The Pressure Is Up. The Budget Isn’t. How CISOs Are Making It Work

Hwei Oh
05/12/2026

There’s a phrase that has been haunting security leaders for the better part of three years: “Do more with less.” Once an occasional C-suite prompt, it has become a standing instruction, the implicit subtext of every budget review, every headcount freeze, every quarterly business review where security sits across the table from a CFO asking hard questions about ROI.

The difficult reality is that this pressure isn’t going away. And for CISOs caught between escalating threats, shrinking budgets, and boards that now have legal skin in the game, the ability to make a compelling, financially grounded case for security investment has become as critical a skill as any technical competency.

The Budget Environment Is Getting Harder, Not Easier

For years, the trend line for security budgets pointed in one direction: up. Post-pandemic investment surges, high-profile breaches, and the digitisation of everything combined to push security spending steadily higher. That period is over.

According to IANS Research and Artico Search’s 2025 CISO Compensation and Budget Study, average annual security budget growth dropped to just 4% in 2025, the lowest rate in five years, and a sharp fall from 8% growth in 2024. More striking: only 47% of CISOs reported a budget increase this year, down from 62% in 2024 and 78% in 2022. The majority — 54% — are now operating with flat or shrinking budgets.

At the same time, security’s share of total IT spend is declining. Security dropped from 11.9% of IT budgets in 2024 to 10.9% in 2025, breaking a five-year upward trend. The reason is telling: overall IT spending is growing again, but the incremental dollars are flowing toward AI infrastructure and cloud, not security. The security team is effectively competing with the organisation’s AI transformation agenda for the same constrained pool of resources.

Staffing is feeling the same squeeze. Only 45% of CISOs were able to add headcount in 2025, down from 67% just three years ago. Nearly half reported flat team sizes, and, perhaps most sobering, only 11% of CISOs believe their teams are adequately staffed.

Boards Are Watching More Closely Than Ever — and the Stakes Are Personal

The irony is that all this budget compression is happening at exactly the moment boards are more engaged with cybersecurity than at any point in corporate history. That engagement, however, is not purely supportive. It is scrutinising.

The SEC’s cybersecurity disclosure rules, in force for all public companies since mid-2024, require a material cybersecurity incident to be reported on Form 8-K (Item 1.05) within four business days of the company determining that the incident is material, and require the company’s cyber risk management, strategy and governance to be described annually in Form 10-K (Item 1C). Note that the four-day clock starts at the materiality determination, not at detection, which is why the process for reaching that determination promptly is itself part of the governance story. For CISOs at publicly listed organisations, cyber risk is now a mainstream topic in investor communications. The quality of what gets disclosed reflects directly on the quality of governance and on the CISO personally.

The personal liability angle cannot be overstated. The SEC’s action against SolarWinds and its CISO, and the criminal conviction of Uber’s former CISO over the handling of a 2016 breach, sent a clear signal: being the person accountable for cybersecurity now carries legal and financial risk that extends well beyond job loss. The New York Department of Financial Services (NYDFS) requires the CISO of each covered entity, together with its highest-ranking executive, to certify compliance with its cybersecurity regulation (23 NYCRR Part 500) annually. Across Europe, NIS2 makes the management bodies of essential and important entities accountable for approving and overseeing cyber risk management measures, with personal liability for their members. The regulatory environment is converging on one message: security failures have named individuals attached to them now.

Gartner has observed that boards are increasingly focused on cutting tech stack sprawl and expensive licensing fees. Additionally, approval of security budgets now hinges on CISOs delivering measurable returns. This represents a genuine shift: from “trust us, we need this” to “show us what we’re getting”.

The New Skill: Translating Risk into the Language of the Boardroom

The CISO who survives and thrives in this environment is the one who has internalised that the board’s job is to manage business risk, not cybersecurity. That distinction changes everything about how security needs to be communicated.

Technical metrics don’t move boards. Coverage percentages, MTTR figures, and vulnerability counts communicate competence to security professionals, but they don’t help a director decide whether the organisation is carrying an acceptable level of risk relative to its appetite. What boards need is financial context.

This is exactly the problem that frameworks like FAIR (Factor Analysis of Information Risk) were built to solve. FAIR decomposes a risk scenario into loss event frequency (how often a loss occurs) and loss magnitude (what each occurrence costs), and expresses the result as financial loss exposure, typically as a range rather than a single number. That gives security leaders the ability to model threat scenarios in dollar terms and to compare the cost of a control investment against the expected reduction in loss. It presents risk decisions in the same language CFOs and boards use every day, and shifts the conversation from “here’s what I need” to “here’s the expected financial outcome of each option.”
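To make the FAIR-style comparison concrete, here is an added example (not code from the article, and not a FAIR Institute tool) that runs a small Monte Carlo simulation over a threat scenario: each of loss event frequency and loss magnitude is given as a three-point estimate, a proposed control scales one or both, and the output is the annualized loss exposure before and after the control plus a simple return-on-security-investment figure. The scenario name, the estimates, the control’s effect and its cost are all constructed for illustration and are not real figures.

```python
"""
FAIR-style Monte Carlo: annualized loss exposure for one threat scenario,
with and without a proposed control, and a return-on-security-investment
(ROSI) figure a CFO can argue with.

Added illustration, not code from the article. All scenario values are
constructed for the example.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Three-point estimate (min / most likely / max), sampled as a
    modified-PERT distribution (beta with shape weight lambda = 4)."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        return (self.low + 4 * self.likely + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        width = self.high - self.low
        if width <= 0:
            return self.low
        a = 1 + 4 * (self.likely - self.low) / width
        b = 1 + 4 * (self.high - self.likely) / width
        return self.low + rng.betavariate(a, b) * width


@dataclass(frozen=True)
class Scenario:
    """FAIR top-level factors: loss event frequency (events per year)
    and loss magnitude per event (currency units)."""
    name: str
    lef: Pert
    lm: Pert


@dataclass(frozen=True)
class Control:
    """A control scales LEF and/or LM (0.3 = 70% reduction) and costs
    `annual_cost` per year to run."""
    name: str
    lef_multiplier: float
    lm_multiplier: float
    annual_cost: float

    def apply(self, s: Scenario) -> Scenario:
        def scale(p: Pert, k: float) -> Pert:
            return Pert(p.low * k, p.likely * k, p.high * k)
        return Scenario(f"{s.name} + {self.name}",
                        scale(s.lef, self.lef_multiplier),
                        scale(s.lm, self.lm_multiplier))


def expected_ale(s: Scenario) -> float:
    """Closed-form expected annual loss: E[LEF] * E[LM], assuming the
    two factors are independent. Useful as a sanity check on the MC."""
    return s.lef.mean() * s.lm.mean()


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, trials: int, seed: int) -> list[float]:
    """Simulate `trials` years. Each year draws an event rate, a Poisson
    event count for that rate, and an independent magnitude per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        n_events = _poisson(rng, s.lef.sample(rng))
        losses.append(sum(s.lm.sample(rng) for _ in range(n_events)))
    return losses


def summarize(losses: list[float]) -> dict:
    """Mean plus tail percentiles; boards care about p90/p99, not just mean."""
    ordered = sorted(losses)

    def pct(q: float) -> float:
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {"mean": sum(ordered) / len(ordered),
            "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99),
            "max": ordered[-1]}


def compare(s: Scenario, c: Control, trials: int = 20_000, seed: int = 7) -> dict:
    """Baseline vs. controlled exposure; ROSI = (loss avoided - cost) / cost."""
    base = summarize(simulate_annual_losses(s, trials, seed))
    mitigated = summarize(simulate_annual_losses(c.apply(s), trials, seed))
    avoided = base["mean"] - mitigated["mean"]
    return {"baseline": base, "mitigated": mitigated,
            "loss_avoided": avoided,
            "rosi": (avoided - c.annual_cost) / c.annual_cost}


# Constructed scenario: business email compromise via phished credentials.
BEC = Scenario("BEC via phished credentials",
               lef=Pert(0.1, 0.5, 2.0),               # events per year
               lm=Pert(50_000, 250_000, 1_500_000))   # loss per event
# Constructed control: phishing-resistant MFA cuts frequency by 70%.
MFA = Control("phishing-resistant MFA", lef_multiplier=0.3,
              lm_multiplier=1.0, annual_cost=60_000)

if __name__ == "__main__":
    r = compare(BEC, MFA)
    for label in ("baseline", "mitigated"):
        print(f"{label:>9}: mean={r[label]['mean']:,.0f} "
              f"p90={r[label]['p90']:,.0f} p99={r[label]['p99']:,.0f}")
    print(f"loss avoided/yr ~ {r['loss_avoided']:,.0f}; ROSI ~ {r['rosi']:.0%}")
```

The point of the percentiles is that a board decision hinges as much on the tail (what a bad year looks like) as on the mean; the closed-form `expected_ale` is there to check that the simulation is not drifting from the inputs. Swap in your own three-point estimates and control assumptions; the structure is the same for any scenario.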

The practical application goes further than methodology. CISOs who are winning the boardroom conversation in a tight budget environment are doing several things consistently:

  • Reframing spend as risk treatment, not cost. Every security investment either reduces the probability of a loss event, reduces its magnitude, or transfers it. Presenting the budget in these terms (“here is what we are choosing to protect against, and here is what we are choosing to accept”) gives the board a genuine governance decision, rather than a line-item approval exercise.
  • Making the “what we’re not protecting” conversation explicit. In a compressed budget environment, choices are unavoidable. CISOs who try to cover everything with insufficient resources expose themselves to the worst outcome: spread too thin to stop anything. The leaders gaining credibility with boards are the ones who bring explicit prioritisation decisions into the room, supported by risk data. This gives them the confidence to say: “Given this budget, this is where our exposure remains.”
  • Tying every major investment to a business risk, not a threat category. Boards understand operational disruption, regulatory penalties, reputational damage, and revenue impact. Framing security investments in those terms (“this protects our ability to process payments”, “this reduces our likelihood of a disclosable incident”) creates a shared language that holds up in the boardroom.
  • Benchmarking externally. Boards respond well to comparative context. Knowing that your security budget as a percentage of IT spend sits above or below peer organisations, or that your incident response capability compares favourably to industry benchmarks, gives directors a reference point for evaluating risk decisions. It also demonstrates that the CISO is operating from data, not intuition.

The Efficiency Argument: When the Best Investment Isn’t More Spend

There’s a third dimension to the budget conversation that is often missed: it’s not only about how much you spend, but how efficiently you’re spending it.

The average large enterprise runs dozens of overlapping security tools, each with its own licensing cost, operational overhead, and alert stream. Boards are increasingly asking whether this sprawl is delivering proportional protection and, in many cases, the honest answer is no. Tool consolidation isn’t just a cost-saving measure; it’s a security improvement, because reducing noise and complexity directly improves detection quality and response time.

The same logic applies to the internal vs. external provision of security operations. The fully loaded cost of an in-house SOC (salaries, benefits, tooling, training, 24/7 coverage, management overhead) is frequently underestimated when CISOs are making the case for headcount. Yet, when that comparison is made honestly, the economics of managed security often become compelling, particularly for organisations where the board is asking why security costs are high while outcomes remain uncertain.

A Model That Solves the Budget Problem at Its Root

The most elegant answer to board-level budget pressure is not a better slide deck. It’s a security model whose cost structure is inherently defensible.

This is where a genuinely modern, human-led MSSP reframes the entire conversation. Rather than presenting a budget built from headcount, tool licenses, infrastructure, and 24/7 coverage, each line item subject to individual challenge, a managed security partnership converts that entire stack into a single, predictable, per-user subscription. That is a CFO-friendly structure. It scales with the business, it is comparable to peer organisations, and it eliminates the hidden costs that inflate in-house security programs: recruitment fees, retention risk, knowledge gaps during transitions, and the ongoing burden of keeping tooling current against a moving threat landscape.

SolCyber is built precisely for this moment. As a fully managed, human-led MSSP, SolCyber delivers a curated, enterprise-grade security stack, covering endpoint, identity, email, and cloud through a clean per-user subscription model, without the complexity, wastage, and unpredictability of a DIY security program. For a board asking what they’re getting for their security spend, SolCyber offers something most in-house programs struggle to articulate: a clear, transparent, outcomes-based service with expert practitioners who take full ownership of detection, response, and remediation.

For CISOs navigating flat budgets and heightened board scrutiny simultaneously, the managed security model doesn’t just reduce cost, it changes the nature of the conversation entirely. Instead of defending a complex internal program line by line, the security leader walks into the boardroom with a proven external partner, demonstrable coverage, and a cost structure that any CFO can understand and benchmark.

In an era where doing more with less has become a permanent condition, the CISOs who will thrive are those who find ways to decouple security effectiveness from headcount and tooling spend. That structural shift is available now and it starts with asking whether the model you’re running is the right one for the environment you’re operating in.

Want to understand what a cost-efficient, board-ready managed security model looks like in practice? Explore SolCyber’s approach to fully managed cybersecurity.

Photo by Jakub Żerdzicki on Unsplash
