Ask most security leaders how their last significant budget increase came about, writes Katie Barnett, Director of Cyber Security at the consultancy Toro Solutions, and the honest answer is rarely “we made the case and won it.”
It’s usually “something happened.” A breach, a near-miss, a competitor’s headline, an audit finding that couldn’t be ignored or a new regulation with a deadline attached. Security spend still moves in response to events far more often than it moves in response to argument, and that has quietly shaped how the function operates: always slightly behind the risk, always justifying itself against the last incident rather than the next one.
Why the money still follows the incident
ย There’s a structural reason for this, not just a cultural one. Most other line items in a business have a visible output: new revenue, faster processing, better margins, something a finance team can point to and say “that’s what we bought.” Security’s best outcome is invisible: nothing happened. That’s an almost impossible thing to put in front of a board with confidence, so budget conversations default to the one moment security does produce something visible, the aftermath of an incident, where the cost of not spending suddenly has a number attached to it.
The result is a funding pattern that rewards reaction and quietly punishes foresight. A CISO who successfully prevents a class of incident through investment made two years ago has, from the board’s perspective, very little to show for it. A CISO responding to a live breach gets immediate budget approval for measures that should arguably have been in place already. It’s not that boards are irrational it is that they’re responding to the only signal they’re reliably given.
A business case that doesn’t rely on fear
The instinct, understandably, is to try to fix this by making the fear case better: sharper statistics, scarier scenarios, more vivid what-ifs but this isnโt a long-term solution. Fear-based cases decay fast; the board that approved spend after a competitor’s breach forgets the urgency within a quarter, and the next budget cycle you are back to where you started.
A more durable case ties security spend to things the business already tracks and already values: deal velocity, customer retention, uptime and the ability to enter regulated markets or pass a client’s due diligence process. Framed that way, security isn’t a cost defended on its own terms, it’s an input to numbers that the board is already watching. A due diligence question answered cleanly, a contract closed faster because the security posture didn’t become a blocker, a renewal retained because a client’s audit went smoothly: these are outcomes that your finance team understands without translation.
The other shift that tends to land well is talking about resilience rather than protection. Protection implies nothing happens, which as noted is hard to sell. Resilience implies the business keeps functioning when something does happen, and that’s a much easier thing to demonstrate, through tabletop exercises, recovery time metrics and scenario planning that boards can actually watch play out.
When the budget won’t stretch
Doing more with less is, in practice, mostly a prioritisation exercise, and the instinct to spread limited budget evenly across every risk is usually the wrong one. Thin coverage everywhere tends to leave the same gaps a determined attacker will find regardless of how the spreadsheet looks. Better to be deliberately strong against the handful of scenarios that would actually be existential for the business and accept visible, documented gaps elsewhere, gaps a board has consciously chosen to accept, rather than gaps nobody noticed.
That means being honest about which assets and processes the business genuinely cannot afford to lose and building the case for those specifically, rather than defending a flat percentage increase across the board. It’s a harder conversation to have, because it means naming what you’re choosing not to protect as clearly as what you are but it’s a far more credible position than pretending a fixed budget can cover everything reasonably well.
Value without an incident to point to
The metrics that tend to work best here aren’t the traditional security ones. Time to detect and time to respond matter operationally, but they don’t mean much to a board unless there’s an incident to compare them against. What tends to land better are things like: how early security is now involved in new projects compared with a year ago, how many risks were identified and resolved before they became live issues, how quickly a control gap gets closed once it’s flagged. These show a trend line moving in the right direction without needing a crisis as the reference point.
It also helps to report in the same language finance already uses – cost avoided, time saved, deals unblocked, rather than incident counts and vulnerability totals that mean little outside the security team. The goal isn’t to make security’s work sound simpler than it is instead itโs to make it legible to the people deciding whether it gets funded.
None of this changes the underlying problem quickly. Reactive budgeting is deeply embedded in how most businesses think about risk and one good board presentation won’t undo it. But the security functions making real progress here aren’t the ones with the most alarming statistics. They’re the ones that have learned to speak in the business’s own terms, consistently, long before the next incident forces the conversation anyway.
Photo by Mark Rowe.




