When the budget axe falls, security leaders face an impossible-sounding task: reduce risk with fewer resources. But as a recent CISO Series AMA revealed, some of the field’s sharpest minds have not only survived budget cuts; they’ve used them as forcing functions for smarter security.
Five security leaders gathered on r/cybersecurity to share stories and practical wisdom from the trenches.
- Gary Hayslip (u/Shaynei), VP and senior security advisor at Halcyon
- David Cross (u/MrPKI), CISO at Atlassian
- Nick Espinosa (u/NickAEsp), host of The Deep Dive Radio Show
- Will Gregorian (u/wgregorian), former senior director of technology operations and security at Galileo Medical
- Edward Frye (u/krypt0_ed), head of security at Luminary Cloud
What emerged was a masterclass in strategic thinking, operational creativity, and the art of making constraints work in your favor.
Stop talking about dollars, start talking about outcomes
When asked how to communicate security’s value to leadership, Nick Espinosa cut straight to the core problem: security teams are speaking the wrong language.
“My view here is to make it about the ‘correct’ dollar figure. I tend to frame it as defensible ranges tied to business outcomes. Why are we even focusing on impact to business processes, not threats? For each critical process, we typically estimate the financial resource against a narrow set of outcomes, like revenue disruption, customer trust, recovery and remediation costs, contractual penalties, long-term reputational damage, etc.” - Nick Espinosa (u/NickAEsp)
The shift is subtle but powerful. Instead of justifying a firewall upgrade with threat statistics, frame it around what happens if invoice processing goes down for two days. Nick’s approach produces defensible ranges rather than false precision: it acknowledges uncertainty while still giving leadership the business context they need to make decisions.
The operational value proxy: When hard dollars don’t exist
Will Gregorian took a different angle, one born from the reality of lean security teams without enterprise budgets.
“‘Dollar value of impact’ is usually a mirage, not a real number, and that’s OK. In practice, I avoid using false precision. I try to give leadership an order-of-magnitude view that’s good enough for comparing options and making decisions. What has worked well for me is the operational value as a proxy for when hard dollars aren’t concrete or measurable: time saved, fewer escalations, incidents, fire drills, faster audits, and fewer surprises.” - Will Gregorian (u/wgregorian)
This reframe is liberating. You don’t need a spreadsheet proving your EDR prevented $4.7 million in losses. You need to show that your team isn’t firefighting at 2 AM anymore, that audits close faster, and that executives aren’t blindsided by breach notifications. Operational improvements are measurable, defensible, and immediately understood by leadership, even when precise dollar figures remain elusive.
The “best-in-context” awakening
Edward Frye shared a transformation story that many security leaders will recognize: the moment they realize their shiny enterprise tools are solving yesterday’s problems.
“Moving from ‘Best-in-Name’ to ‘Best-in-Context’: When I arrived, the previous team had been buying ‘Best-in-Class’ solutions without looking at our context. We were a small team paying handcart to monitor Microsoft Defender for Endpoint on a $80/ea Mac shop. We had near-zero setup and adoption. The Risk Reduced: We created a massive velocity gap where malware could run wild on OSX through the ‘Windows-centric’ gaps. Wiz (from ~20% visibility to 99%) and Mean Time to Detect (MTTD): We went from ‘never knowing’ to ‘knowing in a matter of hours.’” - Edward Frye (u/krypt0_ed)
The fix? Contextual thinking. Edward’s team adopted solutions that matched their actual environment and constraints: a Mac-focused EDR in place of a Windows-centric one, Wiz for cloud visibility (from roughly 20% to 99%), and a measurable Mean Time to Detect (MTTD) of hours in place of “never knowing.” The result wasn’t just cost savings; it was a fundamental improvement in security posture achieved by matching tools to reality rather than chasing vendor marketing.
The AI question: Constraint as control
Few topics generate more heat than AI governance right now. When asked about blocking or constraining AI usage, David Cross offered the voice of reason.
“Definitely the latter is the best and most reasonable choice to guide organizations and it is not as constraining as many believe it will be on experimentation.” - David Cross (u/MrPKI)
Edward added a crucial point about organizational dynamics: teams trying to block technology adoption become the “no, and…” department, a losing position. The winning move is guidance toward controlled processes, not blanket prohibition.
Budget reallocation: The “best-in-name” tax
Gary Hayslip cut to the chase when asked about measuring reduced risk after budget cuts.
“For example, are you currently using ‘Best in Class’ tools that are meaningfully helping you or are they ‘Best in Class’ tools that are too expensive and you cannot operationalize them.” - Gary Hayslip (u/Shaynei)
This question exposes the dirty secret of enterprise security: tool shelfware. Gary advocates ruthless assessment. If a tool isn’t operationalized, it isn’t reducing risk, regardless of its Gartner rating. Better to have three tools your team actually uses than ten that sit idle because they’re too complex or expensive to deploy properly.
IAM: The cybersecurity leverage point
Will made a compelling case that identity and access management delivers outsize returns, especially under budget constraints.
“Letting IAM/SSO/RBAC (IdP policies) is usually high leverage and relatively low spend. It’s there already; nothing really changes. Identity and access management/compliance avoids dozens of email fires. Having the right least-privilege baseline in business apps is a nice-to-have budget conversation that makes you realize the sunk-cost fallacies.” - Will Gregorian (u/wgregorian)
The beauty of IAM investment is that the infrastructure is already there in most organizations: an IdP, SSO, and role definitions in the business apps. The work isn’t buying new tools; it’s implementing discipline around who has access to what, defining a least-privilege baseline per job function, and automating the recurring access reviews that catch drift from that baseline (excess roles, unapproved admin grants, leavers still enabled, dormant accounts). These efforts deliver ongoing returns without requiring new budget lines.
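As an added illustration of what that automated review looks like in practice (this is example code written for this summary, not a script any of the panelists shared), the following compares live role assignments in a hypothetical business app against a per-job least-privilege baseline and emits both findings and the minimal set of revocations. The job names, role names, and sample accounts are constructed; a real run would pull accounts from the app’s API or an IdP export and job status from HR.

```python
"""Least-privilege access review against a per-job baseline.

Added example, not code from the AMA. All role and job names and the
sample accounts below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed baseline: the roles each job function legitimately needs
# in a hypothetical business app. Anything beyond this is drift.
BASELINE = {
    "engineer": {"repo-read", "repo-write"},
    "finance": {"billing-read", "billing-write"},
    "support": {"tickets-read", "tickets-write", "billing-read"},
}
# Privileged roles are never part of a job baseline; every holder is
# surfaced separately so a named owner can justify (or remove) the grant.
ADMIN_ROLES = {"org-admin", "billing-admin"}
STALE_DAYS = 90  # no login in this window -> dormant account


@dataclass(frozen=True)
class Account:
    user: str
    job: str            # job function, as recorded by HR
    roles: frozenset    # roles currently assigned in the app
    last_login: date
    active: bool        # False once HR marks the person as a leaver


def review(accounts, today=date(2025, 3, 1)):
    """Return (findings, revocations).

    findings: list of (user, finding_kind) in review order.
    revocations: {user: set of roles} that restores the baseline.
    """
    findings = []
    revocations = {}
    for acct in accounts:
        if not acct.active:
            # Leaver still enabled: the highest-priority finding; every
            # role goes, regardless of what the baseline would allow.
            findings.append((acct.user, "leaver_still_enabled"))
            revocations[acct.user] = set(acct.roles)
            continue
        allowed = BASELINE.get(acct.job, set())  # unknown job -> nothing allowed
        excess = set(acct.roles) - allowed
        privileged = excess & ADMIN_ROLES
        if privileged:
            findings.append((acct.user, "privileged_role"))
        if excess - privileged:
            findings.append((acct.user, "excess_role"))
        if excess:
            revocations[acct.user] = excess
        if (today - acct.last_login).days > STALE_DAYS:
            findings.append((acct.user, "stale_account"))
    return findings, revocations


def summarize(findings):
    """Counts per finding kind: the number leadership can watch trend down."""
    return dict(Counter(kind for _, kind in findings))


# Constructed sample export; the situations mirror common review hits.
SAMPLE_ACCOUNTS = [
    Account("alice", "engineer", frozenset({"repo-read", "repo-write"}),
            date(2025, 2, 27), True),                       # clean
    Account("bob", "support", frozenset({"tickets-read", "tickets-write",
            "billing-write"}), date(2025, 2, 20), True),    # excess role
    Account("carol", "finance", frozenset({"billing-read", "billing-write",
            "billing-admin"}), date(2024, 10, 1), True),    # admin + dormant
    Account("dave", "engineer", frozenset({"repo-read", "org-admin"}),
            date(2025, 1, 15), False),                      # leaver still enabled
]

if __name__ == "__main__":
    found, revoke = review(SAMPLE_ACCOUNTS)
    for user, kind in found:
        print(f"{user:8} {kind}")
    print("revocations:", {u: sorted(r) for u, r in revoke.items()})
    print("summary:", summarize(found))
```

The review is deliberately baseline-driven rather than rule-driven: the security team maintains one small table of job-to-roles, and the script derives every finding from it, so adding a new app or job function means editing the table, not the logic. Running it on a schedule and tracking the summary counts is one concrete way to turn “fewer surprises” into a number without a new budget line.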
The real win: Constraints force clarity
Perhaps the most valuable insight from the AMA wasn’t any single tactic, but the meta-lesson running through every response: budget constraints force security leaders to think clearly about what actually matters. When you can’t buy everything, you have to prioritize ruthlessly. When you can’t staff a 24/7 SOC, you have to automate intelligently. When you can’t afford “best in class,” you have to choose “best in context.”
The panelists demonstrated that budget cuts don’t have to mean security cuts. Sometimes, they mean security gets better because you’re finally forced to stop doing security theater and start doing security that matters. Whether it’s framing impact in business outcomes, leveraging existing IAM infrastructure, or swapping expensive shelfware for tools that fit your environment, the path forward is about discipline, context, and creative problem-solving.
Join us again for our next Reddit AMA starting Sunday, February 22:
“I’ve been a CISO more than once. Ask me anything about how the job differs between organizations.”