{"id":4180,"date":"2025-07-30T07:00:00","date_gmt":"2025-07-30T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4180"},"modified":"2025-07-30T07:00:00","modified_gmt":"2025-07-30T07:00:00","slug":"how-cisos-can-scale-down-without-compromising-security","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4180","title":{"rendered":"How CISOs can scale down without compromising security"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Years ago, David Mahdi, now a CISO advisor at Transmit Security, found himself in a situation no security leader wants to face: abrupt, mid-year budget cuts, with no option to delay. \u201cIt was an uncontrollable convergence of internal issues, legacy tech debt, market pressure, and geopolitics, all coming together at once,\u201d he says. The financial squeeze forced him to make painful trade-offs, fast.<\/p>\n<p>\u201cGiven the rapid pace at which these cuts were required, we recognized that the process wouldn\u2019t be flawless and would inevitably create gaps,\u201d he tells CSO.<\/p>\n<p>That experience shaped how he approaches financial constraints. He now urges CISOs facing similar challenges to set clear priorities and make intentional, well-considered decisions about what to scale back and what to protect at all costs. \u201cBeware the false economy of slicing thin across everything. It creates invisible fragility. Nobody feels the cut until something breaks.\u201d<\/p>\n<p>Preserving security while reducing resources can feel like an impossible task. Every decision comes with trade-offs, and the margin for error is slim.<\/p>\n<h2 class=\"wp-block-heading\">How to trim without breaking things<\/h2>\n<p>The days of double-digit growth in cybersecurity spending may be behind us. 
One in eight CISOs reported budget cuts in 2024, while about a quarter of them said their budgets have remained flat, according to the <a href=\"https:\/\/www.iansresearch.com\/resources\/press-releases\/detail\/new-research-reveals-security-budgets-only-increased-2-points-in-2024--while-12--of-cisos-faced-reductions\" target=\"_blank\" rel=\"noopener\">Security Budget Benchmark Report<\/a> by IANS Research and Artico Search. Even among the majority who did receive more funding, most reported only modest bumps \u2014 typically between 1% and 5%. Unsurprisingly, nearly a third of CISOs said their current budgets fall short of what\u2019s needed.<\/p>\n<p>When breaking down spending, the largest portion (37%) goes to staff and compensation. Off-premises software accounts for 23%, followed by smaller allocations to outsourcing, on-premises tools, and specific projects. Only 5% goes to hardware and 4% of budgets are directed toward training and development. Finally, just 3% are reserved for discretionary spending.<\/p>\n<p>This lean allocation means that when budget cuts strike, security leaders are left making tough calls, often with no clear options. Choosing what to protect, what to scale back, and how to do it without <a href=\"https:\/\/www.csoonline.com\/article\/3846307\/not-all-cuts-are-equal-security-budget-choices-disproportionately-impact-risk.html\">exposing the organization to risks<\/a> requires strategic thinking. But just as important is the mindset. 
\u201cWhen budgets shrink, I see it as an opportunity to validate previous risk assumptions, challenge legacy spend, and align security investments with business-critical outcomes,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/dmahdi\/\" target=\"_blank\" rel=\"noopener\">Mahdi<\/a> says.<\/p>\n<p>He uses a structured approach that\u2019s built around three dimensions:<\/p>\n<p><strong>Strategic risk (high, medium, low):<\/strong> What\u2019s the actual exposure if this control fails?<\/p>\n<p><strong>Business alignment<\/strong>: Which functions are enabling revenue, customer trust, or compliance?<\/p>\n<p><strong>No-brainers<\/strong>: These are redundant tools, shelfware, or \u201csecurity theatre\u201d controls that look good on paper but deliver no measurable protection.<\/p>\n<p>For this assessment, Mahdi brings together a cross-functional team that includes business unit leaders, security architects, threat intelligence leads, and trusted peers both inside and outside the organization. This collaborative approach not only spreads accountability but also helps uncover blind spots and align cuts with the organization\u2019s overall risk posture.<\/p>\n<p>He also relies on key metrics that help him assess whether certain tools or processes are efficient, and weighs coverage versus complexity, trying to determine whether a solution is addressing a unique security challenge or merely duplicating existing efforts. Finally, he considers how quickly an investment can deliver measurable outcomes. Using this framework, CISOs can identify areas that can be scaled back without significantly increasing risk.<\/p>\n<h2 class=\"wp-block-heading\">Where to start from<\/h2>\n<p>One of the first areas to evaluate is redundant tooling. \u201cIf two tools do 70% of the same job, keep the one with better integration and support,\u201d Mahdi says. Then, CISOs can move on to legacy compliance-driven controls, which can often be rationalized. 
