Security Budget and Investment
No Budget, But Risk
Cybersecurity is not a technical side issue here, but part of continuity, liability, and reputation.
Steering security budget and investment only works with measurable goals, clear escalation paths, and timely decisions.
This way the topic does not become a recurring discussion, but a manageable part of regular business operations.
Why this matters
At its core, security budgeting is about risk reduction in practice. Technical context informs the choice of measures, but implementing and sustaining them is what counts.
"How much should we spend on security?"
It is the question every CISO dreads and every CFO asks. And the honest answer is: it depends. But that answer is about as useful as a meteorologist saying "tomorrow will be weather again", so let's make it more concrete.
This chapter gives you the benchmarks, the frameworks, and the arguments you need to put together a security budget that fits your organisation. Whether you are the executive who must decide, or the CISO who must defend the budget – here you will find the numbers and the justification.
What do others spend? Benchmarks
Benchmarks are not prescriptions. They are reference points. What a bank spends on security is not what a construction company should spend. But they do help to check whether you are heading in the right direction – or hopelessly lagging behind.
Percentage of the IT budget
The most commonly used measure is security spending as a percentage of the total IT budget.
| Sector | Typical % of IT budget | Notes |
|---|---|---|
| Financial services | 10 – 15% | Heavily regulated, high impact from incidents |
| Healthcare | 7 – 12% | Sensitive data, increasing regulation |
| Government | 8 – 12% | NIS2 and BIO requirements drive investment |
| Retail and e-commerce | 5 – 10% | Payment data, large attack surface |
| Industry and manufacturing | 4 – 8% | OT security is becoming increasingly important |
| SME (generic) | 3 – 7% | Often too low; the lower limit is risky |
Percentage of revenue
An alternative measure is security spending as a percentage of total revenue. This is more useful for organisations where IT doesn't have a separate budget.
| Organisation size | Typical % of revenue |
|---|---|
| Enterprise (>250 employees) | 0.5 – 1.5% |
| Mid-size (50-250 employees) | 0.3 – 1.0% |
| Small (<50 employees) | Often less than 0.3%, but 0.5% is desirable |
Warning: A benchmark of "6% of the IT budget" is meaningless if your IT budget itself is too low. If your total IT budget is 50,000 euros and 6% of that goes to security, you have 3,000 euros. That buys you exactly half a penetration test.
Building the business case
Defending a security budget with "otherwise we'll get hacked" is like telling your child to eat their vegetables "because it's healthy". Technically true, but not convincing. You need a business case.
The foundation for a good business case is a solid risk analysis. Without insight into the risks your organisation faces, any budget is a shot in the dark.
Step 1: Quantify the risk
Risk analysis translates threats into monetary terms. The model is simple:
Expected annual loss = Probability of incident (per year) × Impact per incident
| Scenario | Estimated probability (per year) | Estimated impact | Expected annual loss |
|---|---|---|---|
| Ransomware attack | 15 – 25% | 500,000 – 5,000,000 euros | 75,000 – 1,250,000 euros |
| Data breach with personal data | 10 – 20% | 200,000 – 4,500,000 euros | 20,000 – 900,000 euros |
| BEC fraud (CEO fraud) | 10 – 15% | 50,000 – 500,000 euros | 5,000 – 75,000 euros |
| Downtime due to DDoS | 5 – 15% | 10,000 – 100,000 euros | 500 – 15,000 euros |
These figures are estimates based on sector averages and Dutch incident statistics. Your own risk profile may differ. But even rough estimates show that the expected annual loss quickly exceeds a reasonable security budget.
Step 2: Show the cost of doing nothing
The costs of a security incident go far beyond the direct loss. Calculate the full picture.
| Cost item | Notes |
|---|---|
| Direct damage | Ransom, stolen money, system recovery costs |
| Operational downtime | Revenue loss due to downtime – average 21 days for ransomware |
| Fines | GDPR: up to 20 million euros or 4% of revenue. NIS2: up to 10 million euros or 2% of revenue |
| Legal costs | Lawyers, claims from affected customers, director liability |
| Reputational damage | Customer churn, loss of contracts, falling share price |
| Recovery costs | Forensic investigation, emergency measures, accelerated investments after the fact |
| Insurance impact | Higher premiums after an incident, possible loss of coverage |
Rule of thumb: The costs of resolving an incident after the fact are on average five to ten times higher than the costs of prevention. Every euro you invest now saves you five to ten euros in damage.
Step 3: Compare investment with risk reduction
| Investment | Annual cost | Expected risk reduction |
|---|---|---|
| Endpoint Detection & Response (EDR) | 15,000 – 50,000 euros | 30 – 50% lower chance of ransomware |
| Security awareness training | 5,000 – 20,000 euros | 40 – 60% fewer successful phishing attacks |
| Annual penetration test | 10,000 – 50,000 euros | Proactive identification of vulnerabilities |
| MFA on all systems | 5,000 – 15,000 euros | 80 – 99% fewer credential attacks |
| SIEM/SOC (managed) | 30,000 – 120,000 euros | On average 60% faster detection of incidents |
| Incident response retainer | 10,000 – 30,000 euros | Much faster response time during incidents |
| Cyber insurance | 5,000 – 30,000 euros | Financial cushion for residual risk |
| Backup and recovery | 10,000 – 40,000 euros | Recovery without ransom in ransomware situations |
The language CFOs understand is not "we need to reduce our attack surface" but "for 80,000 euros per year we reduce the probability of a million-euro incident by 70%". Translate technical measures into financial impact.
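The three steps above, carried through in code as an added example (not part of the original chapter): it computes the expected annual loss range for a scenario exactly as the Step 1 table does, sums it across scenarios, and then works out the return on security investment (ROSI) for one measure from the Step 3 table. The scenario figures are the page's own ranges; the ROSI formula and the conservative pairing of the measure's upper cost with its lower risk reduction are assumptions made here.

```python
"""Expected annual loss (ALE) and return on security investment (ROSI).

Constructed example: scenario and measure ranges are copied from the
tables on this page; they are illustrations, not measured data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    prob_low: float      # annual probability, lower estimate
    prob_high: float     # annual probability, upper estimate
    impact_low: float    # euros per incident, lower estimate
    impact_high: float   # euros per incident, upper estimate

    def ale_range(self) -> tuple[float, float]:
        """Expected annual loss = probability x impact, as a (low, high) pair."""
        return (self.prob_low * self.impact_low, self.prob_high * self.impact_high)


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float     # euros per year
    risk_reduction: float  # fraction of the scenario's probability removed (0..1)


def total_ale(scenarios: list[Scenario]) -> tuple[float, float]:
    """Sum the (low, high) expected annual loss over a portfolio of scenarios."""
    lows, highs = zip(*(s.ale_range() for s in scenarios))
    return (sum(lows), sum(highs))


def rosi(scenario: Scenario, measure: Measure) -> tuple[float, float]:
    """ROSI = (avoided loss - cost) / cost, for the low and high ALE estimate.

    Avoided loss is the share of the expected annual loss the measure is
    assumed to prevent. A negative value means the measure does not pay for
    itself on this scenario alone (it may still pay off across several).
    """
    low, high = scenario.ale_range()
    avoided_low, avoided_high = low * measure.risk_reduction, high * measure.risk_reduction
    return ((avoided_low - measure.annual_cost) / measure.annual_cost,
            (avoided_high - measure.annual_cost) / measure.annual_cost)


# Constructed inputs taken from the Step 1 and Step 3 tables above
RANSOMWARE = Scenario("Ransomware attack", 0.15, 0.25, 500_000, 5_000_000)
BEC_FRAUD = Scenario("BEC fraud (CEO fraud)", 0.10, 0.15, 50_000, 500_000)
EDR = Measure("Endpoint Detection & Response", 50_000, 0.30)  # upper cost, lower reduction

if __name__ == "__main__":
    lo, hi = RANSOMWARE.ale_range()
    print(f"{RANSOMWARE.name}: expected annual loss {lo:,.0f} - {hi:,.0f} euros")
    r_lo, r_hi = rosi(RANSOMWARE, EDR)
    print(f"{EDR.name} at {EDR.annual_cost:,.0f} euros/year: ROSI {r_lo:.0%} to {r_hi:.0%}")
```

The wide spread in the result is the point: at the pessimistic end of the estimate EDR is not justified by ransomware alone, which is why the business case should rest on the summed loss across scenarios rather than on a single headline number.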
Where does the budget go? Budget categories
A security budget that only goes to tooling is like a gym membership without food and sleep. The distribution across categories is at least as important as the total amount.
Recommended distribution
| Category | % of security budget | What it includes |
|---|---|---|
| People | 35 – 45% | CISO (internal or external), security analysts, hired specialists |
| Tooling and technology | 20 – 30% | EDR, SIEM, firewalls, vulnerability scanners, IAM solutions |
| Training and awareness | 10 – 15% | Security awareness for all staff, technical training for IT, executive training |
| Testing and audit | 10 – 15% | Penetration tests, red team exercises, compliance audits, code reviews |
| Incident response | 5 – 10% | IR retainer, forensic capacity, crisis plans, exercises |
| Insurance | 5 – 10% | Cyber insurance, supplementary D&O coverage |
Common mistake: Organisations invest heavily in tooling but barely in people and training. A SIEM costing 100,000 euros per year without anyone to read the alerts is an expensive screensaver. People make the difference – tools support them.
Prioritising: where to start?
Not every organisation can do everything at once. The art is to start where the greatest risk reduction sits for the least money.
The prioritisation framework
Rank investments on two axes: impact on risk reduction and cost/complexity.
| Priority | Measure | Impact | Cost | Start here |
|---|---|---|---|---|
| 1 | MFA on all external access | Very high | Low | Tomorrow |
| 2 | Security awareness training | High | Low | This month |
| 3 | Structure patch management | High | Low-medium | This month |
| 4 | Test backup and recovery | High | Medium | This quarter |
| 5 | EDR on all endpoints | High | Medium | This quarter |
| 6 | Develop incident response plan | High | Low | This quarter |
| 7 | Conduct penetration test | Medium-high | Medium | This half-year |
| 8 | SIEM/SOC (managed) | Medium-high | High | This year |
| 9 | Zero trust architecture | High | High | Multi-year plan |
| 10 | Red team exercise | Medium | High | After basic measures |
Quick wins versus long-term investments
Quick wins (within a month, low budget):
- Activate MFA on all external access points
- Tighten password policy
- Enable automatic updates where possible
- Run a phishing simulation to measure the baseline
- Restrict admin rights on workstations

Long-term investments (multi-year plan, substantial budget):
- Zero trust network segmentation
- Security Operations Centre (internal or managed)
- Full identity & access management
- DevSecOps integration in software development
- Business continuity planning and disaster recovery
ROI of security: the return on protection
The ROI of security is difficult to calculate because you measure the return in incidents that don't occur. But there are ways to make it tangible. In chapter 10 on security metrics and board reporting we go deeper into how you structure the reporting of these indicators to the board.
Direct ROI indicators
| Indicator | How to measure | Example |
|---|---|---|
| Phishing click rate | Before and after awareness training | From 25% to 4% = 84% improvement |
| Mean time to detect (MTTD) | Average time to incident discovery | From 197 days to 30 days |
| Mean time to recover (MTTR) | Average time to full recovery | From 21 days to 3 days |
| Blocked attacks | Number of blocked attempts by EDR/firewall | Quantifiable from logging |
| Compliance status | Percentage of GDPR/NIS2 requirements met | From 40% to 90% |
Indirect benefits
- Commercial advantage. More and more customers and clients demand demonstrable security. An ISO 27001 certification or SOC 2 report opens doors.
- Lower insurance premiums. Good security leads to lower premiums for cyber insurance and D&O.
- Director protection. Demonstrable investments protect directors from personal liability (see chapter 5).
- Employee trust. Employees who know that the organisation takes security seriously are more vigilant and report incidents more quickly.
Presenting the budget to the board
The CISO presents in technical terms. The board thinks in risks, costs, and strategic impact. Here are five principles to bridge that gap.
1. Speak the language of the board
Not: "We need to upgrade our SIEM to a next-gen XDR platform with SOAR integration." But: "We want to detect attacks twice as fast, reducing the average damage per incident by half."
2. Link to business risks
Not: "There are 47 critical vulnerabilities in our infrastructure." But: "Three of our customer-facing systems contain vulnerabilities that give an attacker access to 200,000 customer records. The expected fine in a data breach is 800,000 euros."
3. Offer options, not ultimatums
Present three scenarios with corresponding budget and risk acceptance.
| Scenario | Annual budget | What it delivers | Residual risk |
|---|---|---|---|
| Minimum | 50,000 euros | Basic hygiene: MFA, patching, awareness, backups | High – does not meet NIS2 |
| Recommended | 150,000 euros | Basic + pentest + EDR + incident plan + managed SOC | Medium – meets NIS2 baseline |
| Optimal | 300,000 euros | Everything above + red teaming + zero trust + 24/7 SOC | Low – best practice level |
4. Use incidents as illustrations
Refer to recent incidents in your own sector. Not to create fear, but to show that the risk is real. Board members respond more strongly to concrete examples than to abstract probability calculations.
5. Report progress, not just problems
Show every quarter what was done with the budget, which risks were reduced, and which metrics improved. Board members who see results invest further.
Tip for the CISO: Don't end your presentation with a list of everything that is wrong. End with three concrete actions, a timeline, and the requested budget. Board members want to make decisions, not become depressed.
Common mistakes in security budgeting
| Mistake | Why it goes wrong | Better alternative |
|---|---|---|
| Only investing after an incident | Reactive is always more expensive than proactive | Reserve a structural annual budget |
| Basing budget on last year + inflation | Security threats grow faster than inflation | Base budget on current risk analysis |
| Spending everything on tooling | Tools without people are useless | Distribute across people, tools, training, testing |
| No budget for incident response | "That won't happen to us" – until it does | Take out at least an IR retainer |
| Viewing security as a cost item | Creates a perverse incentive to cut costs | Frame as risk management and business continuity |
| No multi-year plan | Annual discussion leads to ad-hoc decisions | Three-year plan with annual recalibration |
Summary: the bill
A security budget is not a cost item – it is risk management. It is like a fire insurance policy, a lock on the door, or a good lock on your bike: you hope you will never need it, but when the moment comes, it is the difference between an incident and a disaster.
Three things to take away:
- Start with the basics. MFA, patching, awareness, backups. This delivers the greatest risk reduction for the least money.
- Distribute evenly. People, tools, training, testing. No category may be zero.
- Make it measurable. Link every investment to a risk, and report quarterly on progress.
Remember: The question is not "can we afford this?" The question is "can we afford not to do this?" The numbers speak for themselves.
A budget is only effective if you know what to do with it when things go wrong. In the next chapter, Incident Response and Crisis Management, you will read how to prepare your organisation for the inevitable moment that a security incident occurs – and how to limit the damage.
Further reading in the knowledge base
These articles in the portal give you more background and practical context:
- Compliance — following rules without losing your mind
- Incident Response — when things go wrong
- Supply chain attacks — the weakest link problem
- "Are we a target?"
- Ransomware — digital kidnapping for beginners and advanced users