Practical Guide - Evaluating Security Cost Cuts Without Destroying Your Business
This episode is brought to you by Authentrend, providing biometric FIDO2 security solutions that make MFA actually work for small businesses. Check them out at authentrend.com/smallbizcyberguy
Right, enough horror stories. Time for practical guidance.
You're facing pressure to cut security costs. Maybe your CFO is demanding 15% budget reductions. Maybe your board wants "efficiency gains." Maybe you're bootstrapping and genuinely can't afford everything.
How do you decide what to cut without accidentally destroying your business?
The Core Problem
Traditional cost-benefit analysis fails for security spending because:
Benefits are invisible when working correctly. Training that prevents breaches shows zero ROI until the breach that didn't happen. You can't measure the value of disasters that don't occur.
Costs are delayed and non-obvious. Cut training today and the breach arrives eight months later. The causal link is clear in hindsight but invisible at decision time.
Probabilities are uncertain. "What's the chance we'll be breached?" has no precise answer. But the 2025 Cyber Security Breaches Survey found that 43% of UK businesses identified a breach or attack in the previous 12 months, so claiming "it won't happen to us" is statistically suspect.
Downside costs are catastrophic. Small savings (£15,000 on training) enable large losses (£230,000 breach costs). The asymmetry makes traditional ROI calculations misleading.
We need better frameworks.
The Decision Framework
Before cutting any security cost, work through these five questions systematically.
Question 1: What's the Notional Function vs Actual Value?
Notional function: The obvious, measurable role that appears in job descriptions and budget line items.
Actual value: Everything else the thing provides beyond its obvious function.
Exercise: List both for your proposed cut.
Example: Security Training
Notional function: "Teaching people about phishing"
Actual value:
Normalises security conversations
Creates shared vocabulary
Builds institutional memory
Provides legal/regulatory cover
Establishes baseline expectations
Enables reasonable disciplinary action
Reduces incident response costs
Improves threat detection time
Lowers insurance premiums
If your "actual value" list is shorter than three items, you don't understand what you're cutting.
Stop. Research more before proceeding.
Question 2: What Happens If This Fails?
Walk through the failure scenario step by step.
Template:
We cut [COST]. Six months later, [ADVERSE EVENT] occurs because [CAUSAL MECHANISM]. This results in [IMMEDIATE CONSEQUENCES]. Then [SECOND-ORDER EFFECTS]. Total cost: [CALCULATED AMOUNT].
Example: MFA
We cut MFA implementation (saving £50,000). Three months later, an employee's credentials are phished. Without MFA protection, attackers gain full access. They deploy ransomware across our systems. Immediate cost: £180,000 recovery. Second-order effects: £50,000 ICO fine for inadequate security, £30,000 insurance premium increase, £40,000 lost revenue during downtime. Total: £300,000.
If you can't articulate a specific failure scenario, you're not ready to make this decision.
Question 3: What's the Probability?
Use available statistics to estimate likelihood.
UK Breach Statistics (2025):
43% of businesses experienced breaches in past 12 months
85% of breaches involved phishing
Ransomware doubled year-over-year (0.5% to 1%)
Average 30 incidents per business experiencing cyber crime
Medium businesses: 70% breach rate
Large businesses: 74% breach rate
Conservative estimate: 40% annual breach probability for UK businesses.
If your proposed cut increases vulnerability to common attack vectors (phishing, credential theft, ransomware), apply the 40% probability.
If your cut affects advanced threat protection, you might use lower probability (10-20%).
Be honest about which category applies.
Question 4: What's the Expected Cost?
Multiply probability by downside cost.
Formula: Expected Cost = (Probability) × (Downside Cost) × (Unknown Factor)
The "Unknown Factor" accounts for things you haven't anticipated. Use 3x as a conservative estimate.
Example: Security Training Cut
Savings: £15,000 annually
Downside cost (from failure scenario): £230,000
Probability: 40% (phishing is 85% of breach vectors, and training directly addresses this)
Unknown factor: 3x
Expected cost = 0.4 × £230,000 × 3 = £276,000
Expected cost (£276,000) exceeds savings (£15,000) by an 18:1 ratio.
Don't cut this.
Question 5: Who Bears the Risk?
This is the political question that actually drives most decisions.
Who benefits from the cost cut? (Usually: CFO, budget holders, people evaluated on efficiency metrics)
Who bears the risk if it backfires? (Usually: CISO, IT staff, operations teams, customers)
If the people making the decision don't bear the risk of being wrong, expect bad decisions.
This isn't solvable with frameworks. This is organisational politics. But naming it explicitly helps.
Evaluation Matrix
Use this matrix to score proposed cuts on a 1-5 scale:
Downside Clarity: How well do we understand what could go wrong?
1 = Complete uncertainty
5 = Specific, documented failure modes
Downside Cost: How expensive is failure?
1 = Minor inconvenience
5 = Existential threat to business
Probability: How likely is failure?
1 = Rare, requires sophisticated attacker
5 = Common, targets of opportunity
Alternative Options: Do cheaper alternatives exist?
1 = No alternatives available
5 = Multiple cheaper options
Reversibility: Can we reverse this decision quickly?
1 = Permanent or very expensive to reverse
5 = Easily reversible
Score interpretation (multiply the two 1-5 scores for Downside Cost and Probability, not the percentages from Question 3):
If (Downside Cost × Probability) > 15: Don't cut this
If (Downside Cost × Probability) < 5: Relatively safe cut
Between 5 and 15: Requires detailed analysis
Specific Evaluations
Let's work through the five common cuts from the doorman fallacy framework.
Security Training
Notional function: Teaching about phishing
Actual value: 8+ additional functions (see above)
Failure scenario: Breach via phishing, £230,000 cost
Probability: 40% (phishing is 85% of breaches)
Expected cost: £276,000
Savings: £15,000
Matrix scores:
Downside Clarity: 5 (well-documented)
Downside Cost: 4 (significant but not existential)
Probability: 5 (phishing is dominant vector)
Alternative Options: 3 (can do cheaper training, but quality matters)
Reversibility: 4 (can restart training relatively easily)
Recommendation: Don't cut training. If forced to reduce costs, move to quarterly instead of monthly, but maintain some cadence.
MFA Implementation
Notional function: Adding an authentication step
Actual value: 7+ protective functions
Failure scenario: Credential theft → ransomware, £300,000 cost
Probability: 40% overall breach rate
Expected cost: £360,000
Savings: £50,000
Matrix scores:
Downside Clarity: 5 (British Library documented this)
Downside Cost: 5 (potentially existential)
Probability: 4 (credentials are primary attack vector)
Alternative Options: 2 (some cheaper MFA exists, but integration matters)
Reversibility: 1 (very expensive to implement post-breach)
Recommendation: Don't defer MFA. This is non-negotiable baseline security. Find budget elsewhere.
Cyber Insurance
Notional function: Paying out when breached
Actual value: 9+ services and protections
Failure scenario: Breach without coverage, £75,000 uncovered costs
Probability: 43% (overall breach rate)
Expected cost: £96,750
Savings: £8,000 annually
Matrix scores:
Downside Clarity: 4 (well-understood but complex)
Downside Cost: 4 (significant financial exposure)
Probability: 5 (43% breach rate)
Alternative Options: 1 (insurance is unique product)
Reversibility: 2 (difficult to get post-breach, premiums triple)
Recommendation: Don't cancel insurance. If budget-constrained, increase deductible to lower premiums, but maintain coverage.
IT Staff ("Dave")
Notional function: Password resets, backups
Actual value: 10+ institutional knowledge functions
Failure scenario: Loss of institutional knowledge, £130,000 first year + £80,000 annually
Probability: 100% (this is certain, not probabilistic)
Expected cost: £130,000+ (guaranteed, so no unknown factor is applied)
Savings: £33,000 annually
Matrix scores:
Downside Clarity: 3 (hard to quantify institutional knowledge)
Downside Cost: 4 (significant ongoing costs)
Probability: 5 (certain to occur)
Alternative Options: 2 (MSPs exist but don't have institutional knowledge)
Reversibility: 1 (institutional knowledge is permanently lost)
Recommendation: Don't replace Dave. If forced to reduce costs, reduce other IT spending, upgrade cycles, etc. Institutional knowledge is irreplaceable.
Vendor Relationships
Notional function: System maintenance per SLA
Actual value: 8+ relationship and context functions
Failure scenario: Loss of context, £35,600 net cost
Probability: 80% (relationship degradation is highly probable)
Expected cost: £85,440
Savings: £14,400 annually
Matrix scores:
Downside Clarity: 3 (relationship value is hard to quantify)
Downside Cost: 3 (moderate ongoing impact)
Probability: 4 (relationship degradation is common)
Alternative Options: 4 (multiple vendors available)
Reversibility: 2 (relationship damage is hard to repair)
Recommendation: Don't switch purely on price. If forced to switch, ensure comprehensive handover period, document tribal knowledge, maintain relationship with exiting vendor during transition.
The "Don't Cut" List
Based on this analysis, here's what UK SMBs should never cut:
Never cut:
MFA on administrator accounts
MFA on remote access
Endpoint protection on all devices
Backup systems (including offline copies)
Core IT staff with institutional knowledge
Cut very carefully:
6. Security training (reduce frequency, not eliminate)
7. Cyber insurance (increase deductible, maintain coverage)
8. Vulnerability scanning (reduce frequency, not eliminate)
9. Vendor relationships (ensure proper transition)
10. Incident response planning (delay updates, not eliminate)
Relatively safe cuts:
11. Optional certifications beyond Cyber Essentials
12. Advanced threat intelligence subscriptions
13. Redundant monitoring tools
14. Cosmetic security improvements
15. Non-essential security conferences/training
When You Must Cut Costs
If you're genuinely budget-constrained and must reduce security spending:
Option 1: Reduce frequency, not capability
Monthly training → Quarterly training
Weekly vulnerability scans → Monthly scans
Annual penetration tests → Biennial tests
Option 2: Choose simpler implementations
Enterprise MFA solution → Basic MFA solution (a basic second factor still stops the password-only scenario from Question 2; no MFA does not)
Full-featured SIEM → Basic log monitoring
Managed detection → Self-managed tools (only if someone is actually rostered to watch the alerts)
Option 3: Defer nice-to-haves
Advanced certifications → Basic Cyber Essentials only
Sophisticated tools → Basic implementations
Proactive improvements → Reactive only
Option 4: Find non-security cuts
Delay hardware refreshes
Reduce travel budgets
Defer office improvements
Cut discretionary spending
The Business Case
When defending security spending against cuts:
Frame it as insurance, not cost. "This isn't spending, it's insurance against £200,000+ breach costs."
Use specific probabilities. "43% of UK businesses were breached last year. That's not paranoia, that's statistics."
Cite comparable cases. "The British Library's own incident review names the absence of MFA on a remote access server as a contributing factor. Recovery has cost them around £7 million. We're considering the same decision."
Calculate expected costs explicitly. "Expected cost is probability times downside. 40% chance of £200,000 breach = £80,000 expected cost. We're proposing £15,000 to prevent this."
Shift risk assessment. "If we're wrong about cutting this, what's the cost? If we're wrong about keeping it, what's the cost? Asymmetry favours keeping it."
Red Flags
If you hear these phrases in budget discussions, push back hard:
"We haven't been breached, so clearly we don't need this." Response: "43% of UK businesses were breached last year. Survivor bias isn't strategy."
"Security is too expensive." Response: "Breaches are more expensive. The survey's £3,550 average is dragged down by the many businesses that suffered only minor incidents; our own failure scenario puts a serious phishing-led breach at £230,000. At a 40% annual probability that is £92,000 of expected cost before any unknown factor, against £15,000 of spend."
"This is just paranoia." Response: "The British Library's remote access had no MFA. £7 million later, their incident review lists it as a contributing factor."
"We can implement this later if we need it." Response: "By the time you know you need it, you've already been breached. Prevention must precede need."
"Our industry is different." Response: "Phishing works identically across industries. Credentials are credentials. Ransomware doesn't care about your sector."
Decision Template
Use this template for any security cost cut:
PROPOSED CUT: [Specific item and amount]
NOTIONAL FUNCTION: [What it obviously does]
ACTUAL VALUE: [Everything else it provides]
1. ...
2. ...
3. ...
FAILURE SCENARIO: [Specific narrative of what goes wrong]
DOWNSIDE COST: [Calculated cost of failure scenario]
PROBABILITY: [Evidence-based estimate]
EXPECTED COST: [Probability × Downside × 3]
SAVINGS: [Annual cost of current approach]
RATIO: [Expected cost ÷ Savings]
MATRIX SCORES:
- Downside Clarity: [1-5]
- Downside Cost: [1-5]
- Probability: [1-5]
- Alternative Options: [1-5]
- Reversibility: [1-5]
RECOMMENDATION: [Cut / Don't Cut / Modify]
JUSTIFICATION: [Specific reasoning based on above]
Work through this template systematically. If expected cost exceeds savings, don't cut.
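The following is an added worked example of the framework above (Questions 3 and 4, the evaluation matrix and this template), not a spreadsheet or tool from the original page. It encodes the page's thresholds (the 3x unknown factor, the 5/15 matrix cut-offs, "expected cost exceeds savings means don't cut") and runs them over the page's five worked evaluations plus one constructed case for a relatively safe cut. The short `actual_value` lists are abbreviated illustrations of the page's longer lists, and the threat-intelligence figures are assumptions chosen from the 10-20% probability band the page suggests for advanced-threat protection.

```python
"""Worked example of the page's decision template: five-question scoring plus the
1-5 matrix. Added illustration, not the author's own tooling; figures for the five
page cases are the page's, the last case is constructed."""
from dataclasses import dataclass, field

UNKNOWN_FACTOR = 3.0  # the page's conservative multiplier for costs nobody anticipated


@dataclass
class ProposedCut:
    name: str
    savings: float           # annual saving from the cut (GBP)
    downside_cost: float     # cost of the Question 2 failure scenario (GBP)
    probability: float       # annual probability of that scenario, 0.0-1.0
    matrix: dict             # 1-5 scores: clarity, cost, probability, alternatives, reversibility
    actual_value: list = field(default_factory=list)  # Question 1: value beyond the notional function
    unknown_factor: float = UNKNOWN_FACTOR  # 1.0 where the loss is certain, as the page does for "Dave"


def expected_cost(cut):
    """Question 4: Expected Cost = Probability x Downside Cost x Unknown Factor."""
    return round(cut.probability * cut.downside_cost * cut.unknown_factor, 2)


def cost_ratio(cut):
    """Expected cost divided by savings; above 1.0 the cut loses money in expectation."""
    return round(expected_cost(cut) / cut.savings, 2)


def matrix_verdict(cut):
    """Downside Cost score x Probability score against the page's 5/15 thresholds."""
    product = cut.matrix["cost"] * cut.matrix["probability"]
    if product > 15:
        return product, "Don't cut"
    if product < 5:
        return product, "Relatively safe cut"
    return product, "Requires detailed analysis"


def evaluate(cut):
    """Apply the checks in the page's order and return a decision record."""
    if len(cut.actual_value) < 3:  # the page's "stop and research" rule
        return {"name": cut.name, "recommendation": "Stop: research the actual value before deciding"}
    product, verdict = matrix_verdict(cut)
    ratio = cost_ratio(cut)
    if ratio > 1.0 or verdict == "Don't cut":
        recommendation = "Don't cut"
    elif verdict == "Relatively safe cut":
        recommendation = "Cut"
    else:
        recommendation = "Modify: needs detailed analysis"
    return {"name": cut.name, "expected_cost": expected_cost(cut), "ratio": ratio,
            "matrix_product": product, "matrix_verdict": verdict, "recommendation": recommendation}


# The page's five worked evaluations (actual_value lists abbreviated for illustration).
PAGE_CASES = [
    ProposedCut("Security training", 15_000, 230_000, 0.40,
                {"clarity": 5, "cost": 4, "probability": 5, "alternatives": 3, "reversibility": 4},
                ["normalises security conversations", "shared vocabulary", "regulatory cover"]),
    ProposedCut("MFA implementation", 50_000, 300_000, 0.40,
                {"clarity": 5, "cost": 5, "probability": 4, "alternatives": 2, "reversibility": 1},
                ["phished password alone no longer logs in", "limits ransomware spread", "insurer expectation"]),
    ProposedCut("Cyber insurance", 8_000, 75_000, 0.43,
                {"clarity": 4, "cost": 4, "probability": 5, "alternatives": 1, "reversibility": 2},
                ["incident response support", "legal support", "breach cost cover"]),
    ProposedCut("IT staff (Dave)", 33_000, 130_000, 1.0,
                {"clarity": 3, "cost": 4, "probability": 5, "alternatives": 2, "reversibility": 1},
                ["knows the undocumented systems", "vendor history", "has actually restored a backup"],
                unknown_factor=1.0),  # certain loss: the page applies no multiplier here
    ProposedCut("Vendor relationship", 14_400, 35_600, 0.80,
                {"clarity": 3, "cost": 3, "probability": 4, "alternatives": 4, "reversibility": 2},
                ["context on past incidents", "out-of-hours goodwill", "knows the integrations"]),
]

# Constructed figures (assumption, not from the page) for a cut the page lists as relatively safe.
THREAT_INTEL_CUT = ProposedCut(
    "Advanced threat intelligence subscription", 6_000, 15_000, 0.10,
    {"clarity": 2, "cost": 2, "probability": 2, "alternatives": 4, "reversibility": 5},
    ["earlier warning of campaigns", "indicator feed for log monitoring", "vendor briefings"])


def evaluate_all(cuts=None):
    return [evaluate(c) for c in (cuts if cuts is not None else PAGE_CASES + [THREAT_INTEL_CUT])]


if __name__ == "__main__":
    for row in evaluate_all():
        print(row)
```

Note that the vendor case lands in the matrix's "detailed analysis" band (3 × 4 = 12) but is still a "Don't cut" because its expected cost is almost six times the saving; the ratio rule from this template overrides the matrix, which is the ordering the page itself uses.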
Final Reality Check
The businesses that cut security costs to "improve efficiency" will spend the next 12-18 months learning expensive lessons about invisible value.
Don't be one of them.
Use these frameworks. Calculate actual risks. Understand what you're cutting. Question narrow definitions of function. Assess invisible value explicitly.
The doorman does more than open doors.
And your security spending does more than its obvious function.
Calculate properly before cutting. Your business survival depends on it.
This case study is based on a real incident involving a Manchester-based SME. Names, identifying details, and exact business specifics have been changed to protect client confidentiality. Costs, timeline, and lessons are factually accurate as documented in post-incident review.
| Source | Article |
|---|---|
| Gov.UK | Cyber Security Breaches Survey 2025 |
| British Library | Learning Lessons from the Cyber-Attack: Cyber Incident Review |
| IBM Security | Cost of a Data Breach Report 2025 UK Findings |
| NCSC | Cyber Essentials Scheme Requirements |