Where is there cyber abundance?
What is cyber abundance? Where can someone spend money on cybersecurity and get more money back? Consider business development marketing, where "if you buy this service" or "implement these strategies", the ROI will be 5x, 10x, 100x! "Listen to these testimonials from clients…" That kind of messaging is warmly received because it speaks to abundance: turning 5 talents into 10 talents.
In contrast, security is about preventing something bad from happening. If there were no threats, the ROI of cybersecurity would be zero. There is an upper limit on security ROI because you are fundamentally trying to spend less than the impact of an incident. A constant message of "more, more, more" to executives is ignored because they are listening to risk managers quoting the expected loss of an incident, and eventually you are asking for more money than that. At that point, accepting risk becomes acceptable.
Thus the problem of cybersecurity is not how to spend more, but how to spend better. Is there a way to spend less and alter your risk profile such that the expected loss of incidents is reduced? If so, this is a great message for business leadership because it speaks to them as a way to free up capital.
Cybersecurity professionals too often get wrapped up in "perfect" security, which is warranted less often than they would like to hear. I know because I was there. I was frustrated when management rejected asks for amazing security systems. I failed to realize that I was exceeding the value of security to the organization because they simply weren't that high profile of a target.
How do we find the path to spend better? Security Energy. By directly measuring the influence energy of a threat, the correct amount of security energy can be spent to mitigate the threat and free up money and attention for what really matters to the business.