How to Craft a Cybersecurity Budget Your CFO Can Understand in 3 Steps

This blog post is an extract of last week's Venation newsletter.

This is our system for crafting, visualizing and pitching a cybersecurity budget everyone will understand and support.

Three seemingly simple steps that aren't so simple.

If you want more content; join the newsletter here: https://venation.digital/newsletter

We're exploring systems that help decision-makers make smarter decisions about digital risk management; from the role of financial budgeting, to tactically modeling cyber threats into visualizations.

Now, let's get into the content.


Step 1: Building your budget with strategic alignment

First off, when we refer to the CFO, we mean any financial stakeholder; fractional, in-house, or otherwise.

Second, rather than focusing solely on technology-driven solutions, make sure to align your cybersecurity budget with people and process improvements that enhance operational resilience.

Third, craft your budget with a clear focus on business outcomes. This is usually the bottom-line your CFO is laser-focused on.

The best way forward is explicitly addressing root causes, rather than tackling symptoms.

Too often, we find ourselves solving surface-level issues because the root causes seem difficult or uncomfortable to address.

To get to the bottom of the metaphorical bottom-line, our friends from Blog on Security created the following mental model:

Oh, did you notice their usage of threat scenarios?

Jokes aside, here are the key questions we believe you should answer:

  1. What are the risks we’re addressing? Focus on key risks your company faces, like emerging cyber threats or compliance requirements. Talk about them in executive stakeholder language, avoiding cybersecurity nuts and bolts.
  2. How do the business impacts of these risks compare to our capabilities? CFOs care about the bottom line. Highlight how mitigating these risks supports business growth and stability, and tie back to company-relevant compliance requirements wherever possible.
  3. What security capabilities are required? Define the security measures needed to address these risks. Demonstrate forms of ROI, for example how the capability protects or supports growth of EBITDA.

Let's investigate further.


Identifying key risks and strategic priorities

To begin crafting your cybersecurity budget, start by identifying the risks your organization faces and aligning them with your company’s strategic goals.

Your CFO needs to understand why these risks matter.

At Venation, we always leverage a scenario-based model to articulate threats and how they determine or influence risk.

Instead of framing risks as purely technical, emphasize how poor processes or lack of operational maturity contribute to these threats.

Focus on the inefficiencies that could exacerbate security vulnerabilities, or explain how improving internal processes will mitigate risk XYZ, contributing directly to business growth.

The message is that the business faces a growing threat that should be addressed directly.

It should be treated as a business issue: a compromise will damage trust in the brand and customer relationships if left unaddressed.

By framing risks in terms of their potential business impact, you ensure that your budget request is seen as crucial for the company’s future success.

Sounds easy, but why isn't everyone doing it?

Here's another pro tip:

We encourage you to stay away from fear, uncertainty, and doubt (FUD).

This has been a long-time go-to strategy for cybersecurity professionals, but we strongly believe modern decision-makers (especially financial stakeholders) see through this play.

Again, it might seem like you're asking for more resources, but you're not.

You’re demonstrating how these investments protect the company from real, measurable dangers.

Explicit vs implicit decision-making.

This is extremely relevant in today's current economic climate.


Defining security capabilities based on risk response

Once risks are identified, the next step is to align security capabilities with those risks.

The CFO needs to know:

“What’s the most effective response to this risk?”

Make it clear that each proposed capability directly addresses a specific threat.

Use simple language and tie every capability back to reducing risk.

There are two areas to consider:

  1. Psychological anchoring: By anchoring the discussion in specific solutions that solve concrete problems, you can appeal to your CFO's need for clarity and actionability. Again, make sure to tailor this to the person you are working with.
  2. Solution technology: We already mentioned this and we'll do it again. Technology plays a role in solving concrete problems, but it often adds complexity to existing people and processes. For a more sustainable, long-term impact, you might be better off focusing on non-technical solutions that improve operational efficiency and resilience.


Differentiate between mandatory and discretionary spend

When building your budget, it's crucial to divide investments into two categories: mandatory (needs) & discretionary (wants).

This is often a huge point of discussion, but it can be settled rather quickly using a simple method: transparency.

CFOs appreciate transparency.

They want to know which parts of the budget are absolutely necessary and which ones are value-adds but not urgent.

Mandatory expenses are often compliance-driven, while discretionary spending may improve operational efficiency or future-proof your security posture.

We've learned another great application of a similar mental model from our friends over at Blog on Security :

  • Imperative priority: It is mission-critical to do this.
  • Strategic priority: Without it, the security team cannot service prospects in support of the company's growth plans.
  • Maturity ambition: It does not support the company's growth ambitions directly, but without it the security team cannot improve one or more capabilities.

Most of the time, your CFO is the economic buyer.

Using a clear distinction helps the economic buyer feel in control of the decision-making process.

To be clear, a CFO already knows that she or he is in control; the distinction simply removes ambiguity, so that everyone knows exactly where the investment is going.

Let's explore further how you build visualizations for this.



Step 2: Visualizing Your Cybersecurity Budget

Once you’ve built your budget, visualization is the next step.

CFOs respond well to data, but the presentation is key.

We recommend coming up with a good example yourself, scheduling iterative feedback loops to tune this example to the decision-making needs of the CFO.

Here's a few tips to visualize your cybersecurity budget effectively:

  • Highlight the delta between this year's budget and the previous year. CFOs need to see where the increases come from and why.
  • Divide your budget into mandatory and discretionary spending, so it’s clear which investments are essential.
  • Focus on what addresses root causes, not just symptoms; tackling systemic issues reduces the need for continuous firefighting, allowing for a more cost-effective and sustainable execution.
  • Use visuals to emphasize your points: Charts, graphs, and clear breakdowns help make complex cybersecurity concepts more digestible.

Remember, simplicity is power when communicating with financial stakeholders.

Showing the delta

CFOs think in terms of year-on-year growth.

To help them understand your budget, present the difference between last year’s budget and your current request.

Focus on areas where the spend has increased and why.

Use simple visuals to show the breakdown, making it easy for the CFO to see where the additional funding will go.

Visualization adds to the sense of control and foresight

Two key elements every financial stakeholder needs, but does not always receive.


Visualizing mandatory and discretionary spending

We already talked about this earlier.

When presenting the budget, use clear, compelling visuals to break it down into mandatory and discretionary spending.

CFOs are more likely to approve budgets when they can see exactly where their money is going.

This is just one example of how a visual helps build trust and transparency; they can quickly identify which part of the investment is critical and which can be scaled back if needed.

Reusing the above graph doesn't work, but integrating the logic in your own visualization will.

Again, tailor to your stakeholders; rinse & repeat.
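To make the two sections above concrete (the year-on-year delta and the mandatory/discretionary split), here is an added example that is not part of the original post. It models each budget line with the category and the priority tier described earlier, computes the delta per line and per category, and renders a plain-text breakdown you can paste into a slide or hand to whoever builds the real chart. The line items, amounts and the `units` field (used for the unit-cost-of-control figure) are constructed for illustration.

```python
"""Added example (not from the original post): a dependency-free model of a
cybersecurity budget that tracks mandatory vs discretionary spend, priority
tier, and the year-on-year delta per line and per category.  All line items
and amounts below are constructed for illustration."""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional

MANDATORY = "mandatory"
DISCRETIONARY = "discretionary"
PRIORITIES = ("imperative", "strategic", "maturity")  # tiers from the post


@dataclass(frozen=True)
class BudgetLine:
    name: str
    category: str      # MANDATORY or DISCRETIONARY
    priority: str      # one of PRIORITIES
    prior: float       # last year's spend
    proposed: float    # this year's request
    units: int = 0     # optional: assets the control covers (for unit cost)

    def __post_init__(self):
        if self.category not in (MANDATORY, DISCRETIONARY):
            raise ValueError(f"unknown category: {self.category}")
        if self.priority not in PRIORITIES:
            raise ValueError(f"unknown priority: {self.priority}")

    @property
    def delta(self) -> float:
        return self.proposed - self.prior

    def unit_cost(self, year: str = "proposed") -> Optional[float]:
        """Cost per covered unit; None when the line has no unit count."""
        if self.units <= 0:
            return None
        return (self.proposed if year == "proposed" else self.prior) / self.units


# Constructed sample budget (hypothetical line items, amounts in EUR).
SAMPLE = [
    BudgetLine("SOC 2 audit & evidence collection", MANDATORY, "imperative", 60_000, 65_000),
    BudgetLine("Endpoint protection licences", MANDATORY, "imperative", 80_000, 90_000, units=900),
    BudgetLine("Security awareness programme", MANDATORY, "strategic", 20_000, 20_000),
    BudgetLine("Incident response retainer", DISCRETIONARY, "strategic", 0, 40_000),
    BudgetLine("Detection engineering tooling", DISCRETIONARY, "maturity", 30_000, 45_000),
]


def summarize(lines):
    """Prior/proposed totals and delta per category, plus the overall delta."""
    out = OrderedDict((c, {"prior": 0.0, "proposed": 0.0, "delta": 0.0})
                      for c in (MANDATORY, DISCRETIONARY))
    for ln in lines:
        bucket = out[ln.category]
        bucket["prior"] += ln.prior
        bucket["proposed"] += ln.proposed
        bucket["delta"] += ln.delta
    total_delta = sum(b["delta"] for b in out.values())
    return out, total_delta


def by_priority(lines):
    """Proposed spend grouped by priority tier, in the post's order."""
    return {p: sum(ln.proposed for ln in lines if ln.priority == p) for p in PRIORITIES}


def render(lines, width=30):
    """Plain-text bar chart of the delta per line, grouped by category."""
    biggest = max(abs(ln.delta) for ln in lines) or 1.0
    rows = []
    for cat in (MANDATORY, DISCRETIONARY):
        rows.append(f"== {cat} ==")
        for ln in lines:
            if ln.category != cat:
                continue
            bar = "#" * round(abs(ln.delta) / biggest * width)
            sign = "+" if ln.delta >= 0 else "-"
            rows.append(f"{ln.name:<36} {ln.prior:>9,.0f} -> {ln.proposed:>9,.0f}"
                        f"  {sign}{abs(ln.delta):>8,.0f} {bar}")
    summary, total = summarize(lines)
    for cat, b in summary.items():
        rows.append(f"{cat:<36} {b['prior']:>9,.0f} -> {b['proposed']:>9,.0f}  {b['delta']:+10,.0f}")
    rows.append(f"{'total delta':<36} {total:+10,.0f}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(SAMPLE))
    print("proposed spend by priority:", by_priority(SAMPLE))
    ep = SAMPLE[1]
    print(f"endpoint protection: {ep.unit_cost('prior'):.2f} -> {ep.unit_cost():.2f} per endpoint")
```

The design choice worth noting: the category and priority are validated at construction time, so a line that nobody has classified cannot silently land in the chart; forcing that classification up front is the transparency the post asks for. The `unit_cost` helper gives you the "cost per covered asset" figure for a control whose licence count is known, which is one way to show efficiency gains even where a financial ROI cannot be stated.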


Illustrate strategic impact using ROI

Finally we get to the Return On Investment (ROI) part.

In fact, we probably should have started with it, because this is one of the hardest parts of cybersecurity budgeting.

CFOs want to see the return on their investment, both in terms of reduced risk and potential cost savings.

The bottom-line.

However, with cybersecurity, this has proven to be difficult because sometimes you just can't definitively say it.

Case in point: reducing a risk is not a tangible, immediate return.

There's two things we believe you should consider:

  1. Prepare for ambiguity: In cybersecurity, not all outcomes are easily quantifiable. You won't be able to definitively say, "this investment saves us X euros." However, human psychology demands clarity in decision-making. Just like you want to understand improved battery life before purchasing a new phone, your CFO needs some level of certainty about the benefit of the investment. Prepare an answer that addresses this ambiguity. One successful approach is addressing root causes, because they not only reduce risk but also unlock operational efficiencies that contribute to the company's bottom line.
  2. Use visuals: Create clear and compelling visualizations that demonstrate the strategic impact of your cybersecurity investments. The visual can help you guide the reader through the ambiguity. See the example below; visuals like this demonstrate the value of your cybersecurity investments, making it easier for the CFO to connect the dots between spend and business success. We will never be able to produce charts like this with full precision, due to item #1, but you get the idea.

The key takeaway here is that even if the exact value can’t always be shown, the CFO needs to see evidence of improved resilience and risk reduction.

Preferably a visual, anchored in positive outcomes, gives the CFO a level of confidence that the investment is worth the cost.


Step 3: Pitching Your Cybersecurity Budget

Finally, it’s time to pitch your budget.

Here’s a curated framework that helps deliver a successful pitch:

  1. Introduction: Start with a high-level overview of the risks tracked, why these risks are growing, and how your proposed budget will address them. If applicable, use narratives (e.g. threat scenarios) to support your risk explanations.
  2. Explain the strategic impact: Show how your cybersecurity investments will support business continuity, growth, and resilience. CFOs want to know the ROI; not just in terms of finances, but in terms of risk reduction and business stability.
  3. Justify new investments: Break down why certain investments are new or increased and how they directly support the company’s long-term goals.

To be clear, every person is unique and so should your pitch be.

As we always say: tailor EVERYTHING to your stakeholders.


Start with risk & business impact

First off, a great pitch isn’t just about the numbers; it’s about decision-making.

  • It clarifies your understanding of the variables and your desired effect.
  • It clarifies what areas your team can influence, but also which ones you can't.
  • It clarifies the bets the organization can make to achieve the desired effect.
  • It clarifies what's at stake and how much it costs.
  • Optionally, it clarifies options for which bets to take.
  • Finally, it clarifies which bet you recommend.

Going through this logic, you will need a clear narrative in pitching your cybersecurity budget.

Instead of starting with figures, focus on the real-world consequences of not investing in cybersecurity.

This could be about the risks your organization faces and how they directly impact business operations.

The goal here is to anchor the conversation in business risks that the CFO already understands, clarifying urgency and necessity of the investment.


Presenting proposed investments as solutions

Next, present your proposed investments as solutions to the problems you've highlighted.

The key is to avoid technical jargon and stick to high-level benefits.

Remember, your CFO is laser-focused on the bottom line. They want to know how your cybersecurity plan will keep the company running smoothly and protect that bottom line.

Cybersecurity folks tend to reason bottom up, while financial folks reason top down.

You're not just asking for funds, you're providing peace of mind and showing that you have a plan.

This taps into psychology by framing the solution as a shield against future loss.


Highlighting ROI and strategic gains

CFOs are always focused on the bottom line.

Always be sure to have a way to clarify the ROI.

The objective is to move the conversation away from just spending and towards the strategic value each investment brings.

Here's a few tips to highlight the ROI:

  • Showing clear benefits: Per cybersecurity investment, demonstrate how it reduces operational costs, avoids potential fines, or protects revenue streams.
  • Highlighting the strategic gains: Not every cybersecurity investment will have a straightforward cost-to-benefit analysis, but they still can contribute to long-term plans. Examples include; gaining access to new markets through security compliance, increased customer retention by ensuring trust in your product or services, or improving the customer experience by reducing false positives in security systems.
  • Aligning with business objectives: Ensure that you understand how every investment contributes to the company's long-term success. If it doesn't, that could also be fine but be prepared for questions. You want to ensure that your CFO understands the value of the investment, not just the cost.

Before we close, a few final comments on the role of ROI in cybersecurity budgeting.


This is often a pain point and it's worth spending some extra thought on it.

  • ROI may not be immediately quantifiable, but that doesn’t mean the investment isn’t valuable. Risk avoidance and operational continuity are often just as critical as cost savings, and these should be clearly communicated to the CFO.
  • While cybersecurity and regulatory compliance are often perceived as a cost, they should be considered a non-negotiable part of the quality of products (or services). A holistic approach that integrates them into the business mindset prevents security from being treated as a foreign expense, and with it the negative financial decisions that follow.
  • Emphasizing operational resilience is one effective approach to improve that mindset: highlight how the cybersecurity investment feeds into business continuity, allowing the company to operate smoothly under a variety of threat scenarios.
  • We really should do more on cost-effective risk mitigations. Even if you can't demonstrate financial ROI, at least show how unit cost of control is reduced. Being more efficient in managing certain threats can be a good example.

That's it.

Love to hear what you think, feel free to drop a comment!




We've built 15+ systems, 30+ scenarios and 4+ Accelerator Labs that significantly improved the way teams make smarter decisions about managing digital risk.

We found that teams get started in less than 10 minutes.

If you'd like to see this in practice, we're happy to show you.

Just ask our Venation team for help!


PS

I need your help!

(read below image)

I dedicated the last 36 months and €100,000+ on figuring out scenario-based defense for digital risk management.

Hired advisors. Contributors. Specialists. Turning all my experience and knowledge into practical systems and scenarios.

I spent more nights than I'd like to admit on understanding how this works.

Everything to make scenario-based defense extremely accessible for all decision-makers, regardless of maturity or role in the organization.

But I need your help to understand if we're on the right track:

I want to understand:

  • What is the ONE thing that Venation is doing that stood out to you and why?
  • How likely are you to recommend us to your friends or peers? Why or why not?
  • What’s the ONE thing Venation is missing and why?

Just hit me up via LinkedIn.

I'll pick-up calendar logistics from there.

Your feedback means everything to me.

Let's make this week count!

Gert-Jan

