Budgeting for Cybersecurity Requires a New Approach

It’s time for CFOs to dump the traditional line-item method to setting cybersecurity spending.
Vincent RyanSeptember 7, 2021

When a country sends its army to war, it does so based on a plan to win, not on fitting a predetermined budget.

But when it comes to the virtual cybersecurity battlefield, CFOs too often take the opposite approach, leaving their companies unnecessarily exposed. Their spending on cyber defense is shoehorned into a rigid budget plan rather than guided by a genuine assessment of security needs.

Cybersecurity spending needs to be treated differently because of the excessive damage that a successful attack can inflict. A million dollars saved now can easily cost $25 million later when a ransomware attack breaks through a company’s defenses or a phishing attempt results in a leak of sensitive customer data. Even if a company has cyber insurance to mitigate the direct financial costs, a successful attack can still lead to major reputational damage, lost customers, and hefty legal fees.

CFO Insights on Inflation, Workforce Challenges, and Future Plans 

CFO Insights on Inflation, Workforce Challenges, and Future Plans 

Download our 2022 survey report for a high-level view of finance team projections and strategies, directly from our executive readers.

That is hardly a theoretical risk. Cyberattacks are surging in the wake of the pandemic, and the work-from-home phenomenon has created more vulnerabilities. The FBI’s Internet Crime Complaint Center received nearly 800,000 cybercrime complaints in 2020, with reported losses exceeding $4.1 billion, up from $3.5 billion in 2019. This year there has been no let-up. The August 2021 breach of 50 million T-Mobile customers’ data by a 21-year-old hacker shows that even large, sophisticated companies aren’t immune.

Recipe for Failure

In this environment, managing cybersecurity to a budget is a recipe for failure. Just because cybersecurity spend was $1 million last year doesn’t mean it should be 5% higher this year in line with the traditional budget approval process.

The right approach for company leadership is to put budget considerations aside and first evaluate what’s needed to protect against cybersecurity threats. The starting point should be assessing risk, not establishing a dollar-spending figure. Of course, all companies have limits on how much they can allocate to cyber defense. Still, the risk-first approach allows a company to consciously decide which threats are acceptable versus leaving the company open to potentially crippling attacks.

Three Key Areas

There are three key areas where executives should be evaluating risks and the budget needed to cover them: people, technology, and processes.


Having the right personnel is perhaps the most crucial element of cyber defense. There’s a tendency for executives to assume that they don’t need to invest as much in people because they have cybersecurity tech products. But the tech is only as good as the people who configure and monitor it and know how to respond to threats as they occur. Protective processes, such as ensuring access for departing employees is eliminated or new servers are secured, need a strong team to carry them out. Companies need to have the right mix of strategic cybersecurity leaders and engineers and supplement that team with third-party consultants as necessary.


The hundreds of cybersecurity tech solutions on the market represent both a blessing and a curse. They give companies great options for protection and monitoring, but they also raise the risk of overspending and creating unnecessary overlap among products. The solution is for the CFO and IT leaders to whiteboard the tools needed to address critical risks and budget accordingly, rather than being tempted by sales pitches. The goal should be to create a dashboard that brings vital information from the tools together and enables leaders to monitor critical threats and processes in real-time.


A cybersecurity budget should account for the processes needed to secure systems properly. Both IT specialists and non-IT staff need to know what procedures to follow in terms of everyday cyber hygiene and in the event of an urgent incident. A budget needs to be set to ensure that solid processes are in place for activities such as backing up data and securing laptops, as well as dealing with a compromised password or an accidental data leak.

Once the risk outlook has been thoroughly evaluated, companies can start to put together the right-size budget to address potential threats and put themselves in a strong position to win the cyberwar.

Raj Patel is a partner at Plante Moran. He leads the cybersecurity practice.