Every day, week, month and year that goes by, breaches feel more and more commonplace. 2022 wrapped up in the shadow of the LastPass breach debacle; 2023 brought the MOVEit and T-Mobile breaches; 2024 saw Ticketmaster, AT&T and Snowflake suffer breaches; and just 4 hours ago (at the time of this post), Coinbase filed an 8-K about a “Material Cybersecurity Incident” that occurred on May 11, 2025. All of these are reminders that no organization, regardless of size, maturity or brand, is immune. The uncomfortable truth is that breaches will continue to happen, for several reasons:
First and foremost, the adversary operates on a timeline that defenders (mostly) cannot. Attackers have the luxury of persistence, patience, and surprise. At best, defenders can hope to detect and respond faster than the attacker can achieve their objective, but we rarely get to dictate the terms of the engagement.
Secondly, the macroeconomic climate is not doing us any favors. As market conditions tighten, companies focus on maximizing ARR while reducing cash burn. That often translates into frozen budgets, downsized teams, and canceled tools. For security teams, this greatly impairs their ability to execute on roadmaps, proactively hunt for threats, or mature critical capabilities, reducing most security organizations to a compliance checkbox function.
In this environment, ruthless prioritization isn’t optional — it’s essential.
Security investments should align with real, measurable risk. That means cutting through the noise and hype and asking hard questions: where is your program today, what can your organization realistically support, and where will you get the most return on investment for your resourcing and effort?
What This Means for CISOs
For CISOs accustomed to operating with generous budgets and large teams, this is a season of restraint. That often means:
Pausing security maturity initiatives that aren’t tied to urgent risk reduction
Holding off on upgrades, and swapping paid tooling for free or open-source alternatives, where the paid option delivers only incremental benefit at higher cost rather than needle-moving capability
Reevaluating tooling overlap and consolidating vendors where possible
For CISOs already operating on a shoestring budget, trying to build foundational practices and capabilities with a lean team, this means exercising creativity and ruthless prioritization. It gets tricky when you have large gaps in your program and need to shore them up with both talent (headcount) and tooling. If you find yourself in this situation, ask yourself the following questions:
Which near-term must-dos can your team reasonably execute as scoped, and which can you reduce in scope so they can be executed in phases?
Which must-dos can be deferred until later in the year so your team can focus on the main priorities?
Which stakeholders will be affected by your priorities, positively if they succeed or negatively if they fail, and are any of them willing to contribute budget or resources to execute the plan with you?
Which risks do these priorities address (and which do they not), and can you attach real-world data to them, such as the average cost of a breach in your industry or the annual loss expectancy of a risk versus the cost of the control that reduces it, to convince stakeholders and win senior leadership support for any exception requests you may have to make?
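To make the last question concrete, here is an added example (not from the original post) of the annual-loss-expectancy arithmetic turned into a ranking tool: each candidate initiative carries a single loss expectancy (SLE), an annualized rate of occurrence (ARO), an estimated control effectiveness and an annual control cost; the script computes ALE before and after the control, the return on security investment (ROSI), and greedily funds the highest-ROSI items until a budget is exhausted, deferring anything whose cost exceeds the risk it removes. All dollar figures, rates and initiative names below are constructed for illustration, not industry benchmarks.

```python
"""Rank security initiatives by ALE reduction against control cost (ROSI).

Added example, not the original post's code. All numbers are constructed
placeholders; replace SLE/ARO with your own incident data or industry
breach-cost figures before using this for real budgeting conversations.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Initiative:
    name: str
    sle: float            # single loss expectancy: cost of one incident, in dollars
    aro: float            # annualized rate of occurrence: expected incidents per year
    effectiveness: float  # fraction of the ALE the control is expected to remove (0..1)
    annual_cost: float    # yearly cost of the control (licenses, hardware, staff time)


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy: expected yearly loss with no new control in place."""
    return sle * aro


def residual_ale(i: Initiative) -> float:
    """Expected yearly loss that remains after the control is deployed."""
    if not 0.0 <= i.effectiveness <= 1.0:
        raise ValueError(f"{i.name}: effectiveness must be between 0 and 1")
    return ale(i.sle, i.aro) * (1.0 - i.effectiveness)


def annual_benefit(i: Initiative) -> float:
    """Dollars of expected loss avoided per year by deploying the control."""
    return ale(i.sle, i.aro) - residual_ale(i)


def rosi(i: Initiative) -> float:
    """Return on security investment: (benefit - cost) / cost.

    A negative ROSI means the control costs more per year than the loss it
    is expected to prevent, which is the data point to bring to a
    deprioritization or exception discussion.
    """
    if i.annual_cost <= 0:
        raise ValueError(f"{i.name}: annual_cost must be positive")
    return (annual_benefit(i) - i.annual_cost) / i.annual_cost


def prioritize(initiatives, budget: float):
    """Greedy budget allocation: fund by descending ROSI while money remains.

    Returns (funded names, deferred names, unspent budget). Items with a
    negative ROSI are always deferred, even if the budget could cover them.
    """
    funded, deferred = [], []
    remaining = budget
    for i in sorted(initiatives, key=rosi, reverse=True):
        if rosi(i) < 0 or i.annual_cost > remaining:
            deferred.append(i.name)
        else:
            funded.append(i.name)
            remaining -= i.annual_cost
    return funded, deferred, remaining


# Constructed sample portfolio (hypothetical figures, not real benchmarks).
CANDIDATES = [
    Initiative("Phishing-resistant MFA", sle=500_000, aro=0.5, effectiveness=0.8, annual_cost=40_000),
    Initiative("EDR rollout",            sle=300_000, aro=0.4, effectiveness=0.6, annual_cost=60_000),
    Initiative("Premium DLP suite",      sle=200_000, aro=0.1, effectiveness=0.9, annual_cost=90_000),
    Initiative("Tested offline backups", sle=800_000, aro=0.2, effectiveness=0.7, annual_cost=50_000),
]


if __name__ == "__main__":
    print(f"{'Initiative':<24}{'ALE':>10}{'Benefit':>10}{'Cost':>9}{'ROSI':>7}")
    for i in sorted(CANDIDATES, key=rosi, reverse=True):
        print(f"{i.name:<24}{ale(i.sle, i.aro):>10,.0f}{annual_benefit(i):>10,.0f}"
              f"{i.annual_cost:>9,.0f}{rosi(i):>7.2f}")
    funded, deferred, left = prioritize(CANDIDATES, budget=100_000)
    print("\nFund now:   ", ", ".join(funded))
    print("Defer:      ", ", ".join(deferred))
    print(f"Unspent:     {left:,.0f}")
```

With the constructed numbers, the MFA and backup initiatives are funded, EDR is deferred only because the remaining budget cannot cover it (a candidate for the phased approach in the first question), and the DLP suite is deferred on its merits because its annual cost exceeds the expected loss it prevents. The effectiveness and ARO inputs are the weak point of any such model, so document where each estimate came from before presenting the ranking to leadership.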
This isn’t easy work, but it is the work of a modern CISO navigating an era of economic headwinds, adversary advantage, and a growing attack surface.
The security leaders who succeed in this environment won’t be the ones who chase perfection — they’ll be the ones who deliver meaningful risk reduction with ruthless efficiency.
