How to Make the Case for Security Spend When Everyone Else Is Cutting

By: Andrew Hale

Summary: 

You already know the argument. You've known it for years.

The challenge is convincing the people in the room who don't live this every day. The CFO who sees a cost center. The CEO who's heard "we've never had an incident" and quietly wonders if that's still true. The board member who wants to know why security keeps asking for more when every other department is being asked to do more with less.

This is the brief you hand them. These are the numbers they respond to. This is the argument built in their language.

Full Article:

Frame It as Risk, Not Cost

The first reframe you need to make in any budget conversation is moving the discussion from cost to risk. Finance leaders understand risk quantification. They use it every day. Your job is to make the risk of underinvestment as legible as any other business risk on the table.

Start with this number: the average cost of recovering from a ransomware attack is approximately $4.75 million, according to IBM's Cost of a Data Breach Report 2024. That figure covers recovery alone. It excludes regulatory fines, litigation from affected customers, breach notification requirements, and the reputational damage that follows an organization for years. When you factor those in, the real cost of a serious incident at a mid-market company can easily reach multiples of that figure.

Put your managed security investment next to it. The math is favorable by a significant margin. The annual cost of a comprehensive managed security program represents a fraction of what a single incident response and recovery effort would require. Ask your CFO to model it as insurance, because that's exactly what it is. Like any insurance, the premium feels most visible right before you need it.

The Asymmetry Argument: Why Cutting Now Costs More Later

The argument that tends to land with financially sophisticated executives is this: cutting security investment defers cost while increasing exposure. When the eventual spend happens reactively, under duress, after an incident, it costs dramatically more than continuous investment would have.

This plays out in a predictable pattern. Budgets shrink during lean years. Detection capabilities erode. Institutional knowledge walks out the door. Response playbooks go stale. Then comes a compromised credential, a successful phishing campaign, or ransomware on a poorly monitored segment, and the budget opens wide. At that point, you're paying incident responders at emergency rates, paying lawyers, paying notification vendors, and potentially paying regulators.

The organizations that fare best after an incident are the ones that maintained their investment in prevention, because a resilient security program requires continuity. Pausing it means rebuilding it later, and rebuilding is more expensive than maintaining.

Make this concrete for your CFO: security programs are built in layers over time. Detection tuning, runbook development, tool integration, alert logic: these capabilities compound. Reducing investment means losing the institutional knowledge that made the program functional. When you reinvest, you're rebuilding in an environment that has changed, with coverage gaps nobody documented, often after something has already gone wrong.

What Adversaries Know About Economic Downturns

Threat actors pay attention to economic conditions. Periods of organizational distraction, reduced staffing, and stretched IT teams are historically associated with increased attack activity. Adversaries are rational actors who target organizations that look like easier wins.

A security program that is visibly under-resourced, with slower response times, wider coverage gaps, and lapses in monitoring, becomes a more attractive target. A difficult economy is a reason to ensure your organization can absorb a shock, precisely because the cost of absorbing one while under-resourced is significantly higher. The organizations most exposed during a downturn are the ones that reduced the controls that would have contained an incident.

The Staffing Math Your Leadership Needs to See

When cost-cutting conversations move toward headcount, the operational reality is worth putting on the table directly.

Security operations does not scale linearly with staff. A team of two or three analysts protecting thousands of endpoints, managing hundreds of users, and fielding alerts across EDR, SIEM, identity, and email is already operating at or beyond functional capacity on a normal day. Studies consistently show that the majority of security teams never review a large portion of the alerts their tools generate. The volume is structurally unmanageable without the right automation, tuning, and support infrastructure in place.

Removing one analyst from a small security team can translate to a 50% reduction in functional coverage, depending on how responsibilities are distributed. When presenting this to a CFO, translate it into operational terms: what stops getting reviewed, what response times look like, and what the team stops being able to detect. Make the risk tangible and specific to your environment.

This is the operational gap that managed detection and response is designed to fill.

A service like RedLegg MDR provides 24x7x365 analyst coverage, automated alert enrichment, and continuous detection tuning, functions that would otherwise require multiple dedicated hires to sustain, and that degrade quickly when headcount is reduced.

The Regulatory Landscape Has Changed. Budget Cuts Are Now a Documented Decision

One dimension of this conversation that often gets underweighted in budget discussions is regulatory exposure, and it has shifted significantly in the last two years in ways your CEO and CFO may not have fully absorbed.

In July 2023, the SEC finalized its cybersecurity disclosure rule, which took effect for most public companies in December of that year. The rule requires organizations to disclose material cybersecurity incidents within four business days of determining they are material. It also requires annual disclosure of how the company manages cybersecurity risk, what role management plays in that oversight, and how the board is engaged. This is a legal reporting obligation with enforcement teeth, not a best practice recommendation. (SEC.gov)

What this means practically is that a decision to reduce security investment is now a documentable governance choice. The SEC has signaled clearly that it is examining whether leadership actively engaged with cybersecurity risk, asked the right questions, and allocated sufficient resources. According to enforcement analysis published by Clifford Chance, the SEC is scrutinizing the diligence of leadership, not just the technical failures of security teams. A failure to properly resource security functions is now a direct pathway to personal liability for executives. (Clifford Chance, 2024)

The practical implication for your CEO and CFO is this: if a breach occurs in the 12 months following a decision to cut security investment, that decision will be reviewed. The question of whether leadership allocated sufficient resources to manage cybersecurity risk will be asked by regulators, by plaintiff attorneys, and potentially by shareholders. Documenting a budget cut is straightforward. Defending it after an incident is considerably harder.

