With the threat of recession looming, chief information security officers (CISOs) will increasingly see cybersecurity budgets constrained. So how can companies focus their limited cybersecurity investments on the controls that matter most? This article breaks cybersecurity investments into three categories: 1) controls that defend against threats in a particularly impactful way, 2) measures that validate that these controls are operating as intended and 3) capabilities that automate (1) and (2). All three of these categories will be important to consider moving forward, as business profile, attack surface complexity, and related threats change. This article discusses the elements of a good cybersecurity program, resources you can use, and how to determine the controls that will matter most for your own company.