{"id":167,"date":"2025-11-28T17:30:00","date_gmt":"2025-11-28T17:30:00","guid":{"rendered":"https:\/\/baecke.io\/?p=167"},"modified":"2025-11-28T17:30:00","modified_gmt":"2025-11-28T17:30:00","slug":"security-spending-optimisation-ten-million-opportunity","status":"publish","type":"post","link":"https:\/\/baecke.io\/?p=167","title":{"rendered":"Security Spending Optimisation: Where the $10M Opportunity Hides in Plain Sight"},"content":{"rendered":"<h2>The Security Budget That Is Wrong in Both Directions<\/h2>\n<p>The security budget conversation usually follows one of two patterns. Either the CISO is arguing for more investment to address the expanding threat landscape and the growing regulatory requirements, or the CFO is arguing that security spending is growing faster than the business and needs to be constrained. Both arguments may be correct simultaneously, which is what makes the security budget conversation so persistently unresolved.<\/p>\n<p>The reason both arguments can be correct simultaneously is that security budgets are almost universally misallocated. Too much is spent on low-value controls that have been maintained through inertia rather than re-evaluated against the current threat model. Too little is spent on high-impact capabilities that would provide disproportionate risk reduction at their marginal cost. The aggregate spend is often appropriate; the allocation within the aggregate is not.<\/p>\n<p>The optimisation opportunity that results from this misallocation exists in almost every large enterprise security budget. 
Finding it requires a structured analysis that most CISOs do not apply systematically, not because they lack the methodology but because the security budget process is typically structured around annual renewal and incremental adjustment rather than fundamental allocation reassessment.<\/p>\n<h2>The Investment Effectiveness Assessment<\/h2>\n<p>The first step in the optimisation analysis is an investment effectiveness assessment: for each significant security investment, what is the risk reduction it provides, and is that risk reduction proportionate to its cost?<\/p>\n<p>The risk reduction measurement is the step that is most commonly absent. Security investments are typically evaluated at procurement on the basis of the threat scenario they address and the capabilities they provide. After procurement, they are renewed on the basis that they exist and are providing some value, without systematic re-evaluation of whether the risk reduction they provide is proportionate to their cost and whether that risk reduction is still the most important gap in the security programme.<\/p>\n<p>The investment effectiveness assessment requires each significant security tool or control to be mapped to the specific risks it addresses, with an estimate of the probability reduction or impact reduction it provides. This mapping immediately reveals two categories of investment that are candidates for reallocation.<\/p>\n<p>The first category is investments that address risks that are no longer in the top tier of the threat model. The DLP tool that was justified by a compliance requirement that has since been addressed differently. The legacy perimeter security control that addresses a threat model from an architecture that has been replaced by a cloud-first environment. The security awareness training programme that was designed for a threat landscape that has evolved significantly. 
These investments may have provided value at the time they were implemented; the question is whether they provide proportionate value against the current threat model.<\/p>\n<p>The second category is investments whose coverage overlaps significantly with other investments in the portfolio. The endpoint detection tool and the XDR platform with overlapping endpoint visibility. The vulnerability scanner and the CSPM platform with overlapping cloud configuration assessment. The cloud access security broker and the SSPM with overlapping SaaS application security monitoring. Consolidation opportunities that reduce total spend while maintaining or improving coverage are the most consistent finding in enterprise security portfolio assessments.<\/p>\n<h2>The Capability Gap Analysis<\/h2>\n<p>The capability gap analysis is the complement to the investment effectiveness assessment: for the current threat model, what capabilities would provide the highest risk reduction that the organisation does not currently have or does not have at the required maturity level?<\/p>\n<p>The capability gap analysis requires the same threat model mapping as the investment effectiveness assessment, but applies it to the portfolio of possible investments rather than the existing portfolio. The result is a ranked list of capability investments by expected risk reduction per unit of investment cost.<\/p>\n<p>The capability gaps that consistently appear in enterprise security portfolios assessed against 2025 threat models include:<\/p>\n<p>Identity threat detection and response capability that extends beyond traditional IAM monitoring to detect the lateral movement and credential abuse patterns that characterise modern enterprise attacks. 
This capability gap is particularly common in organisations whose identity security investments were designed for on-premises Active Directory environments and have not kept pace with the hybrid and cloud identity landscape.<\/p>\n<p>AI-specific security controls for the AI systems and AI-assisted development workflows that have been deployed at scale without corresponding security tooling. The detection of model manipulation, training data poisoning, and prompt injection attacks requires security controls that most enterprise security programmes have not yet incorporated.<\/p>\n<p>Operational technology and IoT security visibility in organisations whose operational technology environments have become networked in ways that connect them to the enterprise IT estate without the corresponding security monitoring that the connection requires.<\/p>\n<p>Third-party access monitoring and control capability that provides visibility into what third-party users and systems are doing within the enterprise environment. As supply chain attacks have become more prevalent, the gap between the organisation&#8217;s perimeter controls and the actual boundary of trust has grown.<\/p>\n<h2>The Budget Reallocation Model<\/h2>\n<p>The optimisation analysis produces two lists: the investments that are candidates for reduction or elimination, and the capability gaps that are candidates for investment. The budget reallocation model converts these two lists into a net investment proposal.<\/p>\n<p>The reallocation model that is most effective in the CFO conversation is the one that demonstrates budget neutrality or budget reduction alongside capability improvement. If the consolidation of overlapping tools and the elimination of low-value controls frees more budget than the highest-priority capability gaps require, the CISO can demonstrate that the security programme is allocating its budget more effectively without requiring incremental investment. 
The narrative is not &#8220;I need more money&#8221; but &#8220;I have found a way to improve the security posture within the current budget by reallocating from lower-value to higher-value investments.&#8221;<\/p>\n<p>This narrative is more effective in the CFO conversation because it demonstrates the financial discipline that technology investment conversations typically lack. The CISO who can demonstrate that they have assessed the existing portfolio&#8217;s investment effectiveness and found reallocation opportunities is credible in a way that the CISO who always comes to the CFO with a request for additional budget is not.<\/p>\n<h2>The Board Conversation This Enables<\/h2>\n<p>The security spending optimisation framework enables a board conversation that changes the nature of the security governance relationship.<\/p>\n<p>The board that has received a security spending optimisation analysis understands the security programme&#8217;s allocation rationale rather than just its total cost. It can evaluate whether the investment priorities make sense against the threat model the organisation faces. It can exercise governance over the reallocation decisions rather than simply approving the total security budget.<\/p>\n<p>The CISO who can run this conversation with the board is operating as a risk management executive rather than a technology specialist. The board engagement they achieve is substantive rather than nominal.<\/p>\n<p>That is the security governance quality that the optimisation investment enables.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Most enterprise security programmes are simultaneously overspending on low-value controls and underspending on high-impact capabilities. The optimisation opportunity exists in almost every large enterprise security budget. 
This is the framework for finding it.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-167","post","type-post","status-publish","format-standard","hentry","category-business-value"],"_links":{"self":[{"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/posts\/167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/baecke.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=167"}],"version-history":[{"count":0,"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/posts\/167\/revisions"}],"wp:attachment":[{"href":"https:\/\/baecke.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/baecke.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/baecke.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}