Information security dogmas - long live the echo chamber

A short time ago I saw another one of those commonly held InfoSec wisdoms: as your organisation’s information security matures, your budget shifts from mostly spending on prevention technologies to spending on detection and response technologies. In other words, “we’re not mature, so we are spending 90% on prevention and the remaining 10% on detection and response”. The immaturity is in the approach, not the capability.

Majority of the budget on prevention

You spend a lot of time and money on controls to keep the bad actors out.