
Want A Bigger Budget? Learn to Think Like a Board

Who’s held responsible when a breach goes down?

When thinking about the impact budgeting can have on the cybersecurity of an organization, I am often reminded of the quote, “Beware of little expenses. A small leak will sink a great ship.” It’s a helpful reminder of why building alignment between CISOs and boards, particularly when it comes to budgeting, is important. Even small budget disparities can often have significant and immediate consequences.

 

In the new CISO Report: The Path to Digital Resilience Starts With Your Board, we examine some of the misalignments that have frustrated CISOs and kept boards from opening their proverbial wallets. We also detail ways CISOs can better champion bigger budgets to properly fund their security initiatives and make their organizations that much more resilient.


When budget cuts lead to security shortfalls

While 70% of CISO and board respondents say that cybersecurity spending is expected to increase “somewhat,” for many, it still isn’t enough. Only 29% of CISOs say they receive the proper budget for their cybersecurity initiatives and accomplishing security goals.

 

Over the last 12 months, many CISOs have been on the receiving end of budget cuts to their departments that have impactful ripple effects on their teams and the services they provide. Some of the most common cuts experienced include postponing a technology upgrade or refresh (52%), reducing the number of security solutions to save on licensing costs (50%), and imposing freezes on promotions, raises, and/or hiring (40%).

 

But these budget cuts impact much more than just security systems. In many cases, the downstream effect has resulted in security breaches and cyberattacks that impact the broader business. And not all cuts are created equal or have the same impact on the organization. While only 18% of CISOs reported cuts that resulted in failing to support a business initiative, these cuts resulted in a cyberattack or breach 64% of the time. Comparatively, reducing security solutions, reported by half of CISO respondents, resulted in attacks only 19% of the time.

 

Meanwhile, cyberattacks are showing no signs of slowing down. A whopping 94% of CISOs report being victims of a disruptive cyberattack in the past year, with 55% experiencing multiple disruptive attacks.

 

It's safe to say that an antidote to these threats is a properly funded cyber defense. That also means CISOs will have to become their own best advocates.

 

 

Evangelizing for a more secure future

To ensure that initiatives are solidly funded, CISOs will not only be required to self-advocate, but they’ll also have to articulate their needs in a way that boards can hear and understand. In short, they need to know their audience and learn to speak “board” — fluently.

 

For CISOs, this means focusing less on presenting hard security metrics such as MTTR and MTTD and instead elevating the ROI of their investments and positioning security as something that drives the business forward. Boards have made it clear that they value business growth (44%) over strengthening the cybersecurity program (24%), which means they are prone to back cybersecurity initiatives with tangible value to shareholders and the greater organization. However, the two disciplines are not mutually exclusive.

 

Presenting security as a business enabler has the most mileage by far with boards, with 64% citing this method as the most convincing. However, only 43% of CISOs are actively doing this. Providing cyber risk metrics and recommendations to inform management decisions also goes a long way with boards, at 49%, but only 38% are engaging in this practice.

 

CISOs can also effectively retain the board’s ear for budget by presenting them with concrete calculations on direct and secondary costs of downtime, including lost revenue, SLA fines, and factors that will impact shareholders. And it’s a conversation worth having. Downtime costs Global 2000 companies $400 billion annually, averaging $200 million per company, or about 9% of profits.

 

 

Getting on board with your board

It’s never too late to brush up on a new language, especially if it helps CISOs to drive alignment with their boards, and build a more resilient business. While boards benefit from your security acumen and expertise, it’s up to you to make them understand what you need, and why.

 

CISOs with good board relationships say they’re more likely to convince their leadership to increase their budget when needed (69% vs. 57% of other CISOs). So getting on the same page with your board will be critical. That means finding ways to protect revenue and shareholder value.

 

Finding common ground, and a common language, is not only a viable path to more funding, it often results in realizing shared values and goals, paving the way for better collaboration that benefits everyone.

 

 

 

To learn more about how CISOs can better communicate with their board, boost their budgets, and align on priorities, download the 2025 Splunk CISO Report.
