Cybersecurity leaders are being asked to reduce risk in an environment where expectations continue to rise but hiring capacity does not. In the Cyber Security Tribe Annual Report, based on responses from 455 cybersecurity practitioners surveyed between December 2025 and January 2026, budget restrictions preventing hiring emerged as the leading workforce concern. That result points to a challenge many CISOs already know well: risk exposure does not pause simply because headcount approvals stall. The pressure to protect the business, support transformation, meet compliance demands, and respond to incidents remains, even when teams are expected to do more with less.
This article is part of a wider Cyber Security Tribe series based on findings from the annual report and expert conversations held at RSAC 2026 in San Francisco. Across the series, senior cybersecurity leaders and practitioners were asked to respond to key issues shaping the profession, including agentic AI, AI governance, quantum computing, employee concerns, and investment priorities. For this article, we asked a focused question tied directly to one of the report’s clearest workforce signals: If budget restrictions are preventing hiring, how can CISOs make the business case for investment when staffing is essential to reducing risk?
The responses that follow explore how security leaders can reframe the hiring discussion in terms the business is more likely to act on. They highlight the need to connect staffing and capability decisions to measurable risk reduction, operational resilience, business enablement, and return on investment. They also examine how security leaders can strengthen their case by showing where visibility gaps, response bottlenecks, and control weaknesses already carry measurable cost.
Thought leaders who contributed to the article include:
Rock Lambros, Director of AI Security and Governance at Zenity
As a recovering CISO, I will say plainly that the headcount fight is often a losing one. CISOs who keep arguing for staff the same way tend to get the same answer.
Budget holders are not ignoring risk. They are comparing return on investment. A $120,000 analyst hire is difficult to justify when a $40,000 AI-augmented platform can perform large portions of tier-one triage.
Instead of arguing for headcount, CISOs should argue for capability. Show the board exactly where detection gaps exist today, quantify the potential impact of those gaps, and demonstrate how the right combination of technology and specialized human expertise closes them. One experienced threat hunter working alongside agentic AI often delivers greater measurable risk reduction than multiple junior analysts working alone. Frame the discussion around precision and impact rather than volume of staff.
Michael Halabi, VP, Security and Compliance, Sumo Logic
Businesses are moving faster and faster, and speed has a security tax. Corners get cut, deadlines override process, and risk accumulates quietly, until it doesn't. Security and GRC are thought of as chains dragging the business down, but the reality is they’re the foundation that makes scaling sane and safe. The starting point for any budget conversation is highlighting these risks and tradeoffs explicitly: what are the specific gaps, what is the exposure, and what does failure here actually cost the business in dollars?
That’s table stakes for the conversation. The more persuasive one, and the one more likely to move a CFO, is framing security headcount as a revenue enabler, and then proving it.
This won't apply to every organization, but for any company where security posture is part of the value proposition, the security team has a direct role in the commercial motion. Proactive compliance, pursuing certifications and attestations that open doors in enterprise sales, is the obvious example. But there's also a more direct play: putting security practitioners in front of customers who have serious security or compliance requirements, letting them speak peer-to-peer rather than routing everything through a sales team. That shortens deal cycles and builds trust that marketing can't manufacture. Building a process around tracking growth attributable to your team is fundamental and a huge aid in having these conversations.
This requires doing some internal legwork. You have to find the sales and marketing teams struggling to close deals and insert yourself into those conversations. But once you're contributing to their pipeline, they become allies in your budget conversations upward. Security stops being a cost center asking for money and becomes a revenue function delivering it.
Willie Tejada, GM & SVP, Aviatrix
Stop asking for headcount. Start showing the board that a cloud network security platform replaces three point products and a headcount req. The budget conversation changes when security becomes a consolidation play, not an expansion request.
Security investments should be tied to measurable risk reduction, regulatory exposure, customer trust, and the ability to pursue new initiatives safely. If embedding security into the cloud fabric enables faster AI deployment or smoother entry into regulated markets, that is a growth conversation, not just a defensive one.
CISOs should demonstrate how platform consolidation at the cloud network layer offsets manual workload, eliminates redundant tooling, and improves operational efficiency.
Shashi Kiran, Chief GTM Officer, Nile
The scope of the CISO’s responsibility is increasing as security becomes more pervasive. CISOs should partner with CIOs as well as business leaders to ensure they’re putting in place a framework where security is everybody’s mandate, not just the CISO’s, and is baked into the organizational DNA. This keeps one team from becoming a bottleneck while giving it the authority to scale its framework for risk management and compliance with the right guardrails.
Autonomous Operations and leveraging AI appropriately will go a long way in scaling security and maximizing the impact of lean IT and security teams.
Darren Meyer, Security Research, Checkmarx
Data tends to win hiring arguments. CISOs who can identify gaps in visibility and gaps in response speed and capacity have a strong budget argument based on the need to make clear, cost-effective risk decisions. While boards increasingly favor tools and AI systems in security, even the best AI tools still need the shepherding of experienced practitioners, else they become empty investments incapable of achieving appropriate ROI. CISOs who can demonstrate a clear plan to use tools and hiring together as part of a comprehensive plan to maximize the ROI of the security budget will tend to find better receptions from their boards.
Niall Browne, CEO and Co-founder, AIBound
The old adage of "risk minus new headcount equals reduced risk" is no longer the answer the CFO is looking for. Today, before approving even one additional hire, every CFO will ask: how can we augment that headcount with AI so the company becomes more efficient?
This is not the future; it is the present. The business case for security hiring must now be framed in terms of force multiplication, not just headcount. CISOs should present budget requests that pair people with AI-driven platforms: show how one analyst augmented by AI-powered triage, automated playbooks, and intelligent alert correlation can deliver the output of three.
Demonstrate how AI integrated into the SDLC process catches vulnerabilities earlier and cheaper than post-deployment remediation. Show how AI-driven operations can manage five-nines availability with fewer on-call engineers.
The CFO does not want to hear that more bodies reduce risk; they want to see that the team is leveraging every available efficiency before asking for additional headcount. Frame security investment as a combination of people, AI platforms, and automation that together deliver measurably better outcomes per dollar spent. For example, teams deploying AI copilots for alert triage are reporting 80% reductions in mean time to triage, the equivalent of adding four FTEs without a single new hire.