Not all cuts are equal: Security budget choices disproportionately impact risk


Inadequate security budgets to support technology upgrades, security training, and business initiatives have a disproportionate impact in making businesses more susceptible to attacks, according to new research.

A survey of 600 CISOs in Europe, the US, Australia, and Japan commissioned by Splunk found a language and priority gap between boards and security leaders. CISOs are under pressure to rein in spending and outsource functions while demonstrating the business value of security initiatives.

The survey by the Cisco-owned security visualization firm found that cutting back in some areas — such as staff training and postponed technology upgrades — is more likely to lead to a material security incident than others.

Such insights from their surveyed peers could help CISOs shape a more compelling risk-oriented argument when pushing back against proposed cuts from the board — or, worst case, inform their own investment choices when faced with budget constraints.

Impact of inadequate security budgets

| Cost-cutting measure                      | Experienced due to inadequate budget | Resulted in a successful breach or attack |
|-------------------------------------------|--------------------------------------|-------------------------------------------|
| Postponed technology upgrades             | 52%                                  | 62%                                       |
| Reduced security solutions and tools      | 50%                                  | 19%                                       |
| Imposed security hiring freeze            | 40%                                  | 29%                                       |
| Scaled back/eliminated security training  | 36%                                  | 45%                                       |
| Failed to support a business initiative   | 18%                                  | 64%                                       |

[Source: Splunk]

Postponed upgrades

As cyber threats evolve at an unprecedented pace, delaying essential technology upgrades can severely impact an organization. The newest technological updates are introduced to enhance an organization’s security offerings and directly address recently identified challenges.

“Outdated systems lack new features and functionality that allow for more sophisticated offerings, like moving to the cloud,” Kirsty Paine, a Splunk spokesperson told CSO. “Without newer security features, moving information to the cloud could leave room for vulnerabilities.”

Postponed technology upgrades can also leave organizations relying on outdated legacy systems, thereby subject to increasing security debt.

CISOs reported that postponing upgrades, the most common cost-cutting measure, resulted in a breach 62% of the time.

Scaled back security training

When budgets get cut, many organizations feel pressure to scale back or completely eliminate training programs, leaving employees unprepared to identify potential threats.

This often becomes a problem because human error — such as misconfiguring software or infrastructure — often leads to downtime and lost business revenue. Moreover, cutting back on security awareness training can result in a lax security culture across the organization.

“Security training is crucial for reducing human error, and empowering employees to identify phishing attacks, so by eliminating trainings, organizations are more susceptible to a breach,” Splunk’s Paine said.

More than a third of CISOs (36%) reported training cuts due to budget constraints, with 45% experiencing a successful attack as a result.

Failure to support business initiatives

Security teams are not always allocated sufficient staff, time, or other resources necessary to support the evolution or growth of their company, resulting in a mismatch between security capabilities and the business initiatives they are meant to secure.

This can often occur with digital initiatives undertaken for expediency, such as the recent rush to adopt AI, which has resulted in many organizations skipping traditional security hardening measures in favor of quick wins and widespread experimentation.

“Business initiatives could be new products or features, or a different way of working [working from home],” Splunk’s Paine explained. “Whatever the initiative is, without support from security, these initiatives are often designed without security in mind.”

Paine added: “Trying to ‘add security in afterwards’ has been known for a long time to be a worse approach than ‘security by design.’”

Few CISOs (18%) received inadequate funding to support business initiatives, according to the survey, but nearly two-thirds of those (64%) suffered a breach as a result.

Communication disconnect

Splunk’s study — entitled The CISO Report — reveals a disconnect between CISOs and boards regarding security funding, with 41% of boards deeming their security budgets sufficient, compared to only 29% of CISOs.

“This disparity often stems from boards viewing security budgets as a tactical concern, rather than considering their broader impact on the business,” Paine said. “To shift this perspective, CISOs must explain the value of their work in terms of business outcomes, such as the revenue that’s being protected and the brand reputation they’re saving.”

