How to Build and Defend a Cybersecurity Budget
A cybersecurity budget is not about percentages or benchmarks—it is about sizing investment to the risk you carry and defending it with evidence the board will accept. This guide covers how to build the budget the right way: from the bottom up by threat exposure, how to allocate across people/tools/services, how to present it to leadership without fear, and when traditional belt-tightening destroys more security than it saves.
How do you size a cybersecurity budget that the board will actually fund?
Most cybersecurity budgets get cut because the people defending them are speaking the wrong language. A CISO who shows up with “industry benchmark” slides and a list of tools they want is not going to win against a CFO who has real P&L pressure and competing capital priorities. The benchmark is someone else’s risk exposure. Your board does not care about it.
Stop thinking about percentages and start thinking about risk. A 10% security budget is either recklessly underfunded or wastefully expensive depending on what you are protecting and what could happen if a control fails. The right budget is the one that reduces quantifiable risk to within the organization’s risk appetite, tied to specific threats and controls, expressed in business language the board already speaks.
Most security budgets fail because they are built top-down (the board sets a total, security carves it up) instead of bottom-up (security quantifies risks, calculates control costs, and defends the total). Top-down budgets are always wrong—they ignore the specific risks your company carries and treat cybersecurity as a cost center to be minimized rather than an investment to be optimized.
Start with risk quantification
The foundation of a defensible budget is a clear, quantified view of what could go wrong. Not a list of threats or a compliance checklist, but dollar-denominated risk exposure: if we experience a breach of customer data, the expected loss is X. If we lose critical infrastructure for 72 hours, the expected loss is Y. If we violate HIPAA, the regulatory penalty is Z.
Cyber risk quantification translates security language (vulnerabilities, threat actors, attack vectors) into financial language (annual loss expectancy, return on security investment, cost-benefit of controls). You run scenarios for your top three to five risks, assign probability and impact ranges, and calculate the median expected loss for each. That total is your risk exposure. Controls that reduce that exposure by more than they cost are ROI-positive investments.
The CISO who can say “our uncontrolled vulnerability exposure costs us $3.2 million per year in annualized risk, and a $450K SIEM investment cuts that to $1.1 million, yielding a 2.4x return in year one” wins the budget conversation every time. The CISO who says “we need better threat detection because our competitors have it” loses every time.
Operator note: At Silicon Valley Bank, the annual budget cycle was always a negotiation between security investment and business growth spending. The conversations that got funded were the ones where I could show the regulatory examiner’s view — the specific control gap, the expected penalty range or breach cost, and the cost of the fix. The conversations that got cut were the ones framed as technology modernization. Boards fund insurance, not upgrades.
For most organizations, annual loss expectancy modeling is the fastest way to get there—identify the top three scenarios (ransomware, data exfiltration, compliance violation), estimate probability and impact for each, and calculate the expected annual loss. That number is your baseline. Now price the controls that address each scenario, and the differential is your budget case.
Allocate across five categories
Once you know how much to spend, allocate it across the five categories that actually matter: people, tools, managed services, compliance, and everything else (consulting, training, incident response retainers).
People (typically 40–60% of the budget) are your most expensive and most important asset. If you cannot afford a full-time CISO, a fractional CISO costs $5,000 to $15,000 per month and provides governance, board reporting, and vendor management. A security engineer or architect costs $150K–$250K fully loaded; a SOC analyst $100K–$150K. Small organizations should bias toward managed services and fractional leadership over in-house headcount. Growth-stage companies (Series B onwards) typically justify 2–5 dedicated security professionals plus fractional or managed support for specialized functions.
Tools (typically 20–35% of the budget) should never be the largest line item. Most organizations spend too much on tools and too little on people who can interpret tool output. Evaluate tools by their contribution to closing specific risks, not by feature count or vendor reputation. A $60K SIEM that your team cannot configure or interpret is a waste; an $8K managed SIEM that your MDR provider operates is leverage.
Managed services (15–30% for small/mid-market, 5–15% for enterprise) let you buy capability without building in-house. MDR, managed SIEM, fractional CISO, and vulnerability management services compress what would cost $500K in salaries and tool licenses into $50K–$200K annually, with someone else owning the 24/7 operations. For organizations under 1,000 employees, managed services almost always beat in-house on cost and capability.
Compliance (varies by framework and stage) is a fixed cost driven by what regulations apply, not by optional belt-tightening. First-year SOC 2 costs $50K–$150K; ISO 27001 $60K–$200K. Annual maintenance runs 50–70% of first-year costs. Do not try to cut compliance—the business consequence (lost deals, regulatory fines, audit findings) always exceeds the savings.
Everything else (5–10%) includes penetration testing ($15K–$50K annually), security architecture reviews ($20K–$50K as-needed), training and awareness ($5K–$15K), incident response retainers ($3K–$15K monthly), and travel/conference attendance. These feel like they can be cut, and sometimes they should be—but cutting the wrong items creates technical debt that compounds.
Defend the budget by company stage
Different stages require different budget profiles because risk profiles differ.
Seed and Series A (10–15% of IT budget, typically $100K–$400K annually)
Bias toward managed services and fractional leadership. A fractional CISO ($5K–$10K monthly) + MDR ($3K–$8K monthly) + basic tools (identity, email security, vulnerability scanning: $1K–$3K monthly) + one penetration test annually ($20K–$30K) totals $120K–$250K. You need a SOC 2 Type II if you are selling to enterprises ($50K–$100K first year). At this stage, you do not have the volume to justify a full-time security engineer; managed services compound your leverage.
Series B and growth stage (12–18% of IT budget, typically $500K–$3M annually)
You have justification for a dedicated security professional now—a security engineer or architect who can manage vendors, tune tools, and own architecture. Add a fractional CISO if you do not have a full-time CISO yet. Continue managed services for SOC operations and specialized functions (vulnerability management, penetration testing, compliance consulting). At this stage, you are building internal capability while buying expertise you do not yet have in-house.
Enterprise or pre-IPO (10–15% of IT budget, typically $2M–$20M+ annually)
You have in-house teams: SOC operations, security engineering, GRC, identity and access management, application security, and a full-time CISO. Managed services shift from outsourcing entire functions to buying specialized expertise (red teaming, incident response, CRQ consulting, M&A due diligence). You operate your own SIEM and SOC because the volume justifies the overhead. Compliance and audit costs rise as your regulatory footprint expands.
Present the budget to the CFO and board
CFOs and boards think in three languages: cost (what does it cost), return (what do we get), and risk (what happens if we do not do this). Security budgets that speak only security language get cut. Budgets that translate to business language get funded.
For the cost conversation: show total budget, break it into your five categories, and benchmark against peers in your industry and size. “We are allocating $1.2M to cybersecurity, which is 11% of our IT budget. Based on comparable SaaS companies our size, the industry average is 9–15%, so we are in the middle of the range.”
For the return conversation: use cybersecurity ROI to show what the budget bought in prior years. “Last year’s $50K investment in a SIEM reduced our mean time to detect from 45 days to 8 hours, cutting our annualized risk exposure from $2.1M to $0.3M—a $1.8M improvement for a $50K investment.” This is 1500% ROI, expressed in business terms the CFO understands.
For the risk conversation: quantify what happens if you do not fund the budget. “Our uncontrolled risks total $3.2M in annual loss expectancy. The controls in this budget reduce that to $0.8M. Without this budget, the board is implicitly accepting an incremental $2.4M of annual risk from our business operations.” Frame it as a choice, not a supplication.
What you cannot afford to cut
When budget pressure hits—and it always does—you will be asked to find efficiencies. Some cuts are sensible; others are false economies that cost more than they save.
Always cut last (or do not cut at all)
- Incident response capability and retainers. A $10K/month retainer with an incident response firm sounds expensive until a breach happens. The cost of a 72-hour IR retainer vs. a 30-day forensic investigation is not $10K vs. $250K—it is the difference between a $1M and a $10M breach. This is where the math is clearest: incident response pays for itself every time.
- Identity and access management. IAM is the foundation of everything. Weak IAM means weak detection (attackers use stolen credentials), weak response (you cannot quickly revoke access), and weak compliance (you cannot prove who accessed what). Do not skimp here.
- Compliance framework controls. If your business model depends on SOC 2 or ISO 27001 certification, cutting controls that feed the audit is cutting customer revenue. The control cost is already sunk.
Always cut first
- Consulting and professional services. Pentests, assessments, architecture reviews—these are valuable but deferrable. Cut them in tight years, rebuild in growth years.
- Training and awareness programs. Phishing simulations and security awareness training feel expensive and produce weak quantifiable ROI. They are also the easiest to restart, so they are the first to go.
- Tool purchases and lab projects. A proof-of-concept for a new SIEM or SOAR is nice to have; skip it if budget is tight and revisit when cash improves.
Cut thoughtfully
- Managed services. Shifting from managed SIEM to in-house SIEM saves $2K–$3K monthly but costs you 0.5 FTE of engineering time. If you do not have that FTE capacity, the “savings” cost you more in distraction and detection delay.
- Tool consolidation. Reducing from five vulnerability scanners to one saves licenses but requires migration work, staff retraining, and workflow redesign. The upfront cost is real; savings accrue over time.
Operator note: The cut I see management teams make most often — and most painfully regret — is eliminating the incident response retainer to recover a few months of budget headroom. Without a retained IR firm, a breach that would have been a $1M event becomes a $7M event because the first 72 hours are spent finding a vendor, negotiating a scope, and onboarding them to your environment. The retainer is not an expense; it is the option price on a dramatically cheaper breach.
How to allocate by threat and risk posture
Not all budget categories reduce risk equally for your company. A manufacturing firm exposed to operational technology (OT) attacks needs different spending than a SaaS company handling PII. A fintech firm with imminent regulatory examination needs different spending than a private equity portfolio company with no public markets pressure.
Build a risk heat map: identify your top three to five threat vectors for the business, estimate the impact and probability of each, and calculate expected annual loss. Now price the specific controls that address each threat. This is the most honest way to allocate resources.
| Threat Scenario | Expected Annual Loss (uncontrolled) | Top Controls | Control Cost | ROI |
|---|---|---|---|---|
| Ransomware with 2-week recovery | $4.2M | EDR, SIEM, incident response, MFA | $350K | 11x |
| Customer data exfiltration | $2.8M | DLP, identity governance, EDR | $250K | 10x |
| Supply chain compromise | $1.5M | Third-party risk program, network segmentation | $150K | 9x |
| Compliance violation (HIPAA/SOX) | $2.1M | GRC platform, audit controls, training | $200K | 9.5x |
This table is not a compliance exercise—it is your budget roadmap. Every dollar allocated traces back to a specific threat and a quantified reduction in risk. When the CFO asks “why do we need another $200K,” the answer is not “industry best practice” but “that $200K controls this specific $2.1M risk.”
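The heat map above worked as code, as an added example that is not from the article or from vCSO.ai: each row's expected annual loss is probability times impact, ROI is (risk reduced minus control cost) divided by control cost, which is the formula the table's ROI column follows when the controls are assumed to eliminate the exposure, and a capped budget is allocated to the highest-ROI controls first, reporting the residual exposure the board implicitly accepts. The probability and impact pairs are constructed to reproduce the table's loss figures, and the $600K cap is an assumed number.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Scenario:
    name: str
    probability: float              # annual rate of occurrence (ARO)
    impact_usd: float               # single loss expectancy (SLE) if it occurs
    controls: str                   # control set that addresses the scenario
    control_cost_usd: float         # annual cost of that control set
    residual_fraction: float = 0.0  # share of ALE left after controls (0 = fully mitigated)

    def ale(self) -> float:
        """Uncontrolled annual loss expectancy = ARO x SLE."""
        return self.probability * self.impact_usd

    def risk_reduction(self) -> float:
        return self.ale() * (1.0 - self.residual_fraction)

    def roi(self) -> float:
        """Net return per dollar of control spend: (reduction - cost) / cost."""
        return (self.risk_reduction() - self.control_cost_usd) / self.control_cost_usd


def allocate(scenarios: List[Scenario], budget_cap: float) -> Tuple[List[str], float, float]:
    """Fund control sets in descending ROI order while they fit under the cap.
    Returns (funded scenario names, total spend, residual annual exposure)."""
    funded, spend, residual = [], 0.0, 0.0
    for s in sorted(scenarios, key=lambda x: x.roi(), reverse=True):
        if s.roi() > 0 and spend + s.control_cost_usd <= budget_cap:
            funded.append(s.name)
            spend += s.control_cost_usd
            residual += s.ale() - s.risk_reduction()
        else:
            residual += s.ale()  # unfunded: the board implicitly accepts this risk
    return funded, spend, residual


# Constructed ARO/SLE pairs (not data) chosen so each ALE matches the article's heat-map rows.
HEAT_MAP = [
    Scenario("Ransomware with 2-week recovery", 0.30, 14_000_000, "EDR, SIEM, IR, MFA", 350_000),
    Scenario("Customer data exfiltration", 0.20, 14_000_000, "DLP, identity governance, EDR", 250_000),
    Scenario("Supply chain compromise", 0.15, 10_000_000, "Third-party risk, segmentation", 150_000),
    Scenario("Compliance violation (HIPAA/SOX)", 0.30, 7_000_000, "GRC platform, audit controls", 200_000),
]

if __name__ == "__main__":
    for s in HEAT_MAP:
        print(f"{s.name:34} ALE ${s.ale():>12,.0f}  cost ${s.control_cost_usd:>9,.0f}  ROI {s.roi():.1f}x")
    print(allocate(HEAT_MAP, 600_000))  # assumed cap forces a choice: the top-two ROI rows get funded
```

Setting `residual_fraction` above zero for a row models controls that only partially mitigate a scenario, which lowers that row's ROI and can change the funding order.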
Sizing for growth and exits
Your budget should evolve as the company scales. Do not assume that percentage-of-IT-budget stays constant—risk and regulatory obligations change.
Before an IPO or regulated status change: run a cyber risk quantification exercise that models the new regulatory environment. An IPO-bound company faces SEC disclosure obligations and heightened board oversight; the budget should reflect that with upgraded board reporting capability, incident response planning, and executive communication infrastructure.
Before an acquisition or fundraising: security posture becomes a due diligence item. Buyers and investors now quantify security risk as part of valuation. Your budget should include a penetration test and risk assessment that sets a credible baseline, reducing M&A surprises and valuation adjustments.
During hyper-growth: costs scale non-linearly. You do not need to double security spend to double your user base—many controls (identity, SIEM, compliance frameworks) scale logarithmically. But you do need to hire ahead of that curve or risk detection gaps during the fast-growth period.
Common budget mistakes
Mistake 1: Budgeting by comparison instead of by risk. “Our competitor is spending 12% of IT budget, so we should too.” But your competitor might carry different risks, operate in a different regulatory environment, or have made different architectural choices. Budget by quantified risk, benchmark afterward to validate the number is reasonable.
Mistake 2: Protecting equally against all threats. Every threat gets an allocation, every control gets funded. That is the opposite of risk-based budgeting. Identify your top three threats, allocate 70% of the budget there, and accept that other risks are not fully mitigated.
Mistake 3: Treating the budget as fixed. “We have $1.2M to allocate”—then carving it into equal slices. Reality: some categories are fixed (compliance costs, talent market rates), some are variable (tools, services). Adjust the allocation as reality arrives.
Mistake 4: Cutting by percentage instead of by impact. When times are tight, do not cut everything by 10%. Cut the items that produce the least risk reduction first. A 20% cut to consulting while preserving incident response and identity is smarter than a 10% cut to everything.
vCSO.ai is the operator-led cybersecurity advisory firm of Nick Shevelyov, former 15-year Chief Security Officer at Silicon Valley Bank. vCSO.ai provides strategic oversight for growth-stage and enterprise organizations designing cybersecurity programs that secure funding, earn board confidence, and actually reduce risk.