Just a few years ago, CISOs were operating with growing mandates and relatively generous budgets. That era is over. Security leaders are now being asked to do more with less, managing expanding digital estates while facing flat or shrinking budgets. In the UK, for example, companies are spending just 9% of their IT budgets on cybersecurity – barely enough to match growing threats and compliance demands.
This tightening has been especially painful in high-risk sectors like healthcare and financial services, where regulatory pressure and cyberattacks are both increasing. At the same time, CISOs must juggle rising threat volumes, compliance reporting and security oversight – all with minimal new funding. One recent study even found that 12% of CISOs saw budget declines heading into 2024.
The hidden costs of budget constraints
Security leaders are being held accountable for avoiding breaches while making tough decisions on where to allocate limited resources. One contributing factor is the perception that cybersecurity is a cost centre with unclear ROI. Even when new tools are deployed, they can overwhelm teams with noise – generating hundreds of alerts without helping teams act effectively. This erodes trust in security leadership, especially when incidents still occur despite past investments.
Burnout is another symptom. CISOs and security teams report mounting stress, with many attributing past breaches directly to underfunding. The gap between what they are responsible for and what they're resourced to manage continues to widen.
Kevin Gallagher, President, Invicti
With budgets tightening, Chief Information Security Officers (CISOs) face difficult decisions regarding cybersecurity investments and strategy, writes Kevin Gallagher, President, Invicti.
Risk surface grows while budgets shrink
Compounding the issue is the expanding attack surface driven by rapid development, modern frameworks and API proliferation. Faster deployment cycles often prioritise speed over security, leaving behind exploitable vulnerabilities. Add in growing regulatory requirements and increasingly automated attackers and it's clear that traditional tooling and reactive postures are no longer enough.
Modern software development demands proactive and continuous protection that extends into runtime. Yet many AppSec programmes still over-index on static checks and ignore what's happening in production.
WWW.INTELLIGENTCISO.COM 25