Boards protect profitability while CISOs are focused on protecting data and systems. To bridge this gap, board members and CISOs need to identify areas of near or equal importance for their respective stakeholders, Splunk advises.

“For example, instead of focusing on the mean time to resolve (MTTR) [problems], CISOs should prioritize risk reduction and communicate to the board the importance of mitigating risks which lead to higher ROI, which are terms they are more familiar with,” Paine concluded.

Knowing how to sell the board on security funding is an art CISOs must master, as is establishing mutual respect around expectations so that the needs of the board and of the CISO flow in both directions.

Justifying security spending

Independent experts quizzed by CSO agreed with the report’s conclusions that proper funding is essential for cyber defense. CSOs faced with the pressure to scale back security spending or training need to fight their corner and justify security spending commitments in business (rather than technical) terms.

Jonathan Lee, UK cybersecurity director at Trend Micro, said that enterprises still often regard security expenditure as a cost that can be cut in the pursuit of profit rather than as an investment that supports growth.

“Management of organizations being reactive to threats that hit is not acceptable,” Lee argued. “With only around a third of organizations having a board member with cybersecurity knowledge, it’s time to cut through the optimism bias that can prevail at the top levels and strategically underpin the aims of the organization with security measures that significantly reduce vulnerabilities that lead to being breached in the first place.”

Trey Ford, CISO for the Americas at bug bounty platform Bugcrowd, accepts that tough economic conditions mean that budgets are tight but argues that cutting security spending to support previously agreed projects would be perilous.

“Budget cuts affect every aspect of security planning, strategy, and operations — all of which are a complex tapestry orchestrated across the business in alignment with the risk committee,” Ford told CSO.

Frozen headcount is more than frustrating for operational security teams — it accelerates alert fatigue, on-call rotations, and burnout. Lost funding for tooling and projects may exacerbate gaps in visibility — restricting logging coverage, monitoring and alerting, or testing and tracking of vulnerabilities in systems and applications.

“Security initiatives losing funding are rarely in the ‘nice to have’ category — they’re almost always tied to addressing risk items and control gaps that have been prioritized by the risk committee,” Ford said. “The risk being treated, and projects being de-funded, will need fresh risk-acceptance, and may require reporting back to the board of director’s risk committee.”

Align and communicate on risk

Ilia Kolochenko, CEO of application security testing vendor Immuniweb, argues that security leaders need to formulate a coherent cybersecurity strategy.

“Numerous organizations tend to have overlapping and thus redundant solutions from different vendors, while allocating from little to no time to do proper triage of security alerts and incident response,” Kolochenko said.

“Worse, an alarmingly small percentage of organizations have a well-defined, long-term oriented, and holistic cybersecurity strategy, which would encompass such crucial areas as third-party risk management, misconfigurations, and broken IAM in a multi-cloud environment, container security, or emerging gen AI risks, including over-reliance of software engineers on synthetic code from gen AI bots that frequently contains vulnerabilities or even backdoors,” Kolochenko said.

CISOs and boards need to align their priorities and agree on a communication style where cyber risk can be understood, articulated, and mitigated on a constant basis.

“This will help ensure that decision-making and investments are made on an informed basis,” Lee said. “This should enable budget to be spent in the right areas, which in turn will make sure that regulatory compliance is adhered to, and services keep running.”

Foundational elements such as training, system updates, disaster recovery planning, incident response, and compliance monitoring are essential to maintaining a strong security posture, according to Alan Radford, field strategist at identity security vendor One Identity.

“Business-enabled cybersecurity is not about buying the most expensive tools but aligning technology, processes, and people to reduce risk effectively,” Radford told CSO. “Security leaders must communicate to the board that risk reduction is not just a matter of tools but of operational resilience. Investing in people, training, and operational readiness yields higher returns than any single technology purchase.”
