CISOs Speak the Language of Money to Secure Funding

Summary
– Cybersecurity budgets are growing overall but at a slowing rate, with tech and insurance sectors seeing around 5% annual increases while healthcare and retail face stagnation or declines.
– Organizations are shifting funds toward CTO and CFO budgets, particularly for AI initiatives, as improved cybersecurity education helps them better assess threats and investment returns.
– Third-party risk management spending is being reduced as companies question the ROI of compliance-only assessments, leading some to consolidate providers or accept integration risks.
– CISOs must quantify cybersecurity risks in financial terms using tools like loss exceedance curves to demonstrate ROI and justify investments to boards by showing reduced potential losses.
– Emerging priorities like AI security and post-quantum cryptography require new budget allocations, though most CISOs have limited discretionary funds and must prioritize based on executive risk interviews and impact analysis.
Modern Chief Information Security Officers are increasingly adopting the language of finance to advocate for their budgets, framing cybersecurity not just as a technical necessity but as a strategic investment that protects the organization’s financial health. This shift is essential as security leaders navigate fluctuating budget landscapes, where overall spending may rise but not always align with the most critical needs.
While cybersecurity budgets are generally growing, the rate of increase has slowed and varies significantly by industry. Sectors like technology and insurance often see year-over-year budget growth around five percent. In contrast, fields facing greater financial pressure, such as healthcare, retail, and professional services, are experiencing much smaller increases or even budget reductions. This divergence is partly due to better organizational awareness of threats and the potential return on investment from security programs, which has led to more funds being allocated directly to CTO and CFO budgets, especially for initiatives involving artificial intelligence.
Third-party risk management represents a notable area where spending is being critically re-evaluated. Despite significant past investments in tools and personnel to review compliance paperwork, many companies continue to suffer financial losses stemming from their service providers. Consequently, leaders are questioning the value of assessments focused solely on compliance. Many are responding by consolidating their number of vendors, while others are making a conscious decision to simply accept the inherent risks that come with third-party integrations.
Since cybersecurity does not generate revenue in a direct way, CISOs must articulate its value in financial terms when presenting to the board. A powerful method involves using a loss exceedance curve, a tool that quantifies risk by modeling potential financial losses. This model illustrates both the most likely and the worst-case scenarios that security investments are designed to mitigate, accounting for direct costs, operational disruptions, and other real-world financial impacts. For example, a major investment in zero trust architecture and AI risk management was recently justified by projecting the specific amount of financial risk the solution would reduce over a three-year period.
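The following Python script is an added illustration of how a loss exceedance curve of this kind is built (not the article's own model or figures): annual incident counts are drawn from a Poisson distribution, per-incident losses from a lognormal, and the total loss over a three-year horizon is simulated so that P(loss >= threshold) can be read off for each threshold. The control's effect (halving incident frequency), the loss parameters and the thresholds are all constructed assumptions.

```python
import math
import random

# Constructed illustrative inputs (not figures from the article): loss thresholds
# the board cares about, in dollars.
THRESHOLDS = [0, 250_000, 1_000_000, 5_000_000, 20_000_000]

def poisson(rng, lam):
    """Knuth's method: number of incidents in one year at mean rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_total_losses(freq, median_loss, sigma, years=3, trials=20_000, seed=7):
    """Monte Carlo total loss over `years`: Poisson incident count per year,
    lognormal loss per incident (median_loss, log-space spread sigma)."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    totals = []
    for _ in range(trials):
        total = 0.0
        for _ in range(years):
            for _ in range(poisson(rng, freq)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals

def exceedance_curve(losses, thresholds=THRESHOLDS):
    """Loss exceedance curve: P(total loss >= t) for each threshold t."""
    n = len(losses)
    return {t: sum(1 for x in losses if x >= t) / n for t in thresholds}

def expected_loss(losses):
    return sum(losses) / len(losses)

def risk_reduction(baseline, mitigated):
    """Expected loss avoided by a control: the figure the ROI case is built on."""
    return expected_loss(baseline) - expected_loss(mitigated)

if __name__ == "__main__":
    # Assumed effect of the control: incident frequency halved, severity unchanged.
    before = simulate_total_losses(freq=2.0, median_loss=250_000, sigma=1.0)
    after = simulate_total_losses(freq=1.0, median_loss=250_000, sigma=1.0)
    print(f"3-year expected loss avoided: ${risk_reduction(before, after):,.0f}")
    for t, p in exceedance_curve(before).items():
        print(f"P(loss >= ${t:>12,}): {p:.2f} -> {exceedance_curve(after)[t]:.2f}")
```

Comparing the two curves shows where the control moves the tail, which is the point a board wants to see alongside the expected-loss reduction.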
Linking the cybersecurity budget to overarching business goals is another critical strategy for securing funding. This requires CISOs to maintain consistent communication with the board to fully understand its priorities. Strong relationships with board members can also provide opportunities for funding outside the standard annual cycle. If a company is pursuing a merger or acquisition, for instance, a CISO can proactively request funds for integration consultants, for backfilling staff lost to turnover, and for auditing tools that accelerate the merging of systems and the identification of undiscovered risks.
Looking ahead, AI security and post-quantum cryptography are emerging as major budget priorities. Fortunately, existing capabilities in areas like data governance, asset management, and security testing can provide a foundation for these new initiatives. However, both areas also present unique challenges that demand specialized solutions and fresh spending, such as tools for managing cryptographic inventories and for detecting and responding to threats targeting large language models.
An ideal approach is for a CISO to dedicate ten percent or more of their budget to emerging risks over a multi-year timeframe. In reality, the average discretionary budget is closer to three percent, and many security leaders, even in large corporations, report feeling under-resourced. There is no universal model for managing this challenge. A practical path forward involves conducting risk interviews with the executive team to clarify the organization’s specific financial exposure, using tools like the loss exceedance curve to communicate risk estimates to the board, and relentlessly focusing investment on the initiatives that will deliver the greatest impact.
(Source: HelpNet Security)