Stressor No. 10: I Have a Major Incident, but My Security Budget Is Maxed Out
There are three ways to alleviate this stress.

First, eparate incident response costs from core security spending during the budgeting process.

An incident should not have to make you choose between core services and handling a critical incident.

Core services should remain more or less fixed, while an incident budget should be treated as a rainy day fund and have flexibility should an incident occur.
Second, work flexibility into your supplier contracts.
If your budget is truly fixed, then you will have to move around dollars with existing suppliers. Make sure you have the contractual flexibility to delay projects, remove project scope and scale down services. Many suppliers say they scale, but usually they only mean upward, so make sure you can remove services and scale downward as well.

Third, add cyber-insurance coverage.

A proper cyber-insurance policy will allow for incident response and forensics services once a deductible is met. — Michael Patterson, vice president of strategy, Rook Security