{"id":2372,"date":"2025-03-18T06:00:00","date_gmt":"2025-03-18T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2372"},"modified":"2025-03-18T06:00:00","modified_gmt":"2025-03-18T06:00:00","slug":"not-all-cuts-are-equal-security-budget-choices-disproportionately-impact-risk","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2372","title":{"rendered":"Not all cuts are equal: Security budget choices disproportionately impact risk"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Inadequate security budgets to support technology upgrades, security training, and business initiatives have a disproportionate impact in making businesses more susceptible to attacks, according to new research.<\/p>\n<p>A survey of 600 CISOs in Europe, the US, Australia, and Japan commissioned by Splunk found a language and priority gap between boards and security leaders. 
CISOs are under pressure to rein in spending and outsource functions while demonstrating the business value of security initiatives.<\/p>\n<p>The survey by the Cisco-owned security and observability firm found that cutting back in some areas, such as staff training and technology upgrades, is far more likely to lead to a material security incident than cutting in others.<\/p>\n<p>Such insights from their surveyed peers could help CISOs shape a more compelling risk-oriented argument when pushing back against proposed cuts from the board, or, in the worst case, inform their own investment choices when faced with budget constraints.<\/p>\n<p><strong>Impact of inadequate security budgets<\/strong> <\/p>\n<div class=\"overflow-table-wrapper\"><table><thead><tr><th>Cost-cutting measure<\/th><th>Share of CISOs who experienced it due to inadequate budget<\/th><th>Share of those CISOs whose organization then suffered a successful breach or attack<\/th><\/tr><\/thead><tbody><tr><td>Postponed technology upgrades<\/td><td>52%<\/td><td>62%<\/td><\/tr><tr><td>Reduced security solutions and tools<\/td><td>50%<\/td><td>19%<\/td><\/tr><tr><td>Imposed security hiring freeze<\/td><td>40%<\/td><td>29%<\/td><\/tr><tr><td>Scaled back\/eliminated security training<\/td><td>36%<\/td><td>45%<\/td><\/tr><tr><td>Failed to support a business initiative<\/td><td>18%<\/td><td>64%<\/td><\/tr><\/tbody><\/table><\/div>\n<p>[Source: Splunk]<\/p>\n<h2 class=\"wp-block-heading\">Postponed upgrades<\/h2>\n<p>As cyber threats evolve at an unprecedented pace, delaying essential technology upgrades can severely weaken an organization\u2019s defenses. New releases are introduced to add security capabilities and to address recently identified weaknesses, so an organization that postpones them keeps running systems with known gaps.<\/p>\n<p>\u201cOutdated systems lack new features and functionality that allow for more sophisticated offerings, like moving to the cloud,\u201d Kirsty Paine, a Splunk spokesperson, told CSO. 
