Years ago, David Mahdi, now a CISO advisor at Transmit Security, found himself in a situation no security leader wants to face: abrupt, mid-year budget cuts, with no option to delay. “It was an uncontrollable convergence of internal issues, legacy tech debt, market pressure, and geopolitics, all coming together at once,” he says. The financial squeeze forced him to make painful trade-offs, fast.
“Given the rapid pace at which these cuts were required, we recognized that the process wouldn’t be flawless and would inevitably create gaps,” he tells CSO.
That experience shaped how he approaches financial constraints. He now urges CISOs facing similar challenges to set clear priorities and make intentional, well-considered decisions about what to scale back and what to protect at all costs. “Beware the false economy of slicing thin across everything. It creates invisible fragility. Nobody feels the cut until something breaks.”
Preserving security while reducing resources can feel like an impossible task. Every decision comes with trade-offs, and the margin for error is slim.
How to trim without breaking things
The days of double-digit growth in cybersecurity spending may be behind us. One in eight CISOs reported budget cuts in 2024, while about a quarter of them said their budgets have remained flat, according to the Security Budget Benchmark Report by IANS Research and Artico Search. Even among the majority who did receive more funding, most reported only modest bumps — typically between 1% and 5%. Unsurprisingly, nearly a third of CISOs said their current budgets fall short of what’s needed.
When breaking down spending, the largest portion (37%) goes to staff and compensation. Off-premises software accounts for 23%, followed by smaller allocations to outsourcing, on-premises tools, and specific projects. Only 5% goes to hardware, and 4% of budgets is directed toward training and development. Finally, just 3% is reserved for discretionary spending.
This lean allocation means that when budget cuts strike, security leaders are left making tough calls, often with no clear options. Choosing what to protect, what to scale back, and how to do it without exposing the organization to risks requires strategic thinking. But just as important is the mindset. “When budgets shrink, I see it as an opportunity to validate previous risk assumptions, challenge legacy spend, and align security investments with business-critical outcomes,” Mahdi says.
He uses a structured approach that’s built around three dimensions:
- Strategic risk (high, medium, low): What’s the actual exposure if this control fails?
- Business alignment: Which functions are enabling revenue, customer trust, or compliance?
- No-brainers: These are redundant tools, shelfware, or “security theatre” controls that look good on paper but deliver no measurable protection.
For this assessment, Mahdi brings together a cross-functional team that includes business unit leaders, security architects, threat intelligence leads, and trusted peers both inside and outside the organization. This collaborative approach not only spreads accountability but also helps uncover blind spots and align cuts with the organization’s overall risk posture.
He also relies on key metrics that help him assess whether certain tools or processes are efficient, and weighs coverage versus complexity, trying to determine whether a solution is addressing a unique security challenge or merely duplicating existing efforts. Finally, he considers how quickly an investment can deliver measurable outcomes. Using this framework, CISOs can identify areas that can be scaled back without significantly increasing risk.
Where to start
One of the first areas to evaluate is redundant tooling. “If two tools do 70% of the same job, keep the one with better integration and support,” Mahdi says. Then, CISOs can move on to legacy compliance-driven controls, which can often be rationalized. “Focus on effective controls, not checkbox ones, especially in organizations over-indexed on legacy governance, risk and compliance.”
Cutting should be done carefully, though. “Compliance with applicable regulations is non-negotiable,” says Laura Gonzalez Priede, CISO of Approach Cyber. That’s why it’s essential for security leaders to have a clear understanding of their legal obligations and ensure that any adjustments to the security program don’t jeopardize compliance or the ability to meet core business needs.
Not every budget decision is black and white. Some initiatives, like innovation or experimental projects, live in a grey zone; they’re valuable, but not always urgent. In times of financial pressure, these efforts can be temporarily shelved, especially if they don’t address pressing threats or compliance needs.
However, to maintain team morale during a pause in innovation projects, Mahdi suggests having them work on a detailed ramp-up strategy for when budget conditions improve. This should give them a sense of purpose while also ensuring that the organization can quickly regain momentum when more resources become available.
In times of cutbacks, Gonzalez Priede prioritizes people and processes over tools. “While tools are important, many can be replaced with open-source or internally developed alternatives,” she says. “A strong process, supported by capable people, can often compensate for the absence of a specific tool.”
When it comes to personnel cuts, Mahdi highlights the importance of looking beyond job titles or technical certifications. “Don’t assume the most technical roles are the most critical. Sometimes the people who glue security to the business are your highest-leverage assets.”
Bad decisions can cost more than you can save
Choosing where to trim a cybersecurity budget is rarely straightforward, and rushing the process only raises the stakes. That makes it all too easy to make cuts that seem practical in the moment but ultimately compromise resilience or introduce hidden vulnerabilities down the line.
“From what I have seen, far too often, CISOs under pressure slash detection and response capabilities, incident readiness exercises, and security operations roles,” Mahdi says.
They assume stronger prevention means they can spend less on what happens after a breach, but that’s a risky bet. “Something always breaks! And while prevention is great, something always gets in,” he says. “When something breaks, it’s not the control count that matters. It’s your response time, containment, and ability to bounce back.”
During his time as a Gartner analyst, Mahdi saw this play out. “In one scenario, a CISO cut back on IR readiness and outsourced Tier 1 SOC to save budget,” he recalls. “When a breach hit, the provider missed early signs, and without internal muscle, the organization lost critical hours before even understanding the scope.” In cases like this, the actual loss isn’t just data, it’s also credibility.
Another mistake CISOs make is cutting cross-functional roles like embedded product security, governance leads, or business-aligned risk advisors. “These roles are connective tissue,” Mahdi says. “Without them, security becomes reactive, misunderstood, and sidelined.”
CISOs might also go silent during cutbacks, pulling back on transparency. “They should do the opposite!” he says. “Show what’s being protected, and what’s being risk-accepted. Own the trade-offs and be confident.”
Being transparent and keeping people in mind is essential, particularly during difficult times. One common regret Gonzalez Priede sees among CISOs is underinvesting in staff and training, which can quietly erode team capabilities. “Ongoing education ensures that staff remain competent and security-aware, which is vital in a constantly evolving threat landscape,” she says. Also, cutting the wrong roles or skimping on talent often leads to inefficiencies, misaligned priorities, and higher long-term costs.
Another frequent oversight is the lack of well-documented processes, which are essential for continuity, especially when key personnel leave. “Without them, organizations risk losing critical knowledge and consistency in execution, which can add risks not previously foreseen,” she says.
But, counterintuitively, scaling back can also have an upside. Gonzalez Priede says it encourages security leaders to take the time to reevaluate priorities and refine processes to be more agile and outcome-driven. “The transition period must be carefully managed with proper planning and monitoring.”