• A Forrester Consulting survey of U.S. government cybersecurity leaders found that limited resources are leading to higher security risks.
• Agencies are recommended to leverage AI and automation to help close the gap and allow leaner teams to focus on the more complex threats.
• To stay resilient, even under pressure, agencies will need to consolidate their security tools and prioritize high-risk areas.

In December 2025, Carahsoft and Broadcom commissioned Forrester Consulting to survey 212 U.S. Government cybersecurity decision makers about the state of public sector security operations following the budget and headcount reductions of early 2025. 

What they found was a sector under sustained pressure, actively searching for smarter, more resilient ways forward. The findings provide a candid, realistic assessment of where agencies stand today and the steps needed for them to strengthen their cybersecurity posture in an era of constrained resources.

The budget crunch in government cybersecurity 

Budget instability remains widespread, with 38% of agency budgets still classified as mostly or completely fiscally unstable, according to the Forrester study. About one in five agencies reported no change since the initial cuts were enacted. The result is a cybersecurity landscape where teams are being asked to protect increasingly complex digital environments with fewer people, fewer tools and less financial runway than they had a year ago. 

Over half of the respondents reported that budget constraints have moderately or significantly impacted their ability to maintain core security operations. Perhaps most telling, just 38% of cybersecurity leaders expressed confidence in their agency’s security posture following headcount reductions.

The study found that the areas most exposed under current resource limitations are network security, data protection and incident response. Roughly a third of respondents also flagged concerns around endpoint security, visibility, analytics and compliance. For agencies already navigating a complex threat  and regulatory environment, these vulnerabilities represent more than operational friction—they signal genuine risk to mission-critical systems and the sensitive data agencies are entrusted to protect. 

As leadership teams map out  investments for the year ahead, two priorities rise to the top: strengthening critical infrastructure against bad actors and integrating AI and cybersecurity capabilities.  

When resources shrink but risks don’t

Understanding today’s risk landscape is the first step toward addressing it effectively. According to the findings, 86% of respondents anticipate an increase in potential compromises or breaches in the coming year due to the recent staffing and funding reductions. More than a quarter expect breach numbers to climb by 1–10%, while over 20% anticipate increases of 31% or more. 

For agencies responsible for protecting sensitive government data and public-facing services, this trajectory demands immediate strategic attention. The link between reduced resources and elevated risk is already showing up across teams, where fewer personnel are creating measurable gaps in detection, response, and remediation.

And the data just reinforces the trend. Roughly 6 out of 10 respondents report that security incidents overall have increased in frequency. Meanwhile 65% say their mean time to remediate (MTTR) has been negatively affected. Over half say their ability to secure technology and architecture delivery has also suffered. 

Taken together, these signals point to a compounding effect where each unaddressed gap creates the conditions for the next. Agencies that fail to prioritize their highest-risk exposure areas may  face growing difficulty to maintain the compliance posture and operational resilience their missions demand.

How AI and automation help lean teams stay ahead 

Amid these challenges, a clear opportunity emerges. Agencies are increasingly recognizing that AI and automation can help maintain security effectiveness when human capacity is stretched thin. In fact, 72% of respondents said they are open to adopting automation tools to enhance cybersecurity resilience. The top priority areas include incident response, network security, compliance and data protection—the same domains where resource gaps are most prevalent.

Forrester’s recommendations align with this shift. Using AI to automate tasks like network traffic analysis, policy validation, and alert triage allows teams to focus on higher-confidence threats. These can include data exfiltration and lateral movement, rather than being consumed by manual tasks. When applied effectively, AI can even help offset staffing shortfalls, reduce analyst burnout and preserve (or even improve) mean time to investigate (MTTI) or mean time to remediate (MTTR) metrics.

Agencies that invest in AI-driven security tools today aren’t simply responding to a short-term resource problem. They're building a more adaptive, scalable security model that can sustain performance even as uncertainty continues.

Strategic consolidation carves a path forward

The data all points toward a clear strategy: working smarter, not just harder, with the resources available.

When it comes to investment priorities, respondents are concentrating limited resources where they can to have the greatest impact: threat detection, incident response, network infrastructure modernization, and process automation. 

Forrester recommends that agencies rationalize their security stacks, eliminating overlapping capabilities and reducing tool sprawl. 

Unified platform solutions can simplify operations while improving visibility and response. 

Critically, agencies should plan for sustained lean operations rather than assume a return to pre-2025 staffing or budget levels. Redesigning operating models around automation, risk prioritization, and efficiency will be the defining factor for long-term resilience.

Where agencies go from here

The findings from this Forrester study make one thing clear: the agencies that emerge strongest from this period of constraint will be those that treat resource limitations as a catalyst for smarter, intentional security strategy. The end goal should be a leaner, more resilient security posture—one that holds up under pressure today and in the years ahead.

Download the full Forrester study, Smarter Security for Leaner Budgets and Teams and register for the upcoming webinar for an in-depth look at the findings with our cybersecurity and government experts. 

Let’s explore the path forward, together. 

A commissioned study conducted by Forrester Consulting on behalf of Carahsoft and Broadcom, March 2026.