Cybersecurity on a Budget

What to do when money is tight

Helen Patton
7 min readAug 21, 2022


I haven’t met a Chief Information Security Officer (CISO) yet, who hasn’t had to deal with tight budgets. It’s a normal state of affairs for security leaders. Even in industries that seem to throw a lot of money at cybersecurity, there are limits to how much money is available to spend, and no limit to the cybersecurity needs of an organization.

A stack of US twenty dollar bills

Being able to deal with the ups and downs of budgets is an important skill for security and business leaders. Because money is just math, it’s time to sharpen your pencil and get down to really understanding two things: how to increase the amount of money you get, and how to reduce the amount you spend.

Increasing Cybersecurity Income

Finding enough money to run a program the way you want can be a full-time task for even the most talented cybersecurity leader. No one has full control of their income stream, and the changeable nature of our risk profiles, industry influences, laws and regulations, and culture, can all influence what is available, and when. Consider:

Traditional Budgets

Most of us walk into a cybersecurity leadership role with some kind of budget, usually tied to the ongoing operations of the team we inherit. The budget is usually made up of a lot of staff, some vendor spend, maybe some internal company cross charges, and perhaps some random training/expenses line. Some companies require you to justify all that spend every year (“zero based budgeting”) , others give you next year what you spent this year, others let you make the case for whatever you need.

Regardless, you must get to know how that process works, who can influence the inputs into your budget, and how to maximize getting the most you can. Here is where you have conversations with CFOs and other leaders, making a business case for all the things you need. Consider hiring an ex-finance person directly into your team — their experience knowing where to find pots of money can be invaluable, and worth more than the cost of their compensation package.

This whole process can take up most of your time, but there are other sources of funds to consider.

Charge Backs and…



Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at or on Twitter @CisoHelen or on Mastodon

Recommended from Medium


See more recommendations