
I talk to a lot of security leaders, and every time the economy gets shaky, the same conversation starts showing up in my calls. Revenue is soft, the CFO is hunting for percentage points, and someone in finance has decided the security line item has gotten too comfortable. The ask is always polite. “Can you find 10 to 15% in your budget for next year?”
The honest answer is yes, you can find it. The harder answer is what it actually costs you.
I’m not writing this to argue that security should be exempt from scrutiny. Every line item should be defensible. But the math behind “trim security to weather the storm” is worse than most boards realize, and I think it’s worth putting on the table before the spreadsheet wins the argument.
Threats Don’t Care About Your Operating Plan
Here’s the first uncomfortable fact. Adversaries are not running the same playbook your finance team is. In recent CISO research, 80% of security leaders said they noticed a growing number of threats coinciding with the declining economy. Total reported cybercrime losses hit $20.9 billion in 2025, a 26% jump year over year. Ransomware crews don’t furlough operators during a recession. They hire them. Initial access brokers see a softer perimeter as opportunity, not sympathy.
Meanwhile, 72% of organizations dealt with a ransomware attack in the prior 12 months, and the average recovery cost landed at $4.5 million. The U.S. average cost of a data breach in 2025 hit a record $10.22 million, up 9% year over year, even as the global average dropped to $4.44 million on the back of faster, AI-assisted containment. Read that twice. Containment got better, and U.S. costs still set a record. The downside is moving faster than the upside.

A 15% budget cut doesn’t make any of that go away. It just makes the next incident more expensive when it lands.
The Cuts You Don’t See on the P&L
The most expensive cut isn’t the line item finance circles. It’s the second-order effect.
IBM’s 2025 Cost of a Data Breach report puts a specific number on understaffing. Organizations with security staffing shortages experience breach costs $1.76 million higher than well-staffed peers. In 2025, 36% of organizations cut cybersecurity budgets and 24% laid off security staff. Translate that. Roughly one in four security teams is now operating with a structural penalty of nearly two million dollars baked into their next incident.
The same dynamic plays out in tooling. When a SIEM contract gets renegotiated downward, the missing coverage doesn’t show up as a savings. It shows up 241 days later as a breach lifecycle that nobody caught in time. That’s the mean time to identify and contain in IBM’s latest data, and it’s the best it’s been in nine years. Cutting visibility resets that clock.
Cuts to detection, response, and testing don’t reduce risk. They relocate it. Off the spend column. Onto the incident response column. Where it tends to arrive with legal fees, regulatory exposure, and a board meeting attached.
“We’ll Just Delay the Pentest” Is the Most Expensive Sentence in Security
When budgets tighten, one of the first things to slip is offensive security work. I see it constantly. Annual testing becomes “every 18 months.” The next assessment gets descoped. Retesting after remediation gets deferred because the vendor charges extra for it.

The problem is what happens in the gap. Most organizations test once a year and spend the other 345 days hoping nothing changed. In a normal year, plenty changes. Cloud assets, third-party integrations, M&A, shadow IT. In a downturn, change accelerates. Layoffs leave forgotten subdomains. Vendors get swapped for cheaper ones. Infrastructure consolidations create new exposure. Offboarding hygiene suffers because the people who managed it just got cut too.
You don’t get to choose whether your attack surface evolves during a downturn. You only get to choose whether you’re looking at it.
What Actually Defends a Budget Review
The CISOs I see win these conversations aren’t pleading. They’re reframing the question. Instead of “how much can we cut,” they’re asking “what does each dollar buy, and what does each dollar saved actually cost?” A few moves consistently land with a skeptical CFO.
Quantify the staffing penalty. IBM’s $1.76 million number is the most useful sentence you can bring into a budget meeting because it’s specific, sourced, and recent. Pair it with the U.S. average breach cost and the math on a single avoided incident usually pays for the headcount under discussion several times over.
Show the 345-day problem. If your company is doing annual pentests, the board is implicitly buying 20 days of validated coverage and 345 days of assumption. That ratio is hard to defend even in good times. It’s the easiest argument for continuous testing in a downturn, because continuous models scale with change instead of with a procurement cycle.
Consolidate before you cut. Most security stacks have redundant tools. A meaningful number have shelfware. A budget review is a good excuse to reclaim 15% by retiring overlap, not by retiring controls. CFOs respond to “I cut 15% and improved coverage” a lot better than they respond to “I cut 15% and we’ll hope.”
Move from coin-operated to continuous. If your pentesting vendor charges per test, per retest, and per scope change, your security spend is structurally biased toward doing less when budgets tighten. Which is exactly when you need to do more. Continuous models flip that incentive. Coverage scales with your environment, not with your purchase order.
The Boring Truth
There’s no clever framing that makes cutting security in a downturn safe. The threat landscape doesn’t pause. The breach math doesn’t soften. The staffing penalty is now a quantified, published number. The organizations I watch come through a hard cycle in good shape aren’t the ones that cut hardest. They’re the ones that cut smart, consolidated honestly, and replaced calendar-based assumptions with continuous visibility.
The board doesn’t need security to be sacred. It needs security to be defensible. That’s a different argument, and it’s one you can win with the numbers already on the table.
Sprocket Security is a technology-powered continuous penetration testing platform that eliminates the blind spots created by annual testing. Starting with free attack surface visibility, we continuously monitor your environment and trigger expert-driven testing the moment something changes, so your security posture reflects today, not last year.
Sources
• IBM, "2025 Cost of a Data Breach Report." https://www.ibm.com/reports/data-breach
• Help Net Security, "Average global data breach cost now $4.44 million." https://www.helpnetsecurity.com/2025/08/04/ibm-cost-data-breach-report-2025/
• CyberScoop, "Research shows data breach costs have reached an all-time high." https://cyberscoop.com/ibm-cost-data-breach-2025/
• Splunk, "CISO Research Reveals 90% of Organizations Suffered At Least One Major Cyber Attack in the Last Year." https://www.splunk.com/en_us/newsroom/press-releases/2023/ciso-research-reveals-90-of-organizations-suffered-at-least-one-major-cyber-attack-in-the-last-year-83-report-ransomware-payments.html
• SDxCentral, "How Economic Downturn Adds Complications to CISO Role." https://www.sdxcentral.com/analysis/how-economic-downturn-adds-complications-to-ciso-role/
• TechTarget, "Cybersecurity budgets lose momentum in uncertain economy." https://www.techtarget.com/searchsecurity/feature/Cybersecurity-budget-trends
• SecurityWeek, "Cyber Insurance Data Gives CISOs New Ammo for Budget Talks." https://www.securityweek.com/cyber-insurance-data-gives-cisos-new-ammo-for-budget-talks/
• Deepstrike, "Cybersecurity Statistics 2026: Key Trends, Costs, and Insights." https://deepstrike.io/blog/cybersecurity-statistics
• Elisity, "Cybersecurity Budget 2026: Benchmarks & Spending Trends." https://www.elisity.com/blog/2026-cybersecurity-budget-complete-enterprise-planning-guide
• IT Pro, "Ransomware attacks carry huge financial impacts." https://www.itpro.com/security/ransomware/ransomware-attacks-carry-huge-financial-impacts-but-ciso-worries-still-arent-stopping-firms-from-paying-out