insult. What was that? Privilege escalation. Getting root
19:47
access. This was achieved by exploiting a known vulnerable Linux kernel,
19:53
specifically CVE 201716995.
19:58
A known kernel vulnerability from 2017. Yes. So you see the cascade. Yeah. Vulnerable system leads to credential
20:05
exposure which leads to arbitrary code execution which leads to total root compromise via an unpatched kernel from
20:11
years ago. It's just a perfect storm of technical neglect compounded by a failure to patch basic critical flaws.
20:17
Exactly. Okay. Third case, the Mercy system. Mercy sounds ominous. This one is a masterclass in
20:23
configuration failure. Access started yet again with incredibly weak credentials. This time the user que with
20:28
the password on an SMB server. Password. Mhm. Okay. But that initial trivial access exposed
20:34
something interesting. A port knocking configuration file. Port knocking. That's kind of old
20:39
school. It is. But when the attacker successfully executed the sequence described in the file, it opened up SSH
20:47
and also a new HTTP server on port 80 that wasn't open before.
20:52
Wow. So they use the configuration documentation that was meant to secure the system to actually bypass the
20:58
security controls. Precisely clever, but also points to a fragile setup. What do they do next? The attacker then
21:04
found a local file inclusion vulnerability, an LFI, some software called RIPS running on that new web
21:11
server that just opened up. OFI, this is another classic web vulnerability. Allows reading local files, right? It's a basic input validation
21:18
failure, super common in rapid development environments using older frameworks. This LFI allowed them to
21:23
read the Tomcat users configuration file. Okay. And what was in there? Application manager credentials.
21:28
Ah, game over again. Pretty much with those application credentials, they could upload a malicious war file, get a
21:35
shell. But even that wasn't the final step to root access. There's more. One more step. Final privilege
21:41
escalation came from a file misconfiguration. A script running as the root user.
21:47
Okay. Was inexplicably writable by a lowprivilege user named Fluffy.
21:52
Fluffy. A user named Fluffy could write to a root script. I kid you not, Fluffy. This allowed the
21:58
attacker running as Fluffy to just inject arbitrary code into that root run script, achieving a root shell.
22:04
Well, these three examples just hammer it home. Multi-million dollar costs are so frequently triggered by these
22:10
preventable basic failures rooted in poor security policies, weak access controls, and just chronic patching
22:16
failures. The deep irony here listening to those examples is that every single technical flaw we just discussed,
22:22
patching that kernel, implementing strong credentials, cleaning up a damn deets.txt txt file correcting the
22:28
permissions on a script owned by Fluffy. Basic blocking and tackling. Exactly. It's the core job function of a
22:34
security professional. Yet, when we look at the state of the cyber security workforce, we see this
22:39
massive strategy gap that seems to prevent enterprises from actually fixing these fundamental issues.
22:46
This really is the crux of the whole problem. I think we talk about a severe talent crisis, but the source material
22:51
strongly suggests it's largely self-inflicted by the hiring organizations themselves,
22:57
especially the Fortune 100 companies, the ones holding the most sensitive data. So, where does it start?
23:02
Let's start with what the report calls the remote paradox. The remote paradox. Okay. The demand for highly skilled security
23:08
professionals is absolutely immense. Everyone agrees on that. Yet only 8% 8%
23:14
of enterprise cyber security roles currently offer remote work. Only 8% in security. That seems crazy
23:20
low post pandemic. It is. And this policy is actively demonstrabably limiting the talent pool
23:26
for often no good defensible reason. And do candidates actually want remote roles? The preference is undeniable. Our data
23:33
shows that 43% of those few remote job listings attracted over a 100 applicants each. Huge interest. Okay, so demand is
23:40
there from candidates. Massive demand, but now look at the time to fill metric. On-site only positions
23:46
are taking nearly three times longer to fill than remote or even hybrid roles. Three times longer.
