“The drop in post-breach spending suggests a split mindset: Some companies rely on cyber insurance to absorb the impact, while others have already built resilience through frameworks like NIST CSF [Cybersecurity Framework]. In those cases, breaches drive lessons learned and fine-tuning rather than new investments,” says Elliott Franklin, CISO of reinsurance firm Fortitude Re.
Complexity and broken processes
Todd Thorsen, CISO at data recovery vendor CrashPlan, says that some breach victims may conclude they were exposed more by the complexity of their IT environment than by insufficient investment.
“Complexity can be as big a problem as underinvestment in security — duplicative systems, poorly managed integrations, shelf-ware, etc.,” he says. “This may lead to some organizations simplifying their environments in the wake of a breach and focusing on the right tools, optimization, and consolidation.”