The Budget Request You Can't Evaluate
Your security lead asks for $150,000 for "security improvements." The proposal mentions SIEM tools, penetration testing, and compliance frameworks. You have no idea if this is reasonable, necessary, or a complete waste of money.
Security spending is uniquely difficult for CFOs. Unlike marketing (measurable CAC/LTV) or engineering (velocity, features shipped), security success is often invisible—nothing bad happening. But the downside of under-investment is catastrophic.
This guide helps CFOs evaluate security budgets without becoming security experts. You'll learn what questions to ask, how to benchmark spending, and how to tie security investments to business outcomes.
Understanding Security Spending Categories
Security budgets typically fall into four categories. Understanding these helps you evaluate whether requests are balanced and appropriate.
Ask your security lead: "What percentage of this budget is prevention vs. detection vs. response?" If it's 90% prevention, you might be under-investing in finding problems that slip through—which they will.
Benchmarking: Is Your Spending Reasonable?
By Company Size
By Industry
Some industries require more security investment due to regulatory requirements or target attractiveness:
- FinTech/Financial Services — 8-12% of IT budget (PCI, SOX, heavy regulatory)
- HealthTech — 7-10% (HIPAA requirements, PHI sensitivity)
- Enterprise SaaS — 6-8% (customer security requirements, SOC 2)
- Consumer Tech — 5-7% (reputational risk, user data volume)
- Internal Tools/B2B — 4-6% (lower regulatory pressure)
These are benchmarks, not targets. A company handling sensitive health data needs more security than a B2B tool with minimal data. Context matters more than percentages.
The Questions to Ask About Every Security Request
1. What Problem Does This Solve?
Every security investment should address a specific risk. "Because best practices" isn't an answer. Push for specifics:
- What attack or failure does this prevent?
- How likely is that attack without this investment?
- What's the potential impact if it happens?
- Why is this risk more important than others we're not addressing?
2. What's the Alternative?
For any significant investment, alternatives should have been considered and documented:
- What's the cheaper option? What do we give up?
- What's the more expensive option? What extra do we get?
- What happens if we do nothing for 6 months?
- Is there a phased approach?
3. How Does This Enable Revenue?
Security spending can be tied to revenue in several ways:
- Sales Enablement — "SOC 2 unlocks $X pipeline currently blocked on security requirements"
- Contract Requirements — "Customer Y requires this control to renew their $X contract"
- Market Access — "Healthcare market requires HIPAA compliance for entry"
- Risk Reduction — "Reduces probability of breach that would cost $X"
Ask: "If I give you this budget, what specific business outcome can you promise?" The security team can't promise zero breaches, but it can promise "SOC 2 certification by Q2" or "reduction of critical vulnerabilities from 40 to under 5."
Security ROI: Making the Math Work
The Basic Formula
Risk Reduction = (Probability Before × Impact) - (Probability After × Impact)
ROI = (Risk Reduction - Investment Cost) / Investment Cost
Example: SOC 2 Investment
Example: Breach Prevention Investment
Not every security investment has positive ROI. Some are table stakes (you can't operate without them). Some are insurance (low probability, high impact). Require ROI calculations but accept that some investments are justified by downside protection, not upside return.
Red Flags in Security Budget Requests
Concerning Signs
- No prioritization ("we need all of this")
- No alternatives considered
- Vague risk descriptions
- Everything is "critical"
- No connection to business outcomes
- Big bang requests (all at once)
Positive Signs
- Prioritized list with rationale
- Trade-off analysis included
- Specific risks identified
- Clear P1/P2/P3 classification
- Revenue or risk reduction tied in
- Phased approach proposed
Building a Security Budget Process
Step 1: Annual Risk Assessment
The security lead presents the top 10 risks, each with its probability, impact, and current mitigation status. This list becomes the basis for budget discussions.
Step 2: Investment Proposals
Each significant request includes: problem addressed, alternatives considered, expected outcome, success metrics, and ROI calculation.
Step 3: Prioritization Session
CFO and security lead review proposals together. Rank by business impact. Make trade-offs explicit.
Step 4: Quarterly Reviews
Review spending vs. budget, progress on initiatives, changes in risk landscape. Adjust as needed.
What to Fund First (If Budget Is Limited)
If you can only fund some security initiatives, prioritize in this order:
- Revenue-Blocking Compliance — SOC 2 or certifications blocking active deals
- Contract Requirements — Security controls required by existing customers
- Critical Vulnerabilities — Known, exploitable weaknesses in production
- Basic Detection — Ability to know if you've been breached
- Incident Response — Plan and capability to respond if something happens
- Advanced Prevention — Sophisticated tools to stop attacks
At minimum, you need: endpoint protection, MFA on all accounts, encrypted data, backup capability, and an incident response plan. Everything else is building on this foundation. If you don't have these basics, start here.
Security Spending Mistakes CFOs Make
Mistake 1: Zero Until Something Happens
Waiting for a breach to fund security is like buying fire insurance after your house burns down. The cost of remediation after an incident vastly exceeds the cost of prevention. Budget consistently.
Mistake 2: Funding Tools Without Process
A $50K security tool with no one trained to use it is waste. Ensure budget includes implementation, training, and ongoing operation—not just licenses.
Mistake 3: No Security in M&A Due Diligence
Acquiring a company with poor security means inheriting its risk. Budget for security due diligence before acquisitions and for remediation after. Security issues discovered post-close are expensive surprises.
Mistake 4: Treating Compliance as Security
SOC 2 and HIPAA are important but not sufficient. Compliance is a point-in-time assessment; security is continuous. Budget for ongoing security operations, not just annual audits.
Next Steps
Security budgeting doesn't require you to become a security expert. It requires the same rigor you apply to other investments: clear problem definition, alternatives analysis, expected outcomes, and measurable success criteria.
Start by asking your security lead for a prioritized risk assessment. Understand the top 5 risks facing your company and what it would cost to address each. That's your foundation for rational security budgeting.
Building your security budget? vCISO Lite helps companies track security investments against risk reduction, providing the metrics and reporting CFOs need to evaluate security spending—without hiring a full-time CISO.