The idea that the spending needs to grow linearly with the growth is a damning indictment of the mindset of the vast ineffectual mess that is the cybersecurity industry.
It’s not a popularly held mindset, either within the security industry or outside of it. This piece seems to be pitched at salespeople whose only job is to extract money from other companies.
Basic security hygiene pretty much removes ransomware as a threat.
Serious professionals use one or more spending models to determine budget.
My favorite is the Gordon-Loeb model[0], but there are others that are simpler and some that are more complex. Almost none imply the budget should naively grow linearly in lockstep with prevalence.
I think TFA doesn't really mean to imply that it should, merely that there is a likely mismatch.
The same is true in government. For instance in the UK with the NHS and other services, we often look at total spending and assume that spending has to stay at least constant in real terms or grow, when in reality you want some metric of spending per outcome.
Was looking for the comment that addresses the clickbait-y headline, found this top comment by you, was not disappointed.
> damning indictment of the mindset of the vast ineffectual mess that is the cybersecurity industry
Cybersecurity is not about stopping issues but about compliance and liability. Attend RSA once, and you will see it yourself.