Financial pressure is forcing cybersecurity leaders to rethink oversized security stacks, shifting the conversation from technical coverage to governance, ROI, and capital allocation.
Adrian Salas, CISO at ShiftKey, argues that security investment must start by clearly defining the problem and auditing existing people, processes, and tools.
By treating the business as the customer and prioritizing measurable outcomes over perfect coverage, Salas outlines a disciplined framework for consolidating tools, managing agentic AI, and maximizing impact with limited resources.
Financial pressure is forcing a strategic pivot in cybersecurity. Leaders are moving past tool sprawl as boards mandate a hard look at the ROI of oversized, tool-laden security stacks. The shift is reframing security, moving it from a purely technical function toward a C-suite level conversation about governance and capital allocation. Success in this new environment depends less on accumulating tools and more on adopting a disciplined, outcome-driven framework rooted in one simple principle: first, define the problem.
Adrian Salas is the Chief Information Security Officer at the healthcare staffing platform ShiftKey. With over 20 years of experience leading global security teams and managing budgets exceeding $50M, Salas built his career on scaling security programs on accelerated timelines. As Salas navigates this new terrain, he adopts a finance-first mindset. "I believe everything has to do with the financial aspect," he says. "The board is looking at how to stop burning money and start strategically allocating money where it really matters, instead of just tossing money at problems."
Pillars of prioritization: Before any new investment, Salas advises leaders to first conduct a rigorous audit of their existing capabilities across three pillars: people, process, and technology. This analysis acts as a powerful check on reactive spending by forcing an educated decision based on a simple metric of utilization. "Before any decision is made, we have to evaluate whether a tool is serving 80% of its capacity," he says. "Too often, we see layoffs happen because that analysis wasn't done first. I'm a true believer that we shouldn't invest until we understand the exact problem we are trying to solve."
The business is the customer: This analytical framework advocates for a new mindset where the security function evolves into a proactive partner, defining the business itself as its primary customer. Salas believes reorienting the department this way provides the guidance for all subsequent decisions. "The first thing I do is understand who I am serving. The security business unit exists to help the company achieve its revenue goals. The moment you understand what the business is looking for, you can support them. The business has its own customers, but the business is our customer."
Once a clear business objective is set, the focus naturally shifts to proving security initiatives are creating value. To do this, Salas recommends implementing standard business metrics to make the security program’s performance transparent and defensible. "I'm a true believer in KPIs and OKRs because they must map directly to the business," he says. "The moment we start measuring, we can see month-over-month improvement. Those metrics tell us not only if we are improving, but when we need to switch strategy. Instead of waiting a year for results, we can see the data and pivot quickly."
Maximum impact, minimum fuss: Salas believes the pursuit of 100% coverage is a strategic error that leads to the tool sprawl and confusion many leaders are now trying to escape. His philosophy redirects the goal toward achieving maximum impact with minimum effort. "If you start boiling the ocean and adding a bunch of tools, that's what creates a problem," he says. "It doesn't make sense to get a second tool just for an extra 20% of coverage when one tool gets you 80% of the way there. You have to compromise and accept that nothing is perfect. In security, if you are trying to get to 100%, that is a problem."
Manage the machine: The real test for this framework is applying it to the promises of agentic AI. Salas demystifies it by treating it as another manageable process, one that must answer to the principles of financial discipline. "We can set up KPIs for the agentic AI and make it responsible for keeping accountability of the outcome and how it utilizes its resources. For example, if an agentic AI is purchasing things for our operations, its guardrails are the budget itself. It would be given a total budget and a maximum cost per item."
Ultimately, Salas’ message is a call for pragmatism. It’s a disciplined approach that cuts through vendor hype to maintain a sharp focus on tangible value. The lesson is clear: tie security decisions back to the business, not just to survive budget cuts, but to become a strategic driver of growth and resilience. "We must solve the most critical problems with the least effort. Too often, people put resources into something that isn't worth it. Putting time and money where it truly matters is the best way to run a security program," he concludes.
