In times of economic uncertainty and downturn, many organizations look to pare costs by going after cybersecurity. But this attempt to save money at a time when the attack landscape is rapidly expanding could end up costing an organization heavily in terms of cash, reputation and compliance. 

Cybersecurity pays dividends time and again by protecting organizations against breaches or attacks that get out of hand. Many organizations, however, are still locked into the mentality that sees cybersecurity as a cost to the organization instead of an enabler. And if they haven’t had a major breach, then they feel that they are doling out money without getting anything in return.   

That is a shortsighted approach. As cybersecurity leaders, we aim to reduce cybersecurity debt because of the risk it poses. But in times of belt-tightening, cyber debt almost inevitably increases, adding even more risk to the organization. When funding gets reduced, security initiatives and headcount both suffer. And with everyone taking on more work, mounting pressure means staff is going to buckle under the strain, and things will slip by.  

What’s more, rocky economic periods are prime time for adversaries. Doors open to malicious actors when an organization seeks to cut costs by shifting its focus away from practicing cyber hygiene, reducing security debt, and positioning cybersecurity as a key driver to the business and its goals. 

Organizations therefore need nuanced conversations to think through the various risks involved in cost cuts, because cybersecurity outlays are not a yes/no conversation. 

Two high-profile companies illustrate the point. Equifax pulled back on security and wasn’t focusing on the fundamentals of cyber hygiene. It took its eye off the ball — and that breach cost the company $1.4 billion in losses, plus an incalculable amount in reputational damage.

On the opposite end of the spectrum, IBM saw the writing on the wall and invested in cybersecurity, understanding it could be an enabler and a differentiator. Even during economic uncertainty and downturn, it stayed focused on making cybersecurity one of its largest enterprises. Today, IBM is a huge cybersecurity vendor, with $1 billion in annual revenue from that sector and trusted by Fortune 100 companies as a premier go-to for cybersecurity solutions.

As cybersecurity leaders, we understand that the question is not if a breach will occur, but when, and that’s why we’re warning against false economy. A sizable cyber incident costs $4.5 million on average, and for small companies – which constitute the overwhelming percentage of businesses – the outcome could be devastating.

And cyber insurance won’t necessarily be able to step into the breach. If the insurer determines that the cybersecurity cuts prevented the organization from taking reasonable precautions and due care, then the incident may not be covered.  

Recovery from a major incident can be devastating to companies of all sizes, not only in terms of immediate financial loss, but in its lasting disruption to an organization’s momentum. It drains FTE capacity, redirects critical resources, and forces leadership to abandon strategic initiatives in favor of crisis response. Teams are pulled away from innovation and growth to focus on operational triage, prolonged investigations and rebuilding customer trust. The ripple effects can stall business goals for quarters – or even years – undermining competitiveness, morale and long-term value creation.

The urge to cut cybersecurity budgets directly conflicts with the growing regulatory pressure for stronger security practices. As investment shrinks, risk rises, putting organizations on a collision course with compliance failures. This tension between cost cutting and increased scrutiny is unsustainable, and will eventually result in missed audits, regulatory violations and costly penalties. 

Over the past two years, the cybersecurity landscape has fundamentally transformed. The explosion of digital innovation – driven by AI, the proliferation of SaaS applications, the surge in IoT adoption, and the expanding web of third- and nth-party relationships – has dramatically widened the attack surface. At the center of this shift is a new kind of arms race, with both adversaries and enterprises racing to integrate AI and automation into every facet of their operations. The result is a volatile, high-stakes environment where the speed and scale of risk are unlike anything we’ve seen before.  

While we on the cybersecurity side use AI to try to better protect and drive business, our adversaries are using it to mount bigger, better and faster attacks. Bad actors no longer need farms of people. Increasingly sophisticated AI-generated calls and emails have made social engineering, the easiest avenue of attack, much harder to detect. Information security has long been a challenging uphill effort, but the rapid acceleration of AI is significantly amplifying that challenge. As AI increases the scale, speed and sophistication of potential threats, the demands on security teams – and the risks to the business – are growing exponentially. What was once a manageable climb is now a steep and accelerating ascent that requires strategic investment and board-level attention.  

The rapid proliferation of SaaS applications across enterprises has introduced significant security risks. Many of these tools are onboarded without proper configuration, oversight, or alignment to the organization’s security policies. Without a clear owner to manage and maintain them, these applications often become blind spots – leaving sensitive data exposed and increasing the risk of data exfiltration, misconfigurations and compliance failures.   

In today’s resource-constrained environment, managing the growing array of security risks has become increasingly difficult. Lower-priority items on the risk register – such as third-party vendors – often receive less attention, yet they frequently become the very pathways adversaries exploit. Without consistent oversight and rigorous security assessments, third- and nth-party relationships can introduce hidden vulnerabilities that undermine even the most mature security programs.

While cost cutting is an unfortunate reality during times of economic uncertainty, cybersecurity should not be the first place to trim. As CISOs, we continuously evaluate how to streamline, simplify and optimize our environments. But reduction in security investment must be approached with nuance – not as blanket cuts, but as risk-based decisions rooted in the realities of the evolving threat landscape. These conversations must go beyond “cut or not” and involve leadership across the business, with CISOs at the table. Security leaders are uniquely positioned to help identify areas where efficiencies can be gained without compromising protection. Key opportunities include driving automation with InfoSec oversight, streamlining manual processes, and eliminating tool sprawl through platform consolidation. Additionally, revisiting underperforming contracts and reducing duplicative third-party engagements can yield meaningful savings while maintaining control and visibility.

Cybersecurity, when embedded strategically, is a force multiplier – not a cost center. It protects operational resilience, builds trust with customers and investors, and enables the business to move faster and more confidently in a volatile market. That’s why security leaders must be part of every strategic business discussion – not just to defend the budget, but to help shape the future.