Immediate threats or long-term security? Deciding where to focus is the modern CISO’s dilemma

Cybersecurity has become a high-stakes balancing act — the modern CISO is under constant pressure to protect their organization from the latest threats, including ransomware and phishing, while also developing long-term security strategies and reporting to the C-suite and board.

This means juggling immediate needs, such as patching vulnerabilities and responding to cyber incidents, with long-term goals, including adopting emerging technologies and developing a skilled cybersecurity team.

This challenge is made worse by limited budgets and the need to justify the value of security investments to the business.

Consequently, CISOs must figure out how to prioritize spending, allocate resources, and make data-driven decisions to meet both short-term and long-term security needs, which require a strategic balance between proactive and reactive approaches, Lisa Hall, CISO at SafeBase, tells CSO.

Conducting thorough risk assessments to understand the likelihood and impact of potential threats is essential for this, she says. This helps CISOs decide where to focus security efforts and ensure that spending on security aligns with their companies’ goals.

“Moreover, investing in people is crucial; while tools and technologies are important, skilled personnel are necessary to implement, manage, and maintain these solutions — making human capital a pivotal element in a robust cybersecurity strategy,” Hall says.

Balancing immediate threat response with long-term vision

The rapid growth of new technology, such as AI, along with complex laws, global conflicts, and economic worries, is making it difficult for companies to ensure they’re protected from cyberattacks, says Harpreet Sidhu, Accenture’s North America cybersecurity lead.

“Amidst this backdrop, CISOs must carefully balance addressing immediate threats, such as ransomware attacks, with long-term security needs, such as infrastructure upgrades,” he says.

To protect their companies from cyberattacks, IT security leaders should focus on the highest of risks, according to Sidhu.

This means constantly checking the company’s security, finding weaknesses, and prioritizing investments accordingly, he says. It’s also important to work with other departments, such as IT and finance, to ensure that security initiatives help the entire company reach its goals.

“By proactively addressing both immediate threats and long-term security needs, CISOs can effectively balance protecting their organizations from cyberattacks and ensure business continuity,” Sidhu says.

James Robinson, CISO at Netskope, says his strategy is based on a balanced approach that’s tied to the annual planning process. The key is ensuring that the budget funds proactive security measures and quick responses to threats but also aligns with corporate goals.

“What this looks like is that we’re prepared to address urgent threats like ransomware while simultaneously investing in governance and preventative measures to reduce our attack surface and incorporate emerging technologies,” he says.

For Robert Hughes, CISO of RSA Security, the key for any security team is balancing day-to-day tasks with long-term planning. The amount of time spent handling routine issues depends on the company’s business and the security team’s responsibilities.

“You need to understand that and look for efficiencies because security leaders need to focus enough time to be diligent about strategic planning,” Hughes adds.

If a CISO is constantly putting out fires, they can’t focus on strategic planning, Hughes says.

“And if a CISO is spending all their time firefighting, the question is are those really fires or can they wait awhile for you to put some of the right structure, documentation, and processes in place that reduce risk and get to the appropriate level of the security team’s involvement,” he says.

Demonstrating security ROI for short- and long-term projects

Bryan Willett, CISO at Lexmark International, says that prioritizing security spending requires a delicate balancing act. “We must constantly assess the risk landscape, weighing the potential impact and likelihood of both immediate threats, [such as] ransomware and long-term vulnerabilities, [such as] outdated infrastructure,” he says.

It’s often hard to get funding for security when the company hasn’t suffered any cyberattacks because it feels abstract to decision-makers, Willett says.

“A key skill for any CISO is the ability to communicate effectively, turning technical terms into business language,” he says.

This involves explaining how a security issue could disrupt operations, harm the company’s reputation, or cause financial losses, Willett says.

“Use examples of real incidents from the industry to make your point,” he says. “By showing how security investments can prevent these risks, you can create a strong case for both short-term and long-term projects.”

Robinson says that the Log4J zero-day vulnerability was an event that challenged him to balance that immediate threat with his long-term security investments because addressing it required a major initiative from his team to identify, respond to, and mitigate the threat quickly.

“To do this effectively meant I had to reallocate resources from long-term projects,” he says. “This experience really underscored for me the importance of dual focus in security investments that enhance overall resilience.”

Budget allocation: immediate vs long-term security

CISOs need to balance their budgets between immediate threat responses and long-term investments in cybersecurity infrastructure, says Eric O’Neill, national security strategist at NeXasure and a former FBI operative who helped capture former FBI special agent Robert Hanssen, the most notorious spy in US history.

While immediate threats require attention, CISOs should allocate part of their budgets to long-term planning measures, such as implementing multi-factor authentication and phased infrastructure upgrades, he says.

“This balance often involves hiring incident response partners on retainer to handle breaches, thereby allowing internal teams to focus on prevention and detection,” O’Neill says. “By planning phased rollouts for larger projects, CISOs can spread costs over time while still addressing immediate vulnerabilities.”

Clare Mohr, US cyber intelligence lead at Deloitte, says a common approach is for CISOs to allocate 60 to 70% of their budgets to immediate threat response and the remainder to long-term initiatives –although this varies from company to company.

“This distribution should be flexible and reviewed annually based on evolving threats,” she says. “Longer term should be thought of like R&D — where in order to stay current on trends in threats and technology — time and money need to be invested to test and validate what new capabilities could provide a meaningful return on investments.”

Nicholas Kathmann, CISO at LogicGate, says that when resource planning, it’s a good idea to have a certain percentage of staff time (30% is a good rule of thumb) dedicated to long-term projects vs the day-to-day work keeping the lights on. This makes it possible to respond to immediate threats effectively, with only minimal risk of impacting project timelines.

“Most immediate threat response involves config changes, patch management, compensating controls, etc., which don’t require an immediate spend on new tooling or capabilities,” he says. “That said, there should always be a percentage of the budget set aside for digital forensics and incident response, with the intention of tapping into cyber insurance for anything that exceeds that amount.”

A real-world example of balancing immediate threats and long-term security

“I worked with a CISO of a midsize financial services company, who faced a challenging situation when a new, sophisticated phishing campaign began targeting their industry,” says AJ Yawn, partner in charge of product and innovation at Armanino.

This immediate threat required significant resources to bolster the company’s email security and employee training programs, he says. However, they were also in the middle of a crucial long-term project to implement a zero-trust architecture, which was essential for their overall security posture and future compliance needs.

Yawn says that to balance these competing priorities, they decided the best approach was to:

• Conduct a rapid risk assessment to quantify the potential impact of the phishing threat vs the risks of delaying the zero-trust implementation.
• Implement a phased approach, allocating additional resources to immediate phishing defenses while continuing the zero-trust rust project at a slightly reduced pace.
• Negotiate with the company’s email security vendor to obtain advanced anti-phishing tools at a discounted rate, bundled with commitments for other security solutions needed for the zero-trust architecture.
• Use a managed security service provider to temporarily augment security operations center capabilities, freeing up in-house employees to continue work on the zero-trust implementation.
• Communicate transparently with the board about the trade-offs and risks associated with this approach, securing a 15% budget increase to support both initiatives.
• Accelerate the implementation of multi-factor authentication across all systems as part of the zero-trust project, which served both immediate phishing defense and long-term security improvement goals.

The result of implementing this approach to balancing immediate threats and long-term security was a 70% reduction in successful phishing attempts and a 40% improvement in overall security posture within six months, Yawn says.