"How much should we spend on cybersecurity?"
It's a question CFOs and boards ask constantly. And it's fundamentally the wrong question.
The right question is: "What risk exposure are we accepting with current investment?"
The difference between these questions is profound. The first frames security as a cost to be minimised. The second frames it as risk management requiring strategic allocation.
Most security investment discussions follow a predictable pattern: security teams request budget for new tools, additional staff, infrastructure upgrades, or training programmes. Each request claims to reduce risk. Few clearly articulate how much risk, at what cost, with what business benefit. Requests are evaluated against industry benchmarks, peer comparisons, or whatever survived previous budget negotiations.
The result? Security investment becomes arbitrary rather than strategic. CFOs struggle to differentiate between essential security spending and nice-to-have improvements. Security teams struggle to explain why their requests matter more than competing priorities. Boards approve budgets without clear understanding of what risk is being reduced or accepted.
This approach satisfies nobody. Security teams feel perpetually under-resourced. Finance teams see security as a budget black hole with unclear returns. Boards lack confidence that security spending is proportionate to risk.
The fundamental problem isn't budget size. It's the inability to translate security needs into business language that enables informed investment decisions.
The Translation Problem
Security professionals and business leaders speak different languages.
Security teams think in technical terms: vulnerabilities, exploits, attack vectors, control frameworks, threat actors, zero-days. Their mental models are built around technical risk, measured in CVE scores, penetration test findings, and configuration weaknesses.
Business leaders think in business terms: revenue impact, operational continuity, reputational damage, regulatory exposure, competitive positioning, shareholder value. Their mental models are built around business outcomes, measured in financial performance, market position, and strategic objectives.
Neither perspective is wrong. They're simply optimised for different domains. The challenge is bridging them.
When security teams request investment, they naturally frame it in technical terms: "We need to upgrade our SIEM platform because our current solution lacks advanced threat detection capabilities and our log retention doesn't meet compliance requirements."
This framing provides technical justification but doesn't help business leaders understand: Why does this matter to the business? What bad thing happens if we don't upgrade? How does this compare to other investment priorities? What's the return on this investment?
The gap isn't about intelligence or intent. It's about translation. Security professionals must learn to articulate risk in business terms. Business leaders must learn to ask questions that surface the business implications of technical decisions.
Quantifying Risk in Business Terms
Effective security investment cases require translating technical risk into business impact.
Instead of: "We have critical vulnerabilities in our authentication system that could allow unauthorised access."
Frame it as: "Our current authentication system has known weaknesses that create risk of unauthorised access to customer financial data. Based on New Zealand's average SME breach cost of NZD $173,000 (NCSC/Kordia research), and factoring in regulatory fines, mandatory notification costs, potential customer churn (5-10% of revenue), and reputational damage, total potential impact could range from NZD $300,000 to several million depending on scale. Remediation cost: NZD $180,000."
Instead of: "We need to upgrade our firewall infrastructure to support more advanced filtering."
Frame it as: "Our current firewall creates a single point of failure. If it fails, our e-commerce operations halt completely. Based on our transaction volume, each hour of downtime costs approximately NZD $75,000 in direct revenue, plus delayed order processing and customer service costs. A redundant architecture reduces this risk. Implementation cost: NZD $250,000. First prevented outage recovers this investment."
Instead of: "Our incident response capability needs improvement."
Frame it as: "Current incident detection and response timelines average 72 hours from breach to containment. Industry research from IBM shows earlier detection and response reduces average breach costs by 30-40%. For our organisation, reducing detection time to 24 hours could reduce estimated breach costs significantly. Investment in improved detection and response capability: NZD $200,000 annually."
This translation makes several things explicit:
• What business asset or capability is at risk
• What realistically bad outcome could occur
• What the financial impact of that outcome would be
• How the proposed investment reduces that risk
• Whether the investment is proportionate to the risk
Business leaders can evaluate these investment cases using the same frameworks they apply to other risk management decisions. The security investment isn't special-case spending—it's risk mitigation with quantifiable costs and benefits.
Understanding Risk Appetite
Every organisation has limited resources and unlimited potential risks. The strategic question isn't whether to accept security risk—it's which risks to accept and which to mitigate.
This requires articulating risk appetite: the amount and type of risk the organisation is willing to accept in pursuit of business objectives.
For many organisations, risk appetite for security is implicit rather than explicit. Boards approve security budgets without clearly stating what level of security risk is acceptable.
This creates problems:
• Security teams don't know how much risk they're expected to reduce
• Investment decisions lack clear criteria for prioritisation
• Residual risk (the risk remaining after controls are implemented) is never formally accepted
• When incidents occur, there's often surprise and blame rather than recognition that some risk was knowingly accepted
Explicit risk appetite statements provide clarity:
"We accept that some security incidents will occur. Our appetite is to reduce likelihood of incidents affecting customer data to less than 5% annually, and to ensure any incidents that occur are detected within 24 hours and contained within 72 hours. We are willing to accept higher risk of incidents affecting internal-only systems if this allows greater investment in customer-facing security."
"Our risk appetite for operational disruption is low. We prioritise availability and resilience over maximum security. Controls that might reduce attack surface but increase operational fragility are disfavoured. We accept slightly higher security risk to maintain operational stability."
"As a financial institution, our regulatory obligations create minimal risk appetite for security incidents affecting customer data or transaction integrity. We prioritise security investments that reduce these specific risks even if cost-benefit analysis for other risk types would suggest different priorities."
These statements don't eliminate difficult decisions, but they provide frameworks for making them consistently with organisational priorities.
Balancing Short-Term and Long-Term Thinking
Security investment discussions often create tension between immediate needs and long-term architecture.
Short-term investments address current threats and known vulnerabilities: patch management, tool updates, addressing penetration test findings, responding to emerging threats. These investments show immediate risk reduction and are relatively easy to justify.
Long-term investments build enduring capability: architecture modernisation, skills development, process improvement, strategic tool platforms. These investments create compounding benefits but take time to demonstrate value.
Both are necessary. Over-indexing on short-term needs creates technical debt and architectural fragility. Over-indexing on long-term initiatives leaves current vulnerabilities unaddressed.
Effective security investment strategies balance both:
Immediate risk reduction (30-40% of security budget): Addressing known vulnerabilities, implementing critical patches, responding to penetration test findings, deploying urgent controls. These investments provide rapid risk reduction and are typically non-negotiable.
Capability building (40-50% of security budget): Investing in architecture, tools, skills, and processes that create sustainable security posture. These investments compound over time and reduce the need for crisis-driven spending.
Strategic initiatives (10-20% of security budget): Exploring emerging security approaches, piloting new technologies, investing in innovation. These investments position the organisation to adapt to evolving threats.
Reserve capacity (10% of security budget): Maintaining flexibility for unforeseen needs, emerging threats, or opportunities that arise mid-year.
This balance evolves with organisational maturity and threat landscape, but the principle remains: sustainable security requires both immediate action and long-term investment.
Common Investment Pitfalls
Several patterns consistently undermine security investment effectiveness:
Reacting to headlines rather than risk. After high-profile breaches, organisations often rush to invest in whatever controls might have prevented that specific incident. This creates reactive, fragmented security posture rather than strategic capability building.
Chasing compliance rather than security. Compliance requirements establish baselines, not optimal security. Organisations that invest only to meet minimum compliance requirements often discover those minimums are inadequate when tested by actual incidents.
Technology bias over process and people. New security tools are easier to procure than organisational change. But technology without supporting processes and skilled people creates expensive shelfware. Investment must address the full socio-technical system, not just acquire tools.
Failing to maintain existing investments. Security tools require ongoing maintenance, tuning, and updating. Organisations often invest in new capabilities while under-investing in maintaining existing ones, creating security control degradation over time.
Ignoring opportunity costs. Every dollar spent on security is unavailable for other priorities. Security investment discussions should acknowledge trade-offs, not pretend security spending has no opportunity cost.
Treating security as one-time investment. Security is operational expense, not capital investment. Threat landscapes evolve, systems age, staff require ongoing training. Sustainable security requires ongoing investment, not one-time projects.
Overestimating return on investment. Security prevents bad things from happening. Events that don't occur don't generate obvious ROI. Framing security investment as "ROI positive" often requires questionable assumptions about prevented incidents.
Recognising these pitfalls allows organisations to structure investment decisions more effectively.
Building Effective Investment Cases
Strong security investment proposals share common characteristics:
Business framing. Start with business context: what business capability, asset, or obligation is at risk? Why does it matter? What regulatory, competitive, or operational factors create urgency?
Clear risk articulation. Describe specifically what could go wrong, how likely it is, and what the business impact would be. Use scenarios rather than abstractions. "Ransomware could encrypt customer databases, halting order processing for multiple days" is more compelling than "we face ransomware risk."
Quantified impact. Estimate financial impact as realistically as possible. Use ranges when precision isn't achievable. Reference industry data, peer experiences, and organisational-specific factors. Even rough quantification is better than none.
Proportionate solutions. Propose investment proportionate to risk. A NZD $500,000 solution to a NZD $100,000 problem is difficult to justify. Ensure proposed investment is the right-sized response to identified risk.
Alternatives and trade-offs. Present options with different cost-risk profiles. "We can reduce this risk 80% for NZD $200,000, or 95% for NZD $450,000. The additional 15% risk reduction costs more than double." This allows business leaders to make informed trade-off decisions.
Implementation realism. Include realistic timelines, resource requirements, and dependencies. Security investments that can't be executed effectively waste money regardless of theoretical benefit.
Success metrics. Define how investment success will be measured. Reduction in incident frequency? Faster detection? Improved audit results? Clear success criteria enable post-implementation evaluation.
Residual risk acknowledgement. All security investments leave residual risk. Being explicit about what risk remains even after investment demonstrates maturity and enables informed risk acceptance.
This structure translates technical security needs into business investment cases that boards and finance teams can evaluate using standard investment criteria.
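One way to put the figures in such a case on a common footing, so that the risk appetite statement above and the 80% versus 95% trade-off can be checked side by side, is a small expected-loss model. The code below is an added illustration, not code from the original article or from CyberForensics. The NZD $200,000 and $450,000 option costs, the 80% and 95% reductions, the $300,000 lower-bound impact and the 5% annual appetite come from the article's own examples; the 10-20% annual likelihood range, the $3,000,000 upper-bound impact and the option names are constructed assumptions for illustration only.

```python
"""Expected-loss model for a security investment case (added example).

Every scenario figure is carried as a (low, high) range, as the article
recommends, so that the board sees the spread rather than a single point.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario: what could go wrong, how likely, how costly."""
    name: str
    likelihood: tuple  # (low, high) annual probability of the event
    impact: tuple      # (low, high) financial impact in NZD if it occurs

    def expected_annual_loss(self):
        """Expected annual loss range before any new control."""
        return (self.likelihood[0] * self.impact[0],
                self.likelihood[1] * self.impact[1])


@dataclass(frozen=True)
class Option:
    """A candidate control investment."""
    name: str
    annual_cost: float
    reduction: float  # fraction of event likelihood removed, 0.0 to 1.0


def evaluate(scenario, option):
    """Work one option through the scenario and return the figures the
    article asks for: residual likelihood, expected loss after the control,
    avoided loss and net position, each as a (low, high) range."""
    residual = tuple(p * (1 - option.reduction) for p in scenario.likelihood)
    before = scenario.expected_annual_loss()
    after = (residual[0] * scenario.impact[0], residual[1] * scenario.impact[1])
    avoided = (before[0] - after[0], before[1] - after[1])
    net = (avoided[0] - option.annual_cost, avoided[1] - option.annual_cost)
    return {
        "option": option.name,
        "annual_cost": option.annual_cost,
        "residual_likelihood": residual,
        "eal_before": before,
        "eal_after": after,
        "avoided_loss": avoided,
        "net_position": net,
        # cost of each percentage point of likelihood removed
        "cost_per_point": option.annual_cost / (option.reduction * 100),
    }


def within_appetite(result, max_annual_likelihood):
    """Residual risk is inside appetite only if its UPPER bound fits;
    quoting the optimistic lower bound alone would hide accepted risk."""
    return result["residual_likelihood"][1] <= max_annual_likelihood


def marginal_cost_per_point(cheaper, dearer):
    """Cost of each extra percentage point of reduction when stepping up
    from one option to a stronger one (the article's 80% vs 95% case)."""
    extra_points = (dearer.reduction - cheaper.reduction) * 100
    return (dearer.annual_cost - cheaper.annual_cost) / extra_points


# Constructed figures for illustration, not measured data (hypothetical).
CUSTOMER_DATA = Scenario(
    name="unauthorised access to customer financial data",
    likelihood=(0.10, 0.20),          # assumed annual probability range
    impact=(300_000, 3_000_000),      # NZD; lower bound from the article
)
OPTION_A = Option("harden authentication", annual_cost=200_000, reduction=0.80)
OPTION_B = Option("harden + continuous monitoring", annual_cost=450_000, reduction=0.95)
APPETITE = 0.05  # at most a 5% annual chance of a customer-data incident


if __name__ == "__main__":
    for opt in (OPTION_A, OPTION_B):
        r = evaluate(CUSTOMER_DATA, opt)
        lo, hi = r["residual_likelihood"]
        print(f"{r['option']}: cost {r['annual_cost']:,.0f}/yr, "
              f"residual likelihood {lo:.1%}-{hi:.1%}, "
              f"avoided loss {r['avoided_loss'][0]:,.0f}-{r['avoided_loss'][1]:,.0f}, "
              f"net {r['net_position'][0]:,.0f} to {r['net_position'][1]:,.0f}, "
              f"within appetite: {within_appetite(r, APPETITE)}")
    print(f"marginal cost per extra point, A to B: "
          f"{marginal_cost_per_point(OPTION_A, OPTION_B):,.0f}")
```

Run as a script it prints one line per option. Two things the ranges make visible that a single number hides: the net position of both options straddles zero, which is the article's caveat about claiming security spend is "ROI positive"; and the step from 80% to 95% costs roughly NZD $16,700 per extra point against NZD $2,500 per point for the first option, which is the trade-off a board can actually weigh. The appetite check deliberately uses the upper bound of residual likelihood, so an option that only meets the 5% target in its optimistic case is reported as outside appetite.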
The Ongoing Conversation
Security investment isn't a one-time budgeting exercise. It's an ongoing conversation between security teams who understand technical risk and business leaders who make resource allocation decisions.
Effective organisations create regular touchpoints for this conversation:
Quarterly security briefings that update leadership on threat landscape changes, emerging risks, control effectiveness, and investment priorities. These briefings maintain visibility and enable mid-year adjustments.
Risk register integration that ensures security risks are assessed alongside operational, financial, and strategic risks. This prevents security from being siloed and ensures proportionate attention.
Board-level security reporting that provides governance oversight without overwhelming boards with technical detail. Key metrics should include: risk posture trends, investment vs. risk reduction, incident patterns, control effectiveness, and strategic initiatives progress.
Post-incident investment reviews that assess whether security investments would have prevented or mitigated recent incidents. This creates feedback loops that improve investment decision quality.
Industry benchmarking used carefully. While peer comparison provides context, organisations should invest based on their specific risk profile, not industry averages. A financial institution should invest differently from a manufacturer even if both sit in the same spending bracket.
The goal is making security investment a regular, evidence-based conversation rather than an annual budget negotiation.
When Investment Isn't the Answer
Sometimes the right answer to "how much should we invest?" is "investment alone won't solve this."
Some security challenges can't be fixed purely through investment:
Cultural issues. No amount of security tooling compensates for leadership that doesn't prioritise security or organisational culture that treats security as obstruction. Cultural change requires leadership commitment, not budget.
Architectural decisions. Some security challenges result from fundamental architecture choices that no security control can fully mitigate. The solution is architectural change, which is a business transformation project, not a security investment.
Process dysfunction. If core business processes are broken, adding security controls often makes them worse. Fix the process, then secure it. Not the reverse.
Third-party dependencies. Organisations often inherit security risk from vendors, partners, or platforms they don't control. Investment in security controls helps, but some risk can only be addressed through vendor management, contract negotiation, or accepting the risk.
Fundamental risk trade-offs. Sometimes business models or strategic choices create security risk that can't be eliminated through investment. Remote work creates security challenges. Cloud services create dependency risks. Digital transformation expands attack surfaces. These are business decisions with security implications, not security problems solved by security spending.
Recognising when investment isn't the primary solution prevents wasted spending and focuses attention on the actual decisions required.
The Strategic Perspective
From a governance standpoint, security investment is fundamentally about informed risk management.
Boards don't need to understand the technical details of security controls. They need to understand:
• What critical business assets and capabilities are at risk
• What realistically could go wrong
• What the business impact would be
• What investment is proposed to reduce risk
• What risk remains even after investment
• Whether proposed investment is proportionate to risk
• How this compares to other risk management priorities
These are business questions requiring business judgment informed by security expertise.
The organisations that invest in security most effectively are those that translate security challenges into this business framing, enabling boards and executives to make informed decisions using the same risk frameworks they apply to other domains.
Security spending isn't special. It's risk management requiring the same strategic thinking, cost-benefit analysis, and governance oversight as any other significant organisational investment.
The question isn't "how much should we spend on security?" It's "what level of security risk are we comfortable accepting, and what investment is proportionate to managing the risks we're not comfortable with?"
Answer that question well, and security investment becomes strategic. Answer it poorly or not at all, and security spending remains an arbitrary line item that satisfies nobody and may not even reduce the risks that matter most.
Because in the end, the goal isn't maximum security spending or minimum security spending. It's right-sized security investment proportionate to risk, aligned with business priorities, and delivered through a balanced portfolio of immediate protection, capability building, and strategic positioning.
Everything else is just noise.
About CyberForensics
We specialise in strategic cybersecurity guidance, digital forensics, and organisational risk management. We help leadership teams translate complex security challenges into clear, actionable strategies.