\u201cWithout newer security features, moving information to the cloud could leave room for vulnerabilities.\u201d<\/p>\n<p>Postponed technology upgrades can also leave organizations dependent on outdated legacy systems, thereby accumulating security debt.<\/p>\n<p>CISOs reported that postponing upgrades, the most common cost-cutting measure (52%), resulted in a breach 62% of the time.<\/p>\n<h2 class=\"wp-block-heading\">Scaled back security training<\/h2>\n<p>When budgets are cut, many organizations scale back or eliminate training programs altogether, leaving employees unprepared to recognize potential threats.<\/p>\n<p>This becomes a problem because human error, such as misconfiguring software or infrastructure, frequently leads to downtime and lost revenue. Cutting back on <a href=\"https:\/\/www.csoonline.com\/article\/3604803\/security-awareness-training-topics-best-practices-costs-free-options.html\">security awareness training<\/a> also erodes the security culture across the organization.<\/p>\n<p>\u201cSecurity training is crucial for reducing human error, and empowering employees to identify phishing attacks, so by eliminating trainings, organizations are more susceptible to a breach,\u201d Splunk\u2019s Paine said.<\/p>\n<p>More than a third of CISOs (36%) reported training cuts due to budget constraints, and 45% of those experienced a successful attack as a result.<\/p>\n<h2 class=\"wp-block-heading\">Failure to support business initiatives<\/h2>\n<p>Security teams are not always allocated the staff, time, or other resources needed to support the evolution or growth of their company, creating a mismatch between security capabilities and the business initiatives they are meant to secure.<\/p>\n<p>This often occurs with digital initiatives undertaken for expediency, such as the recent rush to adopt AI, which has resulted in many organizations <a 
href=\"https:\/\/www.csoonline.com\/article\/3529615\/companies-skip-security-hardening-in-rush-to-adopt-ai.html\">skipping traditional security hardening measures<\/a> in favor of quick wins and widespread experimentation.<\/p>\n<p>\u201cBusiness initiatives could be new products or features, or a different way of working [working from home],\u201d Splunk\u2019s Paine explained. \u201cWhatever the initiative is, without support from security, these initiatives are often designed without security in mind.\u201d<\/p>\n<p>Paine added: \u201cTrying to \u2018add security in afterwards\u2019 has been known for a long time to be a worse approach than \u2018security by design.\u2019\u201d<\/p>\n<p>Few CISOs (18%) received inadequate funding to support business initiatives, according to the survey, but nearly two-thirds of those (64%) suffered a breach as a result.<\/p>\n<h2 class=\"wp-block-heading\">Communication disconnect<\/h2>\n<p>Splunk\u2019s study \u2014 entitled <a href=\"https:\/\/www.splunk.com\/en_us\/pdfs\/gated\/ebooks\/ciso-report-2025.pdf\">The CISO Report<\/a> \u2014 reveals a disconnect between CISOs and boards regarding security funding, with 41% of boards deeming their security budgets sufficient, compared to only 29% of CISOs.<\/p>\n<p>\u201cThis disparity often stems from boards viewing security budgets as a tactical concern, rather than considering their broader impact on the business,\u201d Paine said. \u201cTo shift this perspective, CISOs must explain the value of their work in terms of business outcomes, such as the revenue that\u2019s being protected and the brand reputation they\u2019re saving.\u201d<\/p>\n<p>Boards protect profitability while CISOs are focused on protecting data and systems. 
To bridge this gap, board members and CISOs need to identify areas of near or equal importance for their respective stakeholders, Splunk advises.<\/p>\n<p>\u201cFor example, instead of focusing on the mean time to resolve (MTTR) [problems], CISOs should prioritize risk reduction and communicate to the board the importance of mitigating risks which lead to higher ROI, which are terms they are more familiar with,\u201d Paine concluded.<\/p>\n<p>Knowing how to <a href=\"https:\/\/www.csoonline.com\/article\/656230\/how-to-ask-the-board-and-c-suite-for-security-funding.html\">sell the board on security funding<\/a> is an art CISOs must master, as is <a href=\"https:\/\/www.csoonline.com\/article\/3829678\/what-cisos-need-from-the-board-mutual-expectations-respect.html\">ensuring mutual respect on expectations<\/a> so that needs flow both ways between board and CISO.<\/p>\n<h2 class=\"wp-block-heading\">Justifying security spending<\/h2>\n<p>Independent experts quizzed by CSO agreed with the report\u2019s conclusion that proper funding is essential for cyber defense. CSOs under pressure to scale back security spending or training need to fight their corner and justify spending commitments in business, rather than technical, terms.<\/p>\n<p>Jonathan Lee, UK cybersecurity director at Trend Micro, said that enterprises still often regard security expenditure as a cost to be cut in the pursuit of profit rather than as an investment that supports growth.<\/p>\n<p>\u201cManagement of organizations being reactive to threats that hit is not acceptable,\u201d Lee argued. 
