How CISOs can scale down without compromising security

- Strategic risk (high, medium, low): What’s the actual exposure if this control fails?
- Business alignment: Which functions are enabling revenue, customer trust, or compliance?
- No-brainers: These are redundant tools, shelfware, or “security theatre” controls that look good on paper but deliver no measurable protection.

For this assessment, Mahdi brings together a cross-functional team that includes business unit leaders, security architects, threat intelligence leads, and trusted peers both inside and outside the organization. This collaborative approach not only spreads accountability but also helps uncover blind spots and align cuts with the organization’s overall risk posture.

He also relies on key metrics that help him assess whether certain tools or processes are efficient, and weighs coverage against complexity, trying to determine whether a solution addresses a unique security challenge or merely duplicates existing efforts. Finally, he considers how quickly an investment can deliver measurable outcomes. Using this framework, CISOs can identify areas that can be scaled back without significantly increasing risk.

Where to start from: One of the first areas to evaluate is redundant tooling. “If two tools do 70% of the same job, keep the one with better integration and support,” Mahdi says. Then CISOs can move on to legacy compliance-driven controls, which can often be rationalized. “Focus on effective controls, not checkbox ones, especially in organizations over-indexed on legacy governance, risk and compliance.”

Cutting should be done carefully, though. “Compliance with applicable regulations is non-negotiable,” says Laura Gonzalez Priede, CISO of Approach Cyber. That’s why it’s essential for security leaders to have a clear understanding of their legal obligations and to ensure that any adjustments to the security program don’t jeopardize compliance or the ability to meet core business needs.

Not every budget decision is black and white. Some initiatives, like innovation or experimental projects, live in a grey zone: they’re valuable, but not always urgent. In times of financial pressure, these efforts can be temporarily shelved, especially if they don’t address pressing threats or compliance needs.

However, to maintain team morale during a pause in innovation projects, Mahdi suggests having the team work on a detailed ramp-up strategy for when budget conditions improve. This gives them a sense of purpose while ensuring that the organization can quickly regain momentum once more resources become available.

In times of cutbacks, Gonzalez Priede prioritizes people and processes over tools. “While tools are important, many can be replaced with open-source or internally developed alternatives,” she says. “A strong process, supported by capable people, can often compensate for the absence of a specific tool.”

When it comes to personnel cuts, Mahdi highlights the importance of looking beyond job titles or technical certifications. “Don’t assume the most technical roles are the most critical. Sometimes the people who glue security to the business are your highest-leverage assets.”

Bad decisions can cost more than you can save: Choosing where to trim a cybersecurity budget is rarely straightforward, and rushing the process only raises the stakes. It’s all too easy to make cuts that seem practical in the moment but ultimately compromise resilience or introduce hidden vulnerabilities down the line. “From what I have seen, far too often, CISOs under pressure slash detection and response capabilities, incident readiness exercises, and security operations roles,” Mahdi says.

They assume stronger prevention means they can spend less on what happens after a breach, but that’s a risky bet. “Something always breaks! And while prevention is great, something always gets in,” he says. “When something breaks, it’s not the control count that matters. It’s your response time, containment, and ability to bounce back.”

During his time as a Gartner analyst, Mahdi saw this play out. “In one scenario, a CISO cut back on IR readiness and outsourced Tier 1 SOC to save budget,” he recalls. “When a breach hit, the provider missed early signs, and without internal muscle, the organization lost critical hours before even understanding the scope.” In cases like this, the actual loss isn’t just data; it’s also credibility.

Another mistake CISOs make is cutting cross-functional roles like embedded product security, governance leads, or business-aligned risk advisors. “These roles are connective tissue,” Mahdi says. “Without them, security becomes reactive, misunderstood, and sidelined.”

CISOs might also go silent during cutbacks, pulling back on transparency. “They should do the opposite!” he says. “Show what’s being protected, and what’s being risk-accepted. Own the trade-offs and be confident.”

Being transparent and keeping people in mind is essential, particularly during difficult times. One common regret Gonzalez Priede sees among CISOs is underinvesting in staff and training, which can quietly erode team capabilities. “Ongoing education ensures that staff remain competent and security-aware, which is vital in a constantly evolving threat landscape,” she says. Cutting the wrong roles or skimping on talent also often leads to inefficiencies, misaligned priorities, and higher long-term costs.

Another frequent oversight is the lack of well-documented processes, which are essential for continuity, especially when key personnel leave. “Without them, organizations risk losing critical knowledge and consistency in execution, which can add risks not previously foreseen,” she says.

But, counterintuitively, scaling back can also have an upside. Gonzalez Priede says it encourages security leaders to take the time to reevaluate priorities and refine processes to be more agile and outcome-driven. “The transition period must be carefully managed with proper planning and monitoring.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4029274/how-cisos-can-scale-down-without-compromising-security.html
