The Internet is just 10 to 15 years old in terms of its impact on enterprise security. Security data is by and large outlier data because outbreaks that cause significant harm are still pretty rare. Fortune 500 companies who take the approach of managing an enterprise risk portfolio have had the best measure of success in understanding and controlling their risk with limited resources. The most rational approach at the executive level is to identify your desired risk posture and budget for security operations, but set aside an emergency fund to handle those years when the barbarian makes it into the keep.”]
Source: https://www.csoonline.com/article/2122229/the-risk-portfolio.html