23:52
So by demanding unnecessary physical presence, companies are strategically handicapping themselves in the war for
23:58
talent. They're ensuring that critical positions stay open longer and the backlog of essential fixes like patching
24:05
those ancient kernels just keeps growing. So inflexibility is hurting them. What else? This inflexibility is compounded by what
24:12
we're calling cyber strain. The profound burnout that's impacting the workforce. Uh burnout. Yeah, we hear a lot about
24:18
that in SOC's. SOC analysts are just drowning. They're manually triaging alert volumes that in
24:25
some reports reach over 11,000 alerts per day per analyst. 11,000 alerts a day. How is that even
24:32
possible to manage? It's not. To put that in perspective, 11,000 alerts means an analyst has less than 20 seconds to review, investigate,
24:39
and triage each potential threat, assuming they work 24/7. It's physically impossible.
24:44
Yeah, no wonder they're overwhelmed. More than half of analysts report feeling overwhelmed. And this vicious
24:49
cycle creates this category the report calls tired rock stars. Tired rock stars.
24:54
Yeah. 59% of highly engaged, top performing security professionals are experiencing severe exhaustion and are
25:02
at high risk of just leaving the industry entirely. Wow. Losing almost 60% of your best
25:07
people to burnout. And yet, when enterprises post these incredibly demanding, high strain jobs,
25:13
they show a stunning disregard for the root cause of why people are leaving. How so? Only 10% of cyber security job listings
25:21
even mention mental health or burnout support programs. Only 10%. Compare that to 70% of the same listings that mention basic health
25:27
insurance. So, they acknowledge physical health, but ignore the mental and operational strain that's driving people away.
25:34
Exactly. Enterprises seem focused on treating the symptoms like turnover rather than addressing the
25:39
self-inflicted crisis causing the burnout in the first place. Okay. So, inflexibility, burnout.
25:45
What about pay? Is that a factor? This lack of strategic investment in employee well-being is mirrored
25:50
perfectly by a lack of investment in compensation. And yes, it actively drives top talent away to adjacent
25:56
fields. The compensation gap is undeniable. How big is the gap? Cyber security roles in Fortune 100
26:02
companies average around $152,700 annually. Okay. But adjacent roles that need very
26:09
similar technical skills. Think IT security, dev sec ops, they average $160,800.
26:16
And the emerging field of observability averages $165,400.
26:21
So that's a difference of what? $8,000 to over $12,000 in average salary right there.
26:26
Minimum difference. And that doesn't even touch long-term incentives like stock options or equity. Equity. How does that compare?
26:31
Only 4% of those cyber security job postings mentioned equity compensation. Compare that to 15% for observability
26:38
roles. 15% versus 4%. That's a huge difference in potential upside. Massive. So think about it from the
26:44
candidates's perspective. observability roles which often deal with performance monitoring, data ingestion. They offer
26:51
better base pay, significantly more equity potential, and often less acute life or death stress than say incident
26:58
response. So top talent is just choosing the field that offers better pay, better quality of life, and better long-term wealth
27:05
creation potential. It's rational, isn't it? The observability field is attracting people partly because its goals often seem more
27:11
clearly aligned with business continuity and performance metrics. Their contribution feels less like a pure cost
27:17
center and more like a revenue enabler compared to traditional security roles. Okay. So this lack of support for the
27:23
rank and file connects upwards right to maturity issues at the leadership level. The strategy gap starts at the top.
27:29
It absolutely does. Our sources reveal that 19% almost one in five of Fortune 500 companies, 94 major corporations
27:37
still do not have a dedicated CISO, chief information security officer. Still in 2023,
27:43
still in many of these firms, the CIO, the chief information officer takes on the combined CIO role.
27:49
And security experts don't like that setup. They heavily criticize it. Yeah. Because it creates an inherent and often
27:55
insurmountable conflict of interest. How so? The CIO's primary mandate is driving IT
28:01
delivery, getting projects done on time, maximizing budget efficiency for IT operations.
28:07
Okay. So, when the security side demands, say, a multi-million dollar investment in a
28:12
new alert triage platform like that AI automation we just discussed that saves $1.76 million in the long run,
28:19
right? The CIO who might be focused on a massive ERP system migration may just
28:25
sideline that security request because it competes for budget and resources with their primary IT goals.
28:30
So the CIO is effectively the fox watching the hen house as the saying goes.
