For years, I was fortunate to work in roles with enough budget to deploy cybersecurity programs. I followed the same playbook: run a risk assessment, show a few quick wins, build a business case and the budget would follow. It took effort, but after a few cycles, the process almost felt predictable.
One recent experience changed everything. A new boss, a senior VP, came to me when I arrived in the role and said, “We need to be financially efficient. We need to reduce current-year expenses by 10%, absorb next year’s inflation, capture efficiencies that will materialize in the next year’s spending by 5% and do it in a way that creates efficiencies to self-fund new initiatives.”
I thought back to all the industry reports from Gartner, IDC and others consistently pointing to year-over-year increases in cybersecurity spending, often in the high single or double digits. Now I was being told to cut, not grow. At first, I pushed back. Then I saw the chance to do something different. Instead of fighting the numbers, I started looking for ways to make the team more effective with less. That shift opened up options I had never considered before.
When we talk about security, we usually don’t think about reducing controls, costs or teams; we see anything that isn’t directly related to the “risk mitigation mission” as a distraction. We are trained to add, not subtract. When money is easy, we pile on tools, grow teams and chase every new risk. But abundance hides waste. I have seen controls that no one uses, vendors that no one checks, dashboards that gather dust and teams that overlap. The moment the budget tightens, all that clutter stands out. That’s when you find out what really matters and where management earns its keep.
Efficiency as a leadership language
Under financial constraints, the CISO’s mandate shifts from acquisition to capital allocation. The central question becomes which actions materially reduce risk exposure and how efficiently the security function operates, while maintaining financial discipline.
The security roadmap should be managed as a portfolio of investments, with each control evaluated for its cost, efficiency and loss avoidance. To improve clarity and aid decision-making, consider mapping controls onto a simple cost-versus-effectiveness matrix, with the size of each element indicating the risk the control removes from the overall portfolio. This visualization highlights which investments deliver meaningful risk reduction per dollar and which ones consume resources with limited impact.
Credibility is established not by defending every control, but by making informed choices and prioritizing those that deliver measurable risk reduction. Redirecting resources from lower-impact initiatives to those with higher risk reduction is an act of stewardship. A leader who articulates trade-offs in financial terms and demonstrates the impact on loss exposure and cash flow earns trust more rapidly than one who simply requests additional funding.
How to do more with less
1. Review contracts, renegotiate them or move operations to a new partner
Scope, service-level agreements and performance metrics should be revisited because many contracts were established under different risk profiles, urgency and pricing conditions. Modernizing contracts to focus on outcomes rather than activities, revalidating pricing and service assumptions where competition exists and trading scope for measurable performance can generate structural savings. Locking multi-year terms when pricing and dependency risk are favorable, or using shorter renewals when market leverage is present, further supports efficiency gains.
I remember sitting with the team, looking at a contract that had been signed right after a major cyber event. Over the years, it had grown fatter with eleven amendments, each one a quick fix for the latest emergency. We went back to the beginning, checked what risks we had in mind, how the service was actually used and what we were really getting. It turned out we were paying for much more than we needed. By going through the details together, we found we could get a better level of protection while still funding an upgrade to a new-generation SIEM platform. In other cases, we just reviewed contracts and kept the same partner with scope changes.
2. Automate the routine
Time is often the most constrained resource in cybersecurity. Automating routine processes such as triage, ticketing, patch workflows, gap analysis, report creation and standard response playbooks reduces unit cost per incident and frees up skilled talent for higher-value work. Automation should be a deliberate effort to eliminate repetitive manual tasks and increase consistency at scale.
We started with the basics: automating the reports and coordination work that always seemed to eat up our time. Instead of building every report by hand, we set up simple flows with tools like Power Automate and Power BI. Suddenly, report generation that had taken hours was completed in minutes and mistakes dropped off. Our playbooks handled the routine incident responses. The real win was seeing our analysts freed from basic tasks, able to devote their energy to real threats and decisions that required their judgment.
3. Cut administrative and non-core spend
Efficiency is not limited to tools and vendors. Administrative spend, travel, low-value recurring activities, duplicative reporting and non-essential services can quietly accumulate and inflate the cost baseline. By establishing a quarterly review of non-core expenses and making explicit decisions to discontinue low-value activities, organizations can capture not only immediate cost savings but also significant cumulative throughput gains. These small cuts, when aggregated over a year, can free up substantial sums, underscoring their strategic importance.
We looked past the obvious places—vendors and tools—and took a hard look at the small, recurring costs that quietly add up. Some subscriptions and services had made sense once, but now just sat there, barely used. I remember reviewing a code-scanning service and realizing we were paying for more than we needed. By trimming it back to match what we really used, we saved money right away, without adding risk. It was a reminder that sometimes, the biggest gains come from quiet, careful housekeeping, not dramatic cuts.
4. Restructure teams and outsourcing around value
Security organizations tend to evolve in silos, shaped by technology domains, incidents or vendors rather than by the risks they are meant to manage. Reviewing the target operating model involves deliberately reorganizing teams and partners around value domains, not tools. Value domains, or clusters of related risks, prioritize risk management alignment over technological segmentation. Consolidating overlapping functions, such as incident response, vulnerability management and threat intelligence across IT, OT and data protection, reduces handoffs, eliminates duplication and improves speed of execution. The objective is not headcount reduction, but the release of capacity and the better allocation of scarce expertise to the most material risks.
When we pulled teams together, we didn’t cut headcount. We just stopped letting groups like incident response and vulnerability management work in isolation. By focusing everyone on the same risks, we made it easier to respond and to deploy our experts where they had the greatest impact. We also took a hard look at outsourcing, combining SOC and MDR for OT, IT and data protection into one operation. That move cut costs, improved efficiency and lowered risk.
5. Consolidate tools
Many large organizations maintain multiple solutions that address the same risk domain. Vendor consolidation, rather than expansion, reduces vendor overlap, lowers cost and streamlines operations. The discipline is to standardize on fewer platforms, decommission redundant tooling and ensure the remaining stack is actively used and measured.
We tend to buy a new tool for every new risk we find in the portfolio, and in many cases we look for the best-of-breed solution for each one. That approach can itself be ineffective: it leaves us with many tools from different vendors, usually not integrated with one another, and creates a huge amount of work just to keep them managed and well operated.
The future belongs to the disciplined
I learned that leading with less means every choice counts. Deciding what to stop is as important as what to start. When we restructured teams, renegotiated contracts and automated routine work, we found real efficiency without losing capability. These moves were about discipline, not just cutting costs. Looking ahead, the leaders who can show risk reduction per dollar spent will set the standard. Efficiency is now a mark of leadership.
The next generation of security leaders will not be measured by how much they spend, but by the clarity and impact of their decisions. In the boardroom, trust comes from showing your trade-offs and sticking to them, not from chasing bigger budgets. This is not about cutting for the sake of it. It is about leading with discipline. Where in your environment can you test one of these moves this quarter and measure the outcome?
This article is published as part of the Foundry Expert Contributor Network.