
The guidance helps security leaders justify spend, protect against AI‑driven threats, and secure board support, directly influencing organizational resilience and financial risk exposure.
The cybersecurity budgeting landscape has shifted dramatically as organizations grapple with stagnant growth and the rapid adoption of generative AI tools. Recent research shows budget increases have stalled for the first time in five years, forcing CISOs to defend every dollar. At the same time, AI‑enabled breaches are surfacing, creating ambiguous liability and insurance claims that are difficult to quantify. By translating these emerging threats into financial risk models, security leaders can speak the language of the board and justify proactive investments.
Wheeler’s framework breaks the budget into three pragmatic layers. First, compliance obligations consume roughly 78% of spend, representing non‑negotiable controls that often deliver a negative return‑on‑controls. Second, CISOs should target initiatives that generate a positive return, such as robust backup strategies, regular tabletop exercises, and comprehensive awareness training that directly reduce quantified risk. Finally, forward‑looking allocations for incident‑response tooling and cross‑functional collaboration with CIOs, CTOs, and CLOs prepare organizations for the inevitable settlement of AI‑related claims. This tiered approach balances mandatory requirements with strategic, revenue‑protecting investments.
Effective board engagement remains the linchpin of a successful cyber budget. Beyond hard numbers, executives must weave narratives that illustrate the hidden costs of breaches—employee attrition, reputational damage, and lost client trust. Early, continuous dialogue with board members, coupled with a three‑plus‑year vision, transforms budgeting from a reactive exercise into a strategic partnership. As staffing constraints tighten—only a quarter of large security teams feel sufficiently staffed—prioritizing high‑impact controls and talent acquisition becomes essential for maintaining resilience in an increasingly hostile threat environment.