How to Spend Smarter on Cybersecurity
When I speak to clients about cybersecurity, one theme comes up again and again – they’re spending a lot… and often in the wrong places.
Not because they’re careless, but because the cybersecurity industry has made it very easy to invest in shiny tools that promise a lot and deliver very little unless properly configured and managed.
It’s understandable. The security landscape is complex, fast-moving, and full of pressure to “stay ahead”. But too often, that pressure leads to reactive spending rather than strategic investment.
Cybersecurity spend can spiral. But it doesn’t have to.
In fact, with a bit of clarity and focus, most businesses can reduce their long-term security costs, while actually becoming more secure in the process.
Where Cyber Budget Gets Wasted
Here’s where things often go wrong.
1. Buying Tools Without a Plan
I’ve seen companies drop six figures on tools like Darktrace, then barely log in to the dashboard. No one configured it. No one knew what the alerts meant. And when they got breached? All the signals were there, but no one was watching.
It’s not the tool’s fault. It’s a failure of process and ownership.
If you’re buying something expensive, ask yourself:
- Who’s going to configure it?
- Who’s going to monitor it?
- Who’s responsible for actioning the insights?
If the answer to any of those is “I’m not sure”, you’re not ready to buy it.
2. Pen Tests With No Follow-Up
We do penetration testing – and I’ll be honest, I think we’re pretty good at it. But if you get a report, stick it in a drawer, and don’t fix anything… What was the point?
I’d rather see a client do one pen test every two years and action everything, than do one every quarter and ignore it.
Good security isn’t just about knowing where the gaps are. It’s about closing them.
3. Cyber Insurance as a Substitute for Strategy
Cyber insurance has its place. It can help with recovery costs and legal fallout. But it won’t protect your reputation. It won’t prevent a breach. And it definitely won’t stop your customers walking away if their data ends up on the dark web.
Worse, some companies treat it like a get-out-of-jail-free card: “Don’t worry, we’ve got insurance.”
I’ve seen those policies. Most of them don’t pay out unless you’ve demonstrated decent controls and a lack of negligence in the first place.
So if your approach to security is “we’ll let the insurer handle it”, you’re in for a shock.
The Hidden Costs That Add Up
Not all waste is obvious. Some of it is death by a thousand cuts:
Overlapping licences
- Got traditional antivirus, plus an xDR solution, plus a vulnerability scanner that also does endpoint protection?
- You might be paying three times for the same function.
Shadow IT
- Teams spinning up their own tools without telling central IT – naughty
- You end up with two different vulnerability tools running in parallel, and no one’s coordinating.
Log hoarding
- Keeping absolutely everything “just in case” and racking up huge storage bills with no plan to review or use it.
Password reset treadmill
- If your helpdesk is spending half its time on forgotten password requests, that’s real money.
- Modern IAM solutions can help reduce this pain, but again, only if someone owns the process.
None of these will bankrupt you on their own. But together? They drain resources, distract your team, and make your setup harder to manage.

Where the Money Should Go
Now, I’m not saying you shouldn’t invest in tech. Of course you should – the right tools, in the right hands, can do a brilliant job.
But here’s the thing: you don’t need a cutting-edge AI threat engine to make meaningful progress. Most of the time, it’s about doing the basics well and consistently. That’s where the real value is.
Here’s what I consider proper, high-impact spend – the kind of foundational stuff that improves security and makes financial sense.
1. Phishing-Resistant MFA
Let’s start with MFA (Multi-Factor Authentication).
Yes, I know almost every business has it. But in reality? It’s often partial, inconsistent, or trivially easy to bypass.
Phishing-resistant MFA means exactly that – it’s resistant, and can’t be fooled by a dodgy login screen or tricked by someone clicking a bad link. You’re using things like hardware tokens or authenticator apps with proper protections in place.
More importantly: it needs to be everywhere. Not just on your email accounts. Not just for senior management. If there’s a system someone can log into, MFA should be on it. No exceptions. No “we’ll roll that out later”; the edge cases are exactly what an attacker looks for.
It’s one of the simplest and most effective defences you can implement, and the cost is tiny compared to what it prevents.
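One way to turn “MFA should be on everything” into something you can actually check is a coverage audit over an inventory of login surfaces. The script below is an added example, not code from the original post or from Cyber Alchemy; the inventory is constructed, and the split between phishing-resistant methods (origin-bound credentials such as FIDO2/WebAuthn and passkeys) and everything else is an assumption you should adjust to the methods your own policy accepts.

```python
"""Audit MFA coverage across an inventory of login surfaces (added example).

The inventory below is constructed for illustration.  Which methods count as
phishing-resistant is an assumption made here: origin-bound credentials
(FIDO2/WebAuthn, passkeys, smartcards) cannot be replayed from a look-alike
login page; everything else is flagged for review.
"""
from dataclasses import dataclass

PHISHING_RESISTANT = {"fido2", "webauthn", "passkey", "smartcard"}
PHISHABLE = {"totp", "push", "sms", "email", "voice"}


@dataclass(frozen=True)
class LoginSurface:
    system: str          # anything a person can log in to
    user_group: str      # who logs in here
    mfa_method: str      # method enforced, or "none"
    exception: str = ""  # any recorded "we'll roll that out later"


def classify(method: str) -> str:
    """Map an enforced method to phishing-resistant / phishable / missing / unknown."""
    m = method.lower()
    if m in PHISHING_RESISTANT:
        return "phishing-resistant"
    if m in PHISHABLE:
        return "phishable"
    if m == "none":
        return "missing"
    return "unknown"


def audit(inventory):
    """Return one finding per surface that falls short of phishing-resistant MFA."""
    findings = []
    for s in inventory:
        state = classify(s.mfa_method)
        if state == "phishing-resistant":
            continue
        findings.append({
            "system": s.system,
            "group": s.user_group,
            "state": state,
            "method": s.mfa_method,
            "exception": s.exception or "(none recorded)",
        })
    return findings


def coverage(inventory) -> float:
    """Fraction of login surfaces enforcing phishing-resistant MFA."""
    if not inventory:
        return 0.0
    ok = sum(1 for s in inventory if classify(s.mfa_method) == "phishing-resistant")
    return ok / len(inventory)


# Constructed sample inventory (hypothetical systems, not a real estate).
SAMPLE = [
    LoginSurface("email", "all staff", "fido2"),
    LoginSurface("vpn", "all staff", "push", exception="rollout planned later"),
    LoginSurface("hr-portal", "hr team", "none"),
    LoginSurface("cloud-console", "admins", "webauthn"),
    LoginSurface("legacy-finance-app", "finance", "sms", exception="vendor limitation"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['system']:<20} {f['group']:<10} {f['state']:<19} "
              f"{f['method']:<6} {f['exception']}")
    print(f"phishing-resistant coverage: {coverage(SAMPLE):.0%}")
```

The useful output is not the percentage but the findings list: every row with a recorded exception is a login surface where the “later” never came, and every row with state `missing` is a system someone can log into with a password alone.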
2. Security Awareness Training That Actually Works
Most security training is too brief.
A video, a few tick boxes at the end, maybe a passive-aggressive reminder if you fail a phishing test. That’s not education. That’s box-ticking.
What actually works is real engagement. Sit down with people. Talk to them. Show them how phishing works in the real world. Make it relevant to their role, make it human.
We’ve run workshops where someone’s said, “I’ve seen that exact email in my inbox!” That moment of recognition? That’s where behaviour starts to change.
3. Automated Patching and Configuration Management
This is the unglamorous stuff. The bits no one wants to talk about because it sounds technical and dull.
But make no mistake, it’s one of the biggest difference-makers in security.
Most breaches don’t happen because hackers are geniuses. They happen because a known vulnerability wasn’t patched, or because someone had admin rights when they shouldn’t have.
Setting up a good patching regime, automated where possible, means you’re closing off the obvious routes in. Same goes for keeping configurations clean and standardised. No random open ports, no misconfigured permissions, no “temporary” access left in place for three years.
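The three things that paragraph names (temporary access that outlives its purpose, ports that should not be listening, and patches that sit unapplied) are all checkable against an inventory. The script below is an added example, not code from the original post or from Cyber Alchemy; the host and access data are constructed, and the thresholds, host roles and patch identifiers are assumptions, so swap in your own policy values.

```python
"""Hygiene checks for the obvious routes in (added example).

Constructed inventory of access grants and hosts; the thresholds, host roles
and patch identifiers are assumptions made for this example.
"""
from datetime import date, timedelta

# Policy thresholds (assumed).
TEMP_ACCESS_MAX_DAYS = 30   # "temporary" access older than this is stale
PATCH_SLA_DAYS = 14         # pending patches older than this are overdue
ALLOWED_PORTS = {"web": {443}, "db": {5432}, "bastion": {22}}  # per host role


def stale_temporary_access(grants, today):
    """Grants marked temporary that have outlived the allowed window."""
    limit = timedelta(days=TEMP_ACCESS_MAX_DAYS)
    return [g["user"] for g in grants
            if g["temporary"] and today - g["granted"] > limit]


def unexpected_ports(hosts):
    """(host, port) pairs listening outside the allow-list for the host's role."""
    findings = []
    for h in hosts:
        extra = set(h["listening"]) - ALLOWED_PORTS.get(h["role"], set())
        findings.extend((h["name"], port) for port in sorted(extra))
    return findings


def overdue_patches(hosts, today):
    """(host, patch id) pairs where the patch has been available longer than the SLA."""
    limit = timedelta(days=PATCH_SLA_DAYS)
    return [(h["name"], p["id"]) for h in hosts
            for p in h["pending_patches"] if today - p["released"] > limit]


def hygiene_report(grants, hosts, today):
    """Bundle the three checks so a single job can run them and alert on any hit."""
    report = {
        "stale_temporary_access": stale_temporary_access(grants, today),
        "unexpected_ports": unexpected_ports(hosts),
        "overdue_patches": overdue_patches(hosts, today),
    }
    report["clean"] = not any(report[k] for k in
                              ("stale_temporary_access", "unexpected_ports", "overdue_patches"))
    return report


# Constructed sample data.  The date is fixed so the results are reproducible.
TODAY = date(2024, 6, 1)
GRANTS = [
    {"user": "contractor-a", "temporary": True, "granted": date(2021, 5, 3)},   # ~3 years ago
    {"user": "ops-b", "temporary": False, "granted": date(2022, 1, 10)},
    {"user": "intern-c", "temporary": True, "granted": date(2024, 5, 20)},      # 12 days ago
]
HOSTS = [
    {"name": "web-01", "role": "web", "listening": [443, 8080],
     "pending_patches": [{"id": "PATCH-EXAMPLE-1", "released": date(2024, 4, 1)}]},
    {"name": "db-01", "role": "db", "listening": [5432],
     "pending_patches": [{"id": "PATCH-EXAMPLE-2", "released": date(2024, 5, 25)}]},
    {"name": "bastion-01", "role": "bastion", "listening": [22, 3389], "pending_patches": []},
]

if __name__ == "__main__":
    for key, value in hygiene_report(GRANTS, HOSTS, TODAY).items():
        print(f"{key}: {value}")
```

Run on a schedule, this is the “automated where possible” part: the checks are cheap, and a non-empty finding is a ticket for someone with ownership, not a dashboard nobody opens.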
4. Reliable Backups and Tested Recovery Plans
Everyone says they have backups.
But when something goes wrong and you ask, “Great, how quickly can we restore?”, that’s when the silence kicks in.
Having backups is step one. Testing them regularly, knowing how long it takes to recover, and having a plan for who does what – that’s a real security strategy.
Because in the middle of a ransomware attack or system failure, you won’t have time to figure it out. You need a clear, rehearsed process that gets you back up and running with minimal disruption.
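“How quickly can we restore?” only has an answer if the restore has been run and timed. The script below is an added example, not code from the original post or from Cyber Alchemy: it builds a constructed backup set in a temporary directory, records a manifest of file hashes at backup time, runs a restore routine, then verifies every file against the manifest and compares the elapsed time with a recovery-time objective. The RTO value and the deliberately flawed restore routine are assumptions made to show what a failed drill looks like.

```python
"""Restore drill: restore, verify against the backup manifest, time it (added example).

The backup set is constructed in a temporary directory and the RTO target is
an assumed value; in a real drill restore_fn would be your actual restore
procedure and the manifest would be written when the backup was taken.
"""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

RTO_TARGET_SECONDS = 4 * 60 * 60  # assumed recovery-time objective: four hours


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root, keyed by relative path; taken at backup time."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict) -> list:
    """Relative paths that are missing from the restore or whose content differs."""
    problems = []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file() or sha256_of(p) != expected:
            problems.append(rel)
    return problems


def restore_drill(backup: Path, target: Path, manifest: dict, restore_fn) -> dict:
    """Run restore_fn(backup, target), time it, and verify the result."""
    start = time.monotonic()
    restore_fn(backup, target)
    elapsed = time.monotonic() - start
    problems = verify_restore(target, manifest)
    within_rto = elapsed <= RTO_TARGET_SECONDS
    return {"elapsed_s": elapsed, "within_rto": within_rto,
            "problems": problems, "ok": within_rto and not problems}


def run_demo() -> dict:
    """Constructed drill: two files backed up, one silently truncated on restore."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1);\n")
        (backup / "config.yaml").write_text("retention_days: 30\n")
        manifest = build_manifest(backup)

        def flawed_restore(src: Path, dst: Path) -> None:
            # Hypothetical restore routine: copies everything, then loses one file's
            # contents, the kind of failure that only a verified drill surfaces.
            shutil.copytree(src, dst)
            (dst / "config.yaml").write_text("")

        return restore_drill(backup, Path(tmp) / "restored", manifest, flawed_restore)


if __name__ == "__main__":
    result = run_demo()
    print(f"restore took {result['elapsed_s']:.3f}s, within RTO: {result['within_rto']}")
    print(f"files failing verification: {result['problems']}")
    print("drill passed" if result["ok"] else "drill FAILED")
```

The point of the drill result is that “the restore finished” and “the restore is correct” are different questions: here the copy completes well inside the RTO, yet the drill fails because one file came back empty, which is exactly what you want to discover in a rehearsal rather than mid-incident.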
What to do next?
You don’t need to spend millions to be resilient.
You just need to spend wisely – focusing on what actually reduces risk, rather than what looks impressive in a presentation.
Here’s what I’d recommend:
- Review your tools. Are they being used? Configured? Actively improving your security posture?
- Look at your people. Do they have the time, skills and support to act on the outputs?
- Think longer term. Are you building a sustainable setup or just reacting to the latest scare?
- Ask yourself: What’s actually making us safer?
And if you’re not sure where to start, or what to keep, Cyber Alchemy can help.
We’re not here to push more tools or add extra complexity. In fact, quite the opposite. We work with you to strip things back, focus on what matters, and actually get value from what you’ve already got.
You don’t have to choose between secure and affordable. You can have both.
So if you’re sitting there thinking, “Are we actually getting our money’s worth?” – let’s have a proper chat. We’ll help you make sense of it all.