Your Cyber Insurance Policy May Not Cover What You Think It Does

Cyber insurance is often treated as a fallback in budget conversations. The assumption is that even if something happens, the policy covers it. There are two problems with that assumption in the current market, and both are worth putting in front of your CFO directly.

The first is that insurers have fundamentally changed what they require before issuing coverage. The days of a simple questionnaire and a policy are over. According to the National Association of Insurance Commissioners, the U.S. cyber insurance market reached $11.2 billion in direct written premiums in 2024, and insurers have responded to years of costly claims by moving to rigorous, verifiable underwriting standards. (NAIC, 2025)

Insurers now require documented proof of specific security controls as a baseline for insurability. Those controls include 24/7 monitoring through a security operations center, MFA enforcement across all accounts and remote access, endpoint detection and response, and regular security training with phishing simulations. These are operational capabilities that require sustained investment to maintain.

According to Coalition's 2024 Cyber Threat Index, 82% of denied claims involved organizations that lacked multi-factor authentication. Marsh McLennan's 2024 research found that 41% of cyber insurance applications were denied on first submission, with missing MFA and inadequate endpoint protection as the top two reasons. (MoneyGeek, citing Coalition and Marsh McLennan, 2024)

The second problem is the exclusion language. Most policies include a "failure to maintain security standards" exclusion. If a breach occurs and forensic review finds that the organization was not maintaining the controls it attested to in its application, the insurer has documented grounds to deny the claim. Analysis attributed to Deloitte found that 21% of cyber insurance claims were denied or partially denied in 2025, up from 15% in 2023, with 34% of those denials attributed to failure to maintain attested controls. (Legacy Leap, citing Deloitte analysis, 2026)

The takeaway for your CFO is direct: if your organization cuts the security investment that supports the controls your insurer requires, you may be paying premiums on a policy that will not pay out when you need it.

S&P Global projects 15 to 20% market-wide premium growth for 2026. Organizations that can demonstrate security maturity are positioned for better coverage at lower cost. Organizations that cannot are facing higher premiums, reduced coverage limits, and in some cases denial of renewal. (Legacy Leap, citing S&P Global, 2026) The cost of maintaining your security program and the cost of your insurance premium are connected. The total picture is more financially favorable for sustained investment than a line-item review of either one alone suggests.

The Questions Worth Putting in Front of Your CEO

A targeted set of questions can be more effective than a formal presentation for reframing how leadership is thinking about the decision.

"What would it cost us to recover from a serious breach right now, in dollars, downtime, and customer trust?"

Most CEOs have not done this math. Walking through it together changes the conversation.

"If we reduce this investment and something happens in the next 12 months, how do we explain that decision to the board?"

Accountability framing matters to executives. It makes the budget cut a decision with a named owner and documented consequences.

"What is the cost of rebuilding this program after reducing it, compared to maintaining it now?"

Continuity is almost always cheaper. Rebuilding after atrophy, with all the recruitment, retraining, re-tuning, and re-integration that involves, costs more than sustaining the program through a lean period.

"Does our current security posture meet the baseline controls our cyber insurer requires, and what happens to our coverage if it does not?"

Most CFOs have not connected these two conversations. This question does that directly.

What You're Actually Protecting
The essential argument is this: an organization that can absorb a security incident during a period of economic pressure is in a fundamentally stronger position than one that reduced its defenses to save on short-term costs.

The cost of a breach extends well beyond the financial. It includes operational continuity, the ability to serve customers during a recovery period that can last months, regulatory standing in industries with mandatory reporting obligations, and the confidence of a board that trusted leadership to manage risk responsibly.

Those consequences do not show up as a line item in next year's budget. They show up in every conversation after an incident that a sustained investment could have prevented.

You already know all of this. This is the language to make sure the rest of the room does too.

RedLegg provides managed detection and response, security operations, and continuous threat exposure management to mid-market and enterprise organizations. If you're navigating a budget conversation and want a clear picture of your current coverage and risk, we're a good place to start.

Frequently Asked Questions:

Security automation involves using workflows, orchestration, integrations, and automated response actions to reduce manual security tasks and improve operational efficiency. 

SOAR automation uses Security Orchestration, Automation, and Response platforms to automate workflows, enrich investigations, coordinate remediation, and integrate security tools. 

Automation often fails when workflows are not continuously refined or aligned to real analyst processes and operational requirements. 

Automation only delivers long-term value when workflows support how analysts actually investigate incidents and coordinate response processes. 

Security investigations frequently span SIEM, SOAR, vulnerability management, ticketing, and threat intelligence systems. Cross-platform integration reduces operational friction and improves workflow consistency. 

Automation workflows must evolve alongside infrastructure, APIs, operational priorities, and analyst workflows to remain effective over time.

Automation centralizes workflows, reduces repetitive investigation tasks, improves response consistency, and allows analysts to focus on higher-value operational decisions. 

SIEM visibility remains critical because organizations still require centralized telemetry, workflow visibility, and correlation across multiple operational systems. 

Security workflow automation involves automating repetitive investigation, enrichment, validation, and remediation tasks across multiple security platforms and operational processes.