5 ways to make cybersecurity a top priority  

COMMENTARY: We hear this more and more from clients: “We’re unable to forecast,” or “Our budgets are frozen.”

Meanwhile, the need for cybersecurity education hasn’t gone away. If anything, it’s growing. So, how do we protect our people and organizations during a volatile economic climate?

This conversation represents a broader trend. As global economic headwinds persist, many organizations have tightened their belts and put plans on hold. Tariffs on imported technology, inflationary pressures and unpredictable market conditions have forced CFOs to freeze or slash budgets and postpone purchases.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Unfortunately, cybersecurity, and particularly workforce training and enablement, often viewed as a cost center rather than a strategic imperative, tends to feel the squeeze first.

But here’s the hard truth: cybercriminals don’t wait for the economy to stabilize. While many organizations feel frozen, the criminals are poised to thrive.

The hidden cybersecurity cost of economic barriers

Economic measures influencing technology imports have a direct and indirect impact on cybersecurity posture. Here’s how:

  • Increased cost of security infrastructure: Additional costs on critical hardware components like servers, firewalls and networking equipment raise the expenses of upgrading or expanding security infrastructure. Organizations may delay critical refresh cycles, leaving outdated systems vulnerable.
  • Supply chain disruptions: Challenges in global supply chains can lead to delays in acquiring essential security tools or replacement parts. This can extend the lifecycle of insecure legacy systems.
  • Vendor consolidation and reduced competition: Economic barriers may force smaller cybersecurity vendors out of the market or limit their ability to compete, reducing innovation and increasing reliance on a few large providers.
  • Budget reallocation: As companies absorb additional costs in other areas, such as manufacturing or logistics, they may reallocate funds away from IT and cybersecurity, particularly security awareness training, to cover operational shortfalls.

Economic uncertainty: A breeding ground for cyber risk

Broader economic uncertainty compounds the problem. When organizations freeze budgets, they often:

  • Delay security projects: Initiatives such as zero-trust implementation or cloud security upgrades are postponed.
  • Reduce headcount: Security teams are downsized or asked to do more with less, increasing burnout and reducing effectiveness.
  • Ignore emerging threats: With limited resources, organizations focus only on known threats, leaving them exposed to new and evolving attack vectors.
  • Neglect the human element: The workforce, the last line of defense in cybersecurity, gets deprived of the crucial training they need to effectively do their part.

This creates a perfect storm. Cybercriminals are opportunistic. They know that during economic downturns, organizations are distracted, under-resourced and more likely to have exploitable vulnerabilities. Ransomware gangs, phishing scammers and nation-state actors don't take economic breaks -- they double down.

The risk of standing still

It’s always dangerous for companies to decide that it’s “good enough” to maintain last year’s cybersecurity plan. Threats evolve rapidly. Attackers innovate constantly. What protected the company in 2024 may be obsolete in 2026.

Imagine skipping an annual flu shot just because last year’s winter wasn’t bad. That’s what postponing cybersecurity education and training feels like in today’s environment.

So, where do we go from here? How can we stay secure without breaking the bank? Here are five strategies that can help, and most don’t require a massive investment:

1. Reframe cybersecurity as risk management.

Cybersecurity isn’t just IT’s job — it’s everyone’s business. Frame investments in terms of risk reduction, regulatory compliance, and brand protection. A single breach can cost millions in fines, downtime and reputational damage, far more than the cost of proactive defense.

2. Focus on high-impact, low-cost initiatives.

Not all security improvements require massive investments. Prioritize the following:

  • Employee training: Phishing remains the top attack vector. Regular, engaging training drastically reduces risk.
  • Multifactor authentication (MFA): A low-cost, high-impact control that blocks many credential-based attacks.
  • Patch management: Ensure systems are up-to-date. Many breaches exploit known vulnerabilities.

3. Leverage existing tools more effectively.

Many organizations underutilize the tools they already own. Conduct a security stack audit to identify overlapping capabilities, unused features or opportunities to consolidate vendors.

4. Adopt a risk-based approach.

Not all assets are equally critical. Use a risk-based framework to prioritize protection for the company’s most valuable data and systems. This ensures resources are allocated where they matter most.

5. Consider Cybersecurity-as-a-Service.

Managed security services can offer enterprise-grade protection at a fraction of the cost of building in-house capabilities. This model offers flexibility and scalability, especially useful during uncertain times.

In tight times, training and enablement are often deprioritized or overlooked, but now’s exactly when employees need support the most. Uncertainty breeds anxiety and stress, increasing the likelihood of mistakes.

Smart organizations see security awareness and role-based training not as optional, but as an essential layer of defense. Whether through simulated phishing, targeted education or just-in-time microlearning, building a cyber-aware workforce helps compensate for gaps in tools or staffing.

In other words, empowering people remains one of the most cost-effective ways an organization can strengthen its security posture, especially during uncertain times. It’s not possible to eliminate every risk, so build a workforce that knows how to spot trouble and stop it in its tracks.

A call to action for leadership

CISOs and IT leaders must become storytellers and communicate the value of cybersecurity by framing it within the context of business continuity and financial outcomes. Use real-world examples, threat intelligence and risk assessments to make the case for continued investment.

At the same time, boards and executives must embrace cybersecurity not as an option, but a core business function. It’s foundational. Cutting corners here isn't savings -- it's deferred risk. Just as we wouldn’t stop locking our doors during a recession, companies can’t afford to pause their cyber defenses.

Where we go from here matters.

Yes, economic pressures are real. But let's not let short-term uncertainty create long-term damage. Cybersecurity helps us keep our people, systems, and future business growth protected.

That’s why we need to make it a top priority.

Holly Fuemmeler, manager of cybersecurity education; Tiffany Shogren, director of services enablement and education, Optiv
