
The result is a budgeting process that is often inconsistent with the ultimate purpose of cybersecurity investment: namely, to reduce risk. Instead, enterprise security managers silently accept whatever they’re allocated, or they distribute resources based on inertia rather than real exposure. I believe, rather, that they should tie their enterprise budgets to quantifiable cyber risk.
Admittedly, this is easier said than done. But this article suggests a practical framework for how risk can become the driver of budgeting decisions. Our experience of working with KPMG clients globally has consistently shown that when budgets are mapped to risks, with measurable business outcomes, organisations achieve greater resilience, better board alignment, and higher returns on their security investments.
Our framework is based on three cybersecurity management principles. The principles provide a basis for a three-step process that will help companies better manage the risks in their budgets.
If a given mapping is unclear, then the spend should be challenged. For example, if an AI security platform is proposed for deployment, but the purpose of the solution is unclear, then our framework would suggest that the investment be delayed until a real threat can be identified.
As should be evident to any cybersecurity practitioner, cyber risk evolves at varying speeds and with varying outcomes. Therefore, budgets must be flexible, adaptive, and continuously updated rather than set in stone once a year. We understand that this is not the typical approach. Managers are often handed rigid year-over-year, carry-over budgets with little room for change.
A properly designed, risk-driven budget should allow all stakeholders to see the link from money spent to risk reduced. The implication, of course, is that the security function understands the risks that apply to the organisation. Transparency will be of little use if the risks are poorly identified or exist in some ad hoc format or representation.
To put these principles into practice, CISOs will need to consider moving away from line-item categories like endpoint or network security and toward categories such as “ransomware disruption risk” or “third-party access exposure.” This change represents a fundamental reorientation that would force every budget item to be justified based on risk reduction. Let’s see how this would work in practice.
Our framework should be guided by the following core management steps:
1. Identify top risks: Everything starts with risk identification and quantification. You may choose to build your profile from the organisation’s risk register, or there might be a preferred quantification process or methodology. It is likely that for many enterprises, ransomware, insider misuse, third-party dependencies, and emerging categories like AI misuse will bubble up as the greatest risks.
2. Map current spend: Every existing budget line included in the current spending plan should be mapped or recast in the context of one of these risk categories. Inevitably, you will find mismatches. That is, large allocations might emerge that are supporting risks that are no longer material, and gaps might emerge where critical risks lack adequate investment.
3. Resolve gaps and coordinate with Procurement: This is the clean-up step, where each gap is resolved - either through proposed changes to vendor spend or through changes to the staffing plan. The goal is to rebalance the portfolio. This will demand working with procurement, because purchase plans are typically driven by vendors, not by risk. So, coordination will be required to map the risk-based plan to an actual purchasing plan for vendors.
This approach requires some discipline and collaboration, because it introduces the new step of mapping budget to risk rather than the easier (but less effective) approach of buying into the usual categories, like endpoint, SIEM, MFA, and so on. We recommend this process, because it allows security budgets to function more like investment portfolios, which are constantly rebalanced based on where the greatest exposures exist.
Despite the fact that different teams will have different means for identifying risk, we strongly expect that cyber risk quantification (CRQ) will ultimately be required. Frameworks such as FAIR (factor analysis of information risk) and other quantitative methods might also offer the ability to assign financial values to risks. Useful metrics include risk reduction per dollar spent and a residual risk index, which will allow the CISO to demonstrate efficiency and effectiveness of spend.
These types of tools should also help to shift the narrative with senior leadership. Instead of making claims such as “we need another $2 million for monitoring,” the improved discussion would become something more like “for $2 million we will reduce expected annualised loss from ransomware by $10 million.” That is a language business leaders understand, and it reinvents how security investments are proposed, justified, and approved.
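As an added illustration (not code from this article or the KPMG/TAG report), the three steps above and the two metrics just named, modelled in Python on constructed figures. The loss figures, the per-line ALE-reduction estimates and the residual risk index formula (residual ALE divided by inherent ALE) are assumptions, since the article does not define them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    ale: float  # inherent annualised loss expectancy (constructed figure)

@dataclass(frozen=True)
class BudgetLine:
    item: str
    cost: float
    risk: str             # risk category the line is recast under (step 2)
    ale_reduction: float  # ALE the control is expected to avoid (assumed CRQ estimate)

# Step 1: top risks from the register, with constructed CRQ loss figures.
RISKS = [Risk("ransomware disruption", 12_000_000), Risk("third-party access exposure", 4_000_000),
         Risk("insider misuse", 2_000_000), Risk("AI misuse", 1_500_000)]

# Current spend plan, constructed. The proxy renewal sits under a category no longer in the register.
LINES = [BudgetLine("24x7 monitoring / MDR", 2_000_000, "ransomware disruption", 6_000_000),
         BudgetLine("immutable backups", 500_000, "ransomware disruption", 4_000_000),
         BudgetLine("vendor access review tooling", 300_000, "third-party access exposure", 1_000_000),
         BudgetLine("legacy web proxy renewal", 900_000, "perimeter", 100_000)]

def map_spend(risks, lines):
    """Step 2: group budget lines under register risks; return (mapped, unmapped)."""
    mapped = {r.name: [] for r in risks}
    unmapped = []
    for ln in lines:
        if ln.risk in mapped:
            mapped[ln.risk].append(ln)
        else:
            unmapped.append(ln)  # spend that no longer maps to a material risk
    return mapped, unmapped

def reduction_per_dollar(line):
    """Metric named in the article: expected ALE avoided per dollar of spend."""
    return line.ale_reduction / line.cost

def residual_risk_index(risks, mapped):
    """Assumed definition: residual ALE / inherent ALE across the portfolio (0 = fully mitigated)."""
    inherent = sum(r.ale for r in risks)
    residual = sum(max(r.ale - sum(l.ale_reduction for l in mapped[r.name]), 0.0) for r in risks)
    return residual / inherent

def find_gaps(risks, mapped, min_coverage=0.5):
    """Step 3 input: risks whose mapped spend covers less than min_coverage of their ALE."""
    return [r.name for r in risks
            if sum(l.ale_reduction for l in mapped[r.name]) < min_coverage * r.ale]

def rank_lines(lines):
    """Order spend lines from most to least efficient, to guide rebalancing."""
    return sorted(((ln.item, reduction_per_dollar(ln)) for ln in lines), key=lambda t: -t[1])
```

Running `map_spend`, `find_gaps` and `residual_risk_index` over the constructed plan flags the proxy renewal as unmapped, lists the three under-funded risks, and gives a portfolio index of about 0.44.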
We understand that this approach is not without obstacles. Organisations often resist moving away from legacy spend, and legacy vendor relationships can distort priorities. Risk modelling also requires asking questions and collecting data that organisations are not used to answering or providing, such as “if we experience a ransomware attack, how long are critical services likely to be unavailable?” Finally, this process requires collaboration across security, finance, and enterprise risk functions - a cultural shift that some enterprises find challenging.
We strongly recommend that every CISO consider a risk alignment audit of their current budget. They should ask which budget allocations map to which risks, establishing a joint working group with finance and enterprise risk managers to do so. Finally, CISOs should consider presenting budgets in risk-justified terms. Done well, this transition creates budgets that adapt to threats, speak the language of management, and deliver reductions in enterprise risk.
This article is part of the Re-inventing Cyber Budgeting publication. It's a joint publication by KPMG and TAG Infosphere, written for CISOs, risk leaders and executives who are being asked to do more – with less – and need a better way to explain, justify and defend cyber investment decisions. Read the full report here.