\u201cWith only around a third of organizations having a board member with cybersecurity knowledge, it\u2019s time to cut through the optimism bias that can prevail at the top levels and strategically underpin the aims of the organization with security measures that significantly reduce vulnerabilities that lead to being breached in the first place.\u201d<\/p>\n<p>Trey Ford, CISO for the Americas at bug bounty platform Bugcrowd, accepts that tough economic conditions mean that budgets are tight but argues that cutting security spending to support previously agreed projects would be perilous.<\/p>\n<p>\u201cBudget cuts affect every aspect of security planning, strategy, and operations \u2014 all of which are a complex tapestry orchestrated across the business in alignment with the risk committee,\u201d Ford told CSO.<\/p>\n<p>Frozen headcount is more than frustrating for operational security teams \u2014 it accelerates alert fatigue, on-call rotations, and <a href=\"https:\/\/www.csoonline.com\/article\/3631614\/cybersecurity-is-tough-4-steps-leaders-can-take-now-to-reduce-team-burnout.html\">burnout<\/a>. Lost funding for tooling and projects may exacerbate gaps in visibility \u2014 restricting logging coverage, monitoring and alerting, or testing and tracking of vulnerabilities in systems and applications.<\/p>\n<p>\u201cSecurity initiatives losing funding are rarely in the \u2018nice to have\u2019 category \u2014 they\u2019re almost always tied to addressing risk items and control gaps that have been prioritized by the risk committee,\u201d Ford said. 
\u201cThe risk being treated, and projects being de-funded, will need fresh risk-acceptance, and may require reporting back to the board of director\u2019s risk committee.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Align and communicate on risk<\/h2>\n<p>Ilia Kolochenko, CEO of application security testing vendor Immuniweb, argues that security leaders need to formulate a coherent cybersecurity strategy.<\/p>\n<p>\u201cNumerous organizations tend to have overlapping and thus redundant solutions from different vendors, while allocating from little to no time to do proper triage of security alerts and incident response,\u201d Kolochenko said.<\/p>\n<p>\u201cWorse, an alarmingly small percentage of organizations have a well-defined, long-term oriented, and holistic cybersecurity strategy, which would encompass such crucial areas as third-party risk management, misconfigurations, and broken IAM in a multi-cloud environment, container security, or emerging gen AI risks, including over-reliance of software engineers on synthetic code <a href=\"https:\/\/www.csoonline.com\/article\/3633403\/how-organizations-can-secure-their-ai-code.html\">from gen AI bots that frequently contains vulnerabilities<\/a> or even backdoors,\u201d Kolochenko said.<\/p>\n<p>CISOs and boards need to align their priorities and agree on a communication style where cyber risk can be understood, articulated, and mitigated on a constant basis.<\/p>\n<p>\u201cThis will help ensure that decision-making and investments are made on an informed basis,\u201d Lee said. 
\u201cThis should enable budget to be spent in the right areas, which in turn will make sure that regulatory compliance is adhered to, and services keep running.\u201d<\/p>\n<p>Foundational elements such as training, system updates, disaster recovery planning, incident response, and compliance monitoring are essential to maintaining a strong security posture, according to Alan Radford, field strategist at identity security vendor One Identity.<\/p>\n<p>\u201cBusiness-enabled cybersecurity is not about buying the most expensive tools but aligning technology, processes, and people to reduce risk effectively,\u201d Radford told CSO. \u201cSecurity leaders must communicate to the board that risk reduction is not just a matter of tools but of operational resilience. Investing in people, training, and operational readiness yields higher returns than any single technology purchase.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Inadequate security budgets to support technology upgrades, security training, and business initiatives have a disproportionate impact in making businesses more susceptible to attacks, according to new research. A survey of 600 CISOs in Europe, the US, Australia, and Japan commissioned by Splunk found a language and priority gap between boards and security leaders. 
CISOs are [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2373,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2372","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2372"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2372"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2372\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2373"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}