To get funding, CISOs are mastering the language of money

In this Help Net Security interview, Chris Wheeler, CISO at Resilience, talks about how CISOs are managing changing cybersecurity budgets. While overall spending is up, many say the increases don’t match their most pressing needs. Wheeler explains how organizations are reallocating funds, measuring ROI, and linking cybersecurity plans to business goals.

Many CISOs say cybersecurity budgets are rising overall, but not necessarily where they are most needed. From your experience, where are budgets increasing, and where are they stagnating or shrinking? Can you give a real-world example of how you have had to rebalance funding priorities?

Cybersecurity budgets may be increasing in size, but the total growth from year to year is slowing down. Much of that is industry-dependent. For instance, we are seeing 5% growth year over year in tech and insurance organizations’ cybersecurity budgets, but more financially uncertain industries like healthcare, professional services, and retail are seeing less growth, or even declines.

A lot of this has to do with the state of cybersecurity education. Organizations are generally more resilient and well-educated on the threat landscape, as well as the potential ROI of cyber initiatives they invest in. For that reason, we actually see a lot of money going to CTO and CFO budgets specifically, especially with the rise of AI.

Third-party risk management is an area where organizations have had to rightsize spend. Despite years of investment in tools and analysts to examine compliance documentation, we continue to see mounting losses caused by third-party service providers. I see clients questioning the ROI of compliance-only assessments, and many are reducing spend. Some are consolidating third-party service providers, and others are simply accepting the risks of third-party integrations.

Unlike revenue-driving departments, cybersecurity investments often do not have a straightforward ROI. How do you frame ROI or value creation when presenting to the board? Could you walk me through an example of how you successfully justified a major investment, such as in zero trust, threat intelligence, or AI tools?

You have to present a business case to the board to show your cybersecurity plan’s ROI. That can only happen if CISOs quantify their risk in financial terms. Our approach hinges on value at risk, presented through a tool called a loss exceedance curve. This allows CISOs to show their boards the likely and worst-case scenarios that their security investments are reducing. The model accounts for direct financial losses, business interruptions, and other perils, all grounded in real-world losses.

I recently justified a major investment in a key technology for zero trust and AI risk management by showing the amount of risk the solution would buy down over 3 years.

How do you tie your cybersecurity budget to broader business objectives such as digital transformation, mergers and acquisitions, or expansion into new markets? Can you share an example of when this alignment helped you secure funding that might otherwise have been denied?

CISOs need to understand their board’s priorities before organizing their budget. That means coordinating consistent touchpoints with them throughout the year to best understand their needs.

Good relationships with board members may give insight into opportunistic funding outside of the annual budget cycle, allowing you to posture funding requests with the board. For example, if your company were to be eyeing an M&A deal, planning for labor costs, such as consultants for systems integration or re-hiring/backfilling due to personnel churn, is paramount. Additionally, eyeing capabilities such as auditing and validation tools will allow quicker integration and quickly identify and fix any risks that were not discovered in diligence.

Looking at your 2026 roadmap, what areas are commanding new slices of the budget pie, such as AI security, identity, or third-party risk? Why are these priorities, and how are you measuring whether those investments are paying off?

AI and post-quantum security are two major areas I see necessitating more investment. Luckily, there is some overlap with existing capabilities and procedures, such as testing routines, data governance, asset and inventory management, and security guardrails. However, both these initiatives have some underserved business problems requiring bespoke solutions and new spending, such as cryptographic inventory and LLM security detection and response.

An aspirational approach for CISOs is to allocate 10% or more of their budget to emerging risk over a 3-5 year horizon. However, the average CISO has a 3% discretionary budget, and even in large organizations, a majority feel understaffed and under-resourced. As much as I’d like to say there’s an off-the-shelf model for this risk, I don’t think there is. So I’d default to applying some of these principles: conduct risk interviews with your executive team to reduce uncertainty about your own value at risk, use tools such as the loss exceedance curve to demonstrate both your estimates and uncertainty to your board, and prioritize your most impactful initiatives.
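As an added example, not code from the interview or from Resilience, the quantification Wheeler describes in the ROI answer and again above: a Monte Carlo loss exceedance curve (probability that annual loss exceeds each threshold), the 1-in-20-year "worst case", and the three-year risk buy-down from a control net of its cost. The loss model (Poisson event frequency, lognormal event severity), the control's effect and its annual cost are constructed assumptions.

```python
import math
import random
from dataclasses import dataclass
@dataclass(frozen=True)
class LossModel:
    # Hypothetical loss model; parameters are constructed for this example.
    events_per_year: float  # Poisson rate of loss events
    median_loss: float      # median single-event loss, USD
    sigma: float            # lognormal dispersion of single-event loss

def simulate_annual_losses(model: LossModel, trials: int, seed: int = 7) -> list[float]:
    """One simulated total annual loss per trial (compound Poisson-lognormal)."""
    rng = random.Random(seed)
    mu, cutoff = math.log(model.median_loss), math.exp(-model.events_per_year)
    losses = []
    for _ in range(trials):
        count, p = 0, rng.random()  # Knuth's Poisson sampler: number of events this year
        while p > cutoff:
            count += 1
            p *= rng.random()
        losses.append(sum(rng.lognormvariate(mu, model.sigma) for _ in range(count)))
    return losses

def exceedance_curve(losses: list[float], thresholds: list[float]) -> list[tuple[float, float]]:
    """Points of the LEC: P(annual loss > t) for each threshold t."""
    return [(t, sum(1 for x in losses if x > t) / len(losses)) for t in thresholds]

def loss_exceeded_with_probability(losses: list[float], prob: float) -> float:
    """Loss level exceeded in a fraction `prob` of years (0.05 = the 1-in-20-year loss)."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int((1 - prob) * len(ordered)))]

def expected_annual_loss(losses: list[float]) -> float:
    return sum(losses) / len(losses)

def risk_buy_down(baseline: list[float], controlled: list[float], years: int, annual_cost: float) -> float:
    """Expected loss avoided over `years`, net of the control's cost over the same period."""
    avoided = (expected_annual_loss(baseline) - expected_annual_loss(controlled)) * years
    return avoided - annual_cost * years

# Constructed scenario: a control that halves event frequency and costs 100k per year.
BASELINE = LossModel(events_per_year=2.0, median_loss=250_000, sigma=1.0)
CONTROLLED = LossModel(events_per_year=1.0, median_loss=250_000, sigma=1.0)
THRESHOLDS = [0, 250_000, 500_000, 1_000_000, 2_500_000, 5_000_000]
if __name__ == "__main__":
    base, ctrl = simulate_annual_losses(BASELINE, 20_000), simulate_annual_losses(CONTROLLED, 20_000)
    for (t, pb), (_, pc) in zip(exceedance_curve(base, THRESHOLDS), exceedance_curve(ctrl, THRESHOLDS)):
        print(f"P(loss > {t:>9,}): baseline {pb:.3f}  with control {pc:.3f}")
    print(f"1-in-20-year loss, baseline: {loss_exceeded_with_probability(base, 0.05):,.0f}")
    print(f"3-year risk buy-down net of cost: {risk_buy_down(base, ctrl, 3, 100_000):,.0f}")
```

The two curves plotted together are the board view: the gap between them at each threshold is the risk the investment buys down, and the net figure is what the board weighs against the control's cost.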
