
That tension is now visible across most organisations. Investment in cyber has plateaued, yet the threat landscape continues to expand in frequency, sophistication, and impact. Despite this, many organisations continue to budget in the same way – rolling forward prior spend, adjusting incrementally, and reinforcing existing control environments.
This creates an inherited structure that reflects past decisions more than current exposure. A CISO we worked with described it simply: “We spend weeks building the numbers, then an hour deciding them. Nothing material changes.”
Several structural pressures sit behind this.
Large organisations are now managing extensive portfolios of cyber vendors, often with overlapping capabilities across multiple areas such as identity, endpoint security, and network protection. Each control serves a purpose, but assessing them collectively and challenging their value against the current risk picture is often a gap in the budgeting process.
Budget cycles can involve months of preparation, yet executive discussions are often limited and too often the right expertise to discuss inevitable trade-offs isn’t in the room. In that environment, meaningful reallocation becomes difficult, and existing spend persists.
This creates two challenges for leadership teams:
External pressure is increasing too. Regulatory expectations are changing: boards in particular are taking on more accountability and are expected to show evidence of the process behind their decision making. Leaders are being asked to explain how cyber investment translates into reduced exposure, operational continuity, and preparedness. Where that link is unclear, scrutiny increases.
Some organisations are beginning to address this by making cyber investment decisions more explicit and outcome-led.
We believe cyber risk quantification (CRQ) can play a central role in that shift. Modelling realistic threat scenarios and understanding their most likely financial and operational impact delivers a clearer view of exposure. CRQ also provides visibility of the effect that investment in different controls can have on that financial and operational impact.
One global manufacturer used this approach to review its identity environment. Over time, multiple tools had been deployed to address specific issues. When mapped against quantified risk scenarios, a smaller number of controls accounted for a disproportionate share of risk reduction. Others had limited impact relative to their cost.
The outcome was a reallocation of investment towards areas with the greatest effect on overall exposure.
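To make the mechanics of that review concrete, the following is an added, deliberately simplified CRQ model. It is not code from the report or from the manufacturer engagement described above, and every scenario, frequency, loss range, control and cost in it is a constructed placeholder. Each scenario is given an expected event frequency and a 10th/90th-percentile loss range (fitted to a lognormal distribution, a common CRQ convention); each control is described by the fraction by which it cuts the frequency of the scenarios it affects. The model computes expected annual loss before and after each control, then ranks controls by risk reduction per unit of annual cost, and a small Monte Carlo run shows the tail (95th percentile) that a single expected-loss figure hides.

```python
"""Toy cyber risk quantification (CRQ) model (added illustration, constructed data).

Ranks candidate controls by expected annual loss reduction per unit of cost,
and estimates the annual loss distribution by Monte Carlo simulation.
"""
import math
import random
from dataclasses import dataclass, field

Z90 = 1.2816  # standard normal quantile for the 90th percentile


@dataclass
class Scenario:
    name: str
    events_per_year: float   # expected number of loss events per year
    loss_low: float          # 10th-percentile loss per event (currency units)
    loss_high: float         # 90th-percentile loss per event


@dataclass
class Control:
    name: str
    annual_cost: float
    # scenario name -> fractional reduction in that scenario's event frequency (0..1)
    frequency_reduction: dict = field(default_factory=dict)


def lognormal_params(low, high):
    """Fit lognormal (mu, sigma) so that `low`/`high` are the 10th/90th percentiles."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def mean_event_loss(scenario):
    """Mean of the fitted lognormal per-event loss."""
    mu, sigma = lognormal_params(scenario.loss_low, scenario.loss_high)
    return math.exp(mu + sigma ** 2 / 2)


def residual_frequency(scenario, controls):
    """Event frequency after applying the (multiplicative) effect of each control."""
    freq = scenario.events_per_year
    for c in controls:
        freq *= 1 - c.frequency_reduction.get(scenario.name, 0.0)
    return freq


def expected_annual_loss(scenarios, controls=()):
    """Analytic expected annual loss: sum over scenarios of frequency x mean loss."""
    return sum(residual_frequency(s, controls) * mean_event_loss(s) for s in scenarios)


def rank_controls(scenarios, controls):
    """Return [(name, annual risk reduction, reduction per cost unit)] best value first."""
    base = expected_annual_loss(scenarios)
    rows = []
    for c in controls:
        reduction = base - expected_annual_loss(scenarios, [c])
        rows.append((c.name, reduction, reduction / c.annual_cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenarios, controls=(), years=20000, seed=7):
    """Monte Carlo annual loss (Poisson event counts, lognormal losses): (mean, p95)."""
    rng = random.Random(seed)
    params = {s.name: lognormal_params(s.loss_low, s.loss_high) for s in scenarios}
    totals = []
    for _ in range(years):
        year_loss = 0.0
        for s in scenarios:
            mu, sigma = params[s.name]
            n = poisson(rng, residual_frequency(s, controls))
            year_loss += sum(rng.lognormvariate(mu, sigma) for _ in range(n))
        totals.append(year_loss)
    totals.sort()
    return sum(totals) / years, totals[int(0.95 * years)]


# Constructed placeholder portfolio (not real figures from any organisation).
SCENARIOS = [
    Scenario("credential compromise", 2.0, 20_000, 500_000),
    Scenario("ransomware", 0.2, 500_000, 10_000_000),
    Scenario("phishing fraud", 4.0, 5_000, 50_000),
]
CONTROLS = [
    Control("MFA everywhere", 150_000,
            {"credential compromise": 0.7, "ransomware": 0.3, "phishing fraud": 0.4}),
    Control("privileged access management", 200_000,
            {"credential compromise": 0.3, "ransomware": 0.2}),
    Control("legacy web filtering", 120_000, {"phishing fraud": 0.2}),
]

if __name__ == "__main__":
    print(f"Base expected annual loss: {expected_annual_loss(SCENARIOS):,.0f}")
    for name, reduction, per_cost in rank_controls(SCENARIOS, CONTROLS):
        print(f"{name:32s} reduction {reduction:>12,.0f}  per cost unit {per_cost:.2f}")
    mean, p95 = simulate_annual_loss(SCENARIOS)
    print(f"Monte Carlo: mean {mean:,.0f}, 95th percentile {p95:,.0f}")
```

With the constructed inputs, one control accounts for most of the achievable reduction and the third barely moves exposure relative to its cost, which is the pattern the manufacturer example describes. In practice the value of the exercise lies in sourcing the frequency and loss ranges from incident history and calibrated estimates, and in challenging the control-effect assumptions, rather than in the arithmetic itself.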
This approach introduces greater discipline into decision-making. It allows leaders to understand where investment has the most material impact, support trade-offs with evidence, and demonstrate how spend aligns with risk. For leadership teams, the question centres on whether investment is clearly linked to the risks that matter most, and whether that link can be communicated with confidence to the board and external stakeholders.
The Reinventing Cyber Budgeting report explores how organisations are approaching this shift in practice.
Join our session at InfoSec or visit us at stand F112 to hear more about how CRQ is helping leaders prioritise investment, strengthen resilience, and stay ahead of a rapidly evolving threat landscape.