Much of the narrative I come across online around cybersecurity budgets revolves around convincing the Board and justifying investments.
Some approaches are built around financial models and aim at justifying return on investment. Some others focus on quantifying risk and showing risk reduction.
All are data-driven and designed around some form of rational argument.
But is this really the way decisions are made at the top of large organizations?
In fact, those approaches are all part of the bottom-up narrative CISOs, cybersecurity consultants and cybersecurity vendors have been building toward top executives over the past two decades.
In my experience, they clash with three aspects of real-life enterprise dynamics:
First of all, decision-making at the enterprise level may have the appearance of a rational endeavour, but is in fact heavily influenced by cognitive biases, as evidenced by Daniel Kahneman and his school of thought.
This is perfectly obvious with cybersecurity, and it brings me to my second point:
Anybody who has spent enough time in the security industry will have come across various situations where money that was previously denied appears in vast quantities at the first sight of a regulatory investigation, a bad audit report, an incident, a near miss or a similar event affecting a competitor (that’s the “can it happen to us?” question many CISOs will be familiar with).
No concerns around ROI or risk reduction are raised in those scenarios: Top executives want to see boxes checked and evidence that they have done their job, should a bad breach occur. If execution does not follow, someone else will be blamed (often the CISO, who has sometimes been nicknamed Chief Incident Scapegoat Officer).
More seriously, the penny has in fact dropped in many boardrooms around the “when-not-if” paradigm with cyberattacks: Following almost two decades of non-stop breaches, you would probably struggle to find one board member not aware of the business impact they can have. That takes me to my third point:
I have had many discussions, in particular with CIOs, openly admitting that they could put “anything they like” in their budgets for cybersecurity, but that their main problem was delivering on cyber projects.
Where does that disconnect come from, between many CISOs and their vendors claiming to struggle with resources, and top executives who are increasingly cyber-aware and want to invest to protect the firm?
The budget myth: Why cybersecurity isn’t actually underfunded
Of course, cybersecurity projects are often complex because they need to reach across corporate silos and geographies to deliver effective protection to the business. This is not natural in large firms, which are, almost by nature, territorial and political.
But beyond that, the profile of CISOs is also a key dimension:
Most are technologists by trade and background, and have spent the last decade firefighting incidents, incapable of building or delivering any kind of long-term narrative.
They have not developed the type of management experience, political finesse or personal gravitas that they would require to be truly successful, now that the spotlight is firmly on them from the top of the firm.
Many genuinely think that chronic under-investment in cybersecurity is the root cause of insufficient maturity levels, while it is in fact chronic execution failure linked to endemic business short-termism that is at the heart of the matter: projects deprioritised as soon as “quick wins” are delivered or boxes checked on compliance reports, changes in direction as soon as a new executive joins or leaves, initiatives put on hold at the first sight of market turbulence. All point to governance and cultural aspects that are the real root causes of the long-term stagnation of cybersecurity maturity levels in large firms.
For the CISOs who have not integrated those cultural aspects and are almost always left out of those decisions, it breeds frustration; frustration breeds short tenures (in the region of two to three years for many); short tenures aggravate the management and leadership mismatch: You cannot deliver much genuine transformative impact in large firms on those timeframes.
For top executives, the CISO “merry-go-round” also builds frustration: They have seen too many coming in with grandiose plans asking for millions before resigning after a few years, leaving everything half done.
The first 100 days: Where trust is won or lost
Quite a lot of that disconnect is effectively built up in the first 100 days of the CISO.
Many CISOs come into a new job with pre-conceived views, sometimes created at interview time: Things that have worked elsewhere, pet subjects, vendors or consultants.
Many also feel that they have to prove themselves as specialists in their first 100 days. That’s a mistake. Competence is assumed in the first 100 days (you’ve just been hired). The challenges lie elsewhere.
The first 100 days are about proving your ability to fit into the organisational structure of the firm and act as a leader.
That starts by listening, in my view: Listening to stakeholders and sponsors, understanding their expectations, their pain points, what has worked in the past, what hasn’t and why, what happened with your predecessor… Sometimes “what can I do to help you?” is simply the best question to ask…
This process should initiate a journey of co-construction of the cybersecurity narrative, and beyond that, of the firm’s cybersecurity strategy.
If objectives are shared with stakeholders and sponsors, friction is reduced; over time, business champions emerge who relay the cybersecurity narrative, not because it’s the CISO’s but because it’s theirs.
The process should also embed the CISO in the governance and leadership dynamics of the firm.
By listening truly, identifying and following the cultural currents across the firm, the allegiances, the informal networks of trust where real decision-making happens, the CISO becomes a trusted player for business leaders.
At that point, budgetary discussions become two-way discussions between trusted partners, not adversarial situations where one party has to win over the other.
Conversely, CISOs who approach their first 100 days looking to prove themselves tactically run the risk of ending up trapped in operational firefighting: This is a situation from which very few escape. They may be seen as a safe pair of hands in the end, but that’s unlikely to get them accepted at the strategy table.
This is the type of situation where a CSO role becomes a necessity, as I advocated in “Is the CISO role broken,” to orchestrate business protection at the corporate level and ensure all regulatory obligations are met.
But it is not inevitable.
Ultimately, the future of cybersecurity leadership will belong to those CISOs who recognize that building influence and trust has to precede action and investment.
Boards no longer need to be convinced that cyber risk matters — they need confident, culturally attuned leaders who can navigate complex corporate dynamics, build trust with all stakeholders and orchestrate delivery across silos.
The first 100 days set the tone: Not through technical demonstrations or budgetary battles, but through listening, aligning and co-creating a narrative that business leaders feel ownership over.
In doing so, CISOs move from pleading for resources to shaping strategy as true executives — not firefighters on the sidelines, but architects of resilience at the heart of the enterprise.
This article is published as part of the Foundry Expert Contributor Network.