\u201cFocus on effective controls, not checkbox ones, especially in organizations over-indexed on legacy governance, risk and compliance.\u201d<\/p>\n<p>Cutting should be done carefully, though. \u201cCompliance with applicable regulations is non-negotiable,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/laura-gonzalez-priede-246036a4\/?originalSubdomain=be\" target=\"_blank\" rel=\"noopener\">Laura Gonzalez Priede<\/a>, CISO of Approach Cyber. That\u2019s why it\u2019s essential for security leaders to have a clear understanding of their legal obligations and ensure that any adjustments to the security program don\u2019t jeopardize compliance or the ability to meet core business needs.<\/p>\n<p>Not every budget decision is black and white. Some initiatives, like innovation or experimental projects, live in a grey zone; they\u2019re valuable, but not always urgent. In times of financial pressure, these efforts can be temporarily shelved, especially if they don\u2019t address pressing threats or compliance needs.<\/p>\n<p>However, to maintain team morale during a pause in innovation projects, Mahdi suggests having them work on a detailed ramp-up strategy for when budget conditions improve. This should give them a sense of purpose while also ensuring that the organization can quickly regain momentum when more resources become available.<\/p>\n<p>In times of cutbacks, Gonzalez Priede prioritizes people and processes over tools. \u201cWhile tools are important, many can be replaced with open-source or internally developed alternatives,\u201d she says. \u201cA strong process, supported by capable people, can often compensate for the absence of a specific tool.\u201d<\/p>\n<p>When it comes to personnel cuts, Mahdi highlights the importance of looking beyond job titles or technical certifications. \u201cDon\u2019t assume the most technical roles are the most critical. 
Sometimes the people who glue security to the business are your highest-leverage assets.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Bad decisions can cost more than you can save<\/h2>\n<p>Choosing where to trim a cybersecurity budget is rarely straightforward, and rushing the process only raises the stakes. That means it\u2019s all too easy to make cuts that seem practical in the moment but ultimately compromise resilience or introduce hidden vulnerabilities down the line.<\/p>\n<p>\u201cFrom what I have seen, far too often, CISOs under pressure slash detection and response capabilities, incident readiness exercises, and security operations roles,\u201d Mahdi says.<\/p>\n<p>They assume stronger prevention means they can spend less on what happens after a breach, but that\u2019s a risky bet. \u201cSomething always breaks! And while prevention is great, something always gets in,\u201d he says. \u201cWhen something breaks, it\u2019s not the control count that matters. It\u2019s your response time, containment, and ability to bounce back.\u201d<\/p>\n<p>During his time as a Gartner analyst, Mahdi saw this play out. \u201cIn one scenario, a CISO cut back on IR readiness and outsourced Tier 1 SOC to save budget,\u201d he recalls. \u201cWhen a breach hit, the provider missed early signs, and without internal muscle, the organization lost critical hours before even understanding the scope.\u201d In cases like this, the actual loss isn\u2019t just data; it\u2019s also credibility.<\/p>\n<p>Another mistake CISOs make is cutting cross-functional roles like embedded product security, governance leads, or business-aligned risk advisors. \u201cThese roles are connective tissue,\u201d Mahdi says. \u201cWithout them, security becomes reactive, misunderstood, and sidelined.\u201d<\/p>\n<p>CISOs might also go silent during cutbacks, pulling back on transparency. \u201cThey should do the opposite!\u201d he says. 
\u201cShow what\u2019s being protected, and what\u2019s being risk-accepted. Own the trade-offs and be confident.\u201d<\/p>\n<p>Being transparent and keeping people in mind is essential, particularly during difficult times. One common regret Gonzalez Priede sees among CISOs is underinvesting in staff and training, which can quietly erode team capabilities. \u201cOngoing education ensures that staff remain competent and security-aware, which is vital in a constantly evolving threat landscape,\u201d she says. Also, cutting the wrong roles or skimping on talent often leads to inefficiencies, misaligned priorities, and higher long-term costs.<\/p>\n<p>Another frequent oversight is the lack of well-documented processes, which are essential for continuity, especially when key personnel leave. \u201cWithout them, organizations risk losing critical knowledge and consistency in execution, which can add risks not previously foreseen,\u201d she says.<\/p>\n<p>But, counterintuitively, scaling back can also have an upside. Gonzalez Priede says it encourages security leaders to take the time to reevaluate priorities and refine processes to be more agile and outcome driven. \u201cThe transition period must be carefully managed with proper planning and monitoring.\u201d<\/p>\n<p>Further reading:<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3627485\/blown-the-cybersecurity-budget-here-are-7-ways-cyber-pros-can-save-money.html\">Blown the cybersecurity budget? 
Here are 7 ways cyber pros can save money<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/567633\/how-much-should-you-spend-on-security.html\">How much should you spend on security?<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3625745\/how-cisos-can-forge-the-best-relationships-for-cybersecurity-investment.html\">How CISOs can forge the best relationships for cybersecurity investment<\/a><\/p><\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Years ago, David Mahdi, now a CISO advisor at Transmit Security, found himself in a situation no security leader wants to face: abrupt, mid-year budget cuts, with no option to delay. \u201cIt was an uncontrollable convergence of internal issues, legacy tech debt, market pressure, and geopolitics, all coming together at once,\u201d he says. The financial [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4160,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4180","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4180"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4180"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4180\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4160"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.p
hp?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}