28:35
That's the argument. Their primary agenda for operational efficiency often competes directly with the needs of
28:41
robust, often budget intensive security and risk management. This structure almost guarantees that security is
28:47
perpetually viewed as a technical cost center, not as a critical business enabling function. And there's one final piece to this
28:53
leadership puzzle, right? A gap related to AI. Yeah, this one is really telling. There's a massive critical gap in
29:01
leadership competency regarding the very tools AI and automation that are proven
29:06
to help solve the burnout problem and save money. What's the gap? We saw that AI and automation deliver
29:12
huge cost savings. They accelerate containment by over a 100 days. It's clearly important, right?
29:18
While 46% of rank and file hands-on cyber security roles now mention needing AI experience, 0% zero of director level
29:28
or higher leadership jobs require it. 0% of leadership roles require AI experience while almost half the
29:34
practitioner roles do. Exactly. That disparity is just a profound strategic failure. The people
29:40
responsible for setting the security strategy, allocating those multi-million dollar budgets, approving the large-scale technology investments, they
29:47
lack the foundational knowledge of the key technology they are supposed to be leveraging to reduce alert volume,
29:52
combat analyst burnout, and achieve those potential $1.76 million cost savings.
29:58
Wow. So, it's a management failure to keep pace with the technical demands and opportunities of the current risk landscape. #howtr.
30:05
So, yeah, we have covered a huge amount of ground today. We've analyzed the intense pressure high growth companies
30:11
are under and the absolutely devastating financial consequences when security fails. We really have. We've seen that the
30:17
average cost of data breach is at an all-time high, over $4.45 million.
30:23
And that speed of detection, often supercharged by automation, is just critical to mitigating that cost. And we
30:30
saw how the pressure of chasing that $1 billion moonshot pushes scaling companies to prioritize feature velocity
30:36
over those foundational security measures, right? And critically the resulting technical failures. I mean, from plain
30:42
text passwords in deets.txt to ancient unpatched kernels and trivial misconfigurations like a script named
30:48
Fluffy having root permissions. Never forget Fluffy. Never forget Fluffy. They revealed that these multi-million dollar costs are so
30:55
frequently triggered by basic preventable errors, errors that shouldn't be happening.
31:00
And the core issue, the connection we wanted to draw is that the talent crisis, which is driven by low relative compensation, high cyber strain,
31:07
inflexibility about remote work, and often poor leadership structure. That crisis directly prevents
31:14
enterprises from hiring and retaining the professionals they need to fix those foundational security issues in the
31:20
first place. So the organization fails to support its people which results in persistent basic and
31:25
increasingly expensive technical vulnerabilities. It's a vicious cycle. Okay. So what does this all mean for you
31:31
listening right now? Whether you're trying to secure a startup or leading security at a large enterprise. Here is
31:37
the final provocative thought we want to leave you with today. Go for it. The perceived cyber security talent
31:43
shortage. It isn't really a lack of available people or skills out there in the world.
31:49
It is fundamentally a profound strategic and largely self-inflicted failure of
31:55
organizational management. That's a strong statement, but I think the data backs it up. Enterprises are
32:00
failing to align compensation things like long-term incentives, equity, and just basic quality of life factors,
32:07
specifically addressing cyber strain and inflexible work models. They're failing to align those with the truly
32:13
missionritical value that these security professionals deliver every single day. And the consequence
32:18
if you don't support your people, if you don't value them appropriately, they will inevitably leave. They'll go to
32:24
adjacent fields like observability or dev sec ops that offer better pay, healthier work environments, and frankly
32:30
more respect, leaving your organization fundamentally vulnerable to those basic, expensive,
32:36
and entirely preventable errors like password 1 2 3 4 5 in deeds.txt.
32:42
Exactly. Solving a technical challenge really begins with solving the talent challenge. It's about people and strategy first.
32:48
A perfect note to end on. A huge thank you to our listeners for joining this deep dive. Yeah, thanks everyone.
32:54
And we want to thank our sponsors one last time for supporting our exploration of these critical challenges. www.comoarketplace.com,
33:01
www.cedtoarketplace.services, and www.microssec.tools.
33:06
Their support is invaluable. Absolutely. We'll see you on the next deep dive.