How much should we be spending on cybersecurity?

And behind that questions there is usually a deeper executive concern about whether they are under-spending or over-spending.

No CEO wants to be seen as reckless and allow unnecessary risk, but at the same time no one CEO wants to be seen wasting budget that could be spent on revenue generating functions. And it is this tension that makes the above question so commonplace.

Let me know if you are interested in learning how I answer the question: