Walk into most organizations and ask what they are doing about cybersecurity, and you will get a list of purchases. A firewall. An endpoint product. A scanner. A new platform someone was convinced to buy after a frightening keynote. The list is usually long, and usually expensive.

Then ask a quieter question: are you actually safer than you were last year?

The pause that follows is the whole problem.

Two different verbs

Spending and investing look identical on a budget line. The money leaves the account either way. But they are not the same act, and confusing them is the most common — and most expensive — mistake I see.

Spending is what happens when fear meets a sales cycle. Something scares you, a product promises to make the fear go away, and you buy it. The relief is immediate and the value is often gone within a quarter. You have a new tool, a new login, a new thing to maintain, and roughly the same exposure you started with.

Investing is different. An investment compounds. It makes the next decision easier, the next risk clearer, the next year cheaper to defend than the last. It builds something that is worth more over time, not less.

Spending buys you a tool. Investing buys you a capability the tool was only ever a small part of.

The tragedy is that the two feel the same in the moment. Both involve writing a check and feeling, briefly, that you have done something responsible. Only one of them is true a year later.

Where the money actually goes

In my experience, the overwhelming majority of what organizations pour into security goes toward spending, not investing — toward tools and reactions, not toward the discipline that would make those tools effective. A small fraction goes toward the things that actually compound: leadership, judgment, a way of working that gets sharper every year.

That small fraction is where real resilience lives. It is the difference between the organizations that absorb a bad day and the ones that are defined by it.

The good news is that you do not need to be in that small fraction by accident of budget. You can choose to invest deliberately, even modestly, and outperform organizations spending many times more, because you are buying capability while they are buying relief.

How to tell which one you are doing

You do not need a consultant to diagnose this. You need three honest questions.

  • Does it compound, or does it expire? A tool you will re-evaluate and re-purchase every year is a cost. A discipline your team gets better at every year is an investment. Ask which one you are funding.
  • Is it built on leadership, or on alerts? Security that runs on a person making good decisions, supported by good tooling, compounds. Security that runs on a stream of alerts nobody has time to read does not. Tools should serve a leader's judgment — not replace it.
  • What happens when the vendor leaves the room? If the value walks out with the salesperson, you spent. If the capability stays inside your organization, you invested.

None of this means tools are bad. The right tooling, in service of the right discipline, is essential. The point is the order: discipline first, tools in service of it. Reverse that order and you will spend forever and never feel safe.

The discipline underneath

Everything I have described comes down to having a way of working — a method for seeing risk clearly, prioritizing it honestly, and carrying it as an organization rather than as a pile of disconnected purchases. That is the work of leadership, not procurement, and it is the part that compounds.

It is the conviction behind everything we build, including AQUILA C4I — our attempt to take the operating discipline that the best-resourced security teams run on and put it within reach of any organization, not just the few who can afford to invest at scale.

But the platform is downstream of the idea. The idea is simpler, and it is free: stop spending on fear, and start investing in capability. Once a leader truly sees the difference, they rarely go back.

Chen Heffer

Founder & CEO, CyTech International

CISO strategist & mentor · inventor of the CRAM™ methodology · author of the CISO Training Series. Thirty years in the seat, now spent beside the leaders coming after.