Why Security Budgets Miss the Mark: The Case for Risk-Aligned Investment

By Ali Zeb  ·  October 2024  ·  8 min read

A security budget is a governance instrument. It represents the board's decision about how much risk the organisation is willing to carry, expressed in the resources it allocates to managing that risk. Most security budgets are not built that way. They are built by adding a percentage to last year's approved figure, incorporating the cost of any new tools the security team has identified, and defending the result in a CFO conversation that is fundamentally about cost containment rather than risk management. The output is a budget that bears no clear relationship to the organisation's actual risk profile, and a board that has no real basis for evaluating whether what it has approved is adequate, excessive, or irrelevant to the risks that matter most.

This is not a new problem. It has persisted for the entire period that cyber security has been a boardroom topic, roughly twenty years. The persistence is partly structural: cyber risk is genuinely difficult to quantify in the financial terms that make investment decisions tractable. But it is also partly a failure of the conversation between security functions and boards: a failure to establish the framework that would allow investment decisions to be made on the basis of risk rather than on the basis of precedent, peer benchmarking, and organisational comfort.

The consequence of this failure is not simply that security budgets are sometimes too low. It is that they are frequently misallocated: too much in areas that feel important, not enough in areas where the actual risk lives, and structured around the security function's internal priorities rather than the organisation's strategic risk profile. Correcting this requires a different kind of conversation, one that most boards and most CISOs have not yet had.

Why the current approach fails

The current approach to security budgeting fails for three reasons that are structural rather than incidental.

Budgets are built on history, not risk. Last year's budget, adjusted for inflation and any significant incidents, is the default starting point for most security budget conversations. This approach has an intuitive logic: what we spent last year roughly covered us, so roughly the same plus growth should be sufficient this year. The problem is that an organisation's risk profile is not static. Its digital footprint changes as it grows, acquires, or transforms. Its threat landscape changes as its sector attracts different adversary attention. Its regulatory obligations change as new frameworks come into force. A budget built on last year's spend will systematically lag these changes, sometimes by years.

Benchmarking peers creates a floor, not a strategy. Many security budget proposals are supported by peer benchmarking data: we spend X% of revenue on security, compared to a sector average of Y%. This is useful for framing conversations but useless as a basis for investment decisions. Peer organisations have different risk profiles, different technology environments, different regulatory obligations, and different security maturity levels. Spending what competitors spend tells you nothing about whether you are spending it on the right things.

Investment follows the security function's priorities, not the business's risks. The security function is inevitably shaped by its own perspective on what matters. It will prioritise the risks it can see, the tools its team is trained to use, and the areas where it has experienced recent pressure. This is not irresponsibility; it is a natural consequence of how organisations work. But it means that security budgets systematically underweight risks that are visible from the strategic level but not from the security function's operational view: supply chain risk, regulatory risk, and the specific risks that attach to the organisation's particular business model and customer relationships.

"A security budget that cannot be traced to specific risks the organisation has decided it is willing to manage is not a governance instrument. It is an operational expense line."

Ali Zeb

Building a risk-aligned security investment framework

A risk-aligned security budget starts from a different place. Instead of asking "what did we spend last year and what do we need to add?", it asks "what are our most material security risks, what would it cost to manage them to an acceptable level, and what is the right trade-off between investment and residual risk?" This is a harder question to answer. It is also the right one.

Start with the risk, not the programme. A proper security investment framework begins with an honest assessment of the organisation's material risk exposures: the scenarios that, if they occurred, would cause the most significant harm to the business, its customers, and its regulatory standing. These scenarios should be specific, plausible, and connected to the organisation's actual operating environment, not generic industry threats. The investment case should then be built around the controls, capabilities, and capacity needed to reduce the likelihood or impact of those specific scenarios to within the board's defined risk appetite.

Distinguish between necessary and discretionary investment. Not all security spending is equivalent in its relationship to risk. Some investment maintains the baseline, the controls that must function to meet regulatory obligations and prevent the most likely attacks. Some investment reduces material risk below the current baseline. Some investment is desirable but not risk-critical. A board that can distinguish between these categories, and that requires the CISO to present the budget in these terms, is making a governance decision. A board that approves a single security budget line is not.

Connect investment to risk appetite explicitly. The board's approved risk appetite for cyber should directly inform the security budget. If the organisation has defined a low tolerance for significant data breaches, that tolerance must be funded: the controls, monitoring, and response capability required to make a major breach materially less likely than it would be without those investments. When risk appetite and security investment are not explicitly connected, the risk appetite statement is aspirational rather than governing.

Build in a review mechanism, not just an annual cycle. The annual budget cycle is poorly suited to the dynamic nature of cyber risk. An organisation that acquires a business, moves to a new cloud environment, or becomes subject to a new regulatory obligation in month four of the financial year has a materially different risk profile than it did at budget approval. A risk-aligned security investment framework includes a mechanism for in-year review and reallocation, not just annual approval.

What boards should be asking

The board's role in security investment is not to approve a number. It is to ensure that the number has been derived rationally, that it reflects the organisation's actual risk profile, that it is structured around the risks that matter most, and that the trade-offs between investment and residual risk are explicit and understood.

Three questions make this concrete. First: what are the three most material cyber risks we face, and can we trace a direct line from this budget to the controls designed to manage them? Second: what risk would we be carrying if we approved a budget ten percent lower, and is that a risk we have consciously decided to accept? Third: how will we know, at the end of the year, whether this investment delivered the risk reduction it was designed to achieve?

A CISO who cannot answer these questions has not built a risk-aligned investment case. A board that does not ask them has not discharged its governance responsibility for security investment. Both conditions are common. Neither is satisfactory given the regulatory environment and the risk landscape that organisations are now operating in.

Ali Zeb is an Executive Cyber Security Advisor, Non-Executive Director, and former advisory member at the FCA, NCSC, and Lloyd's of London Market Cyber Risk Committee. He advises boards and CISOs on security investment strategy, risk appetite frameworks, and the governance of cyber risk at the highest level.

Disclaimer

The views and opinions expressed in these articles are those of the author, Ali Zeb, and are provided for general informational and educational purposes only. They are based on professional experience, independent research, publicly available information, and the use of artificial intelligence tools to support analysis and content development.

While every effort is made to ensure the accuracy and relevance of the information presented, no representation or warranty, express or implied, is made as to its completeness, accuracy, or suitability for any particular purpose. The content should not be relied upon as professional, legal, regulatory, or financial advice.

Readers are encouraged to seek appropriate independent advice specific to their organisation and circumstances before making any decisions based on the information contained in these articles.

To the fullest extent permitted by law, the author accepts no liability for any loss, damage, or consequences arising directly or indirectly from the use of, or reliance on, the information provided.
