Budget season is a defining moment for Chief Information Security Officers (CISOs). It’s the time when security leaders must make the case for their budgets, often to a boardroom full of executives who may not speak the same technical language. In fact, 59% of directors admitted in a recent PwC study that their board is not very effective in understanding the drivers and impacts of cyber risks for their organisation. Without a clear, compelling business-oriented argument, CISOs risk losing critical funding for controls and risk mitigation strategies, potentially leaving their organisation vulnerable to a host of unwanted cyber security consequences.

Today, CISOs are held to a higher standard than ever, both internally by their boards and externally by government and regulatory oversight entities, and they can’t afford to leave themselves or their organisations exposed. Instead of presenting a typical security wish list, they must advocate for a proactive cyber security strategy that ensures business continuity when threats inevitably arise. By shifting the conversation from compliance checklists to cyber security as a business investment in risk reduction, CISOs can highlight their role in protecting revenue, operations and brand reputation.

Here are three ways CISOs can make this necessary shift when presenting budget requests to the board.

  1. Avoid the compliance checklist mentality

A common pitfall in budget planning is treating cyber security as a compliance exercise — simply checking boxes rather than strengthening security. While compliance is important, a checklist alone doesn’t guarantee meaningful risk reduction or business resilience. Securing budget approval starts with identifying essential security measures based on an organisation’s unique risk landscape and demonstrating how these investments align with broader business objectives.

To make the case for smarter spending, CISOs must evaluate compliance-driven investments through the lens of actual security impact. For instance, if a regulatory mandate requires a control that has minimal effect on overall security posture, simply implementing it isn’t enough. CISOs should quantify its limitations and advocate for solutions that deliver both compliance and real risk reduction. The goal is to move beyond reactive spending and towards proactive, risk-based decision-making that aligns with the business objectives boards have in mind.

  2. Quantify your risk and make a financial case

A major challenge for CISOs in budget discussions is making cyber security risk feel tangible. Cyber risks often remain invisible – that is, until a breach happens. Traditional tools like heat maps, which visually represent risk by colour-coding potential threats, can be misleading or oversimplified. While they offer a high-level view of risk areas, heat maps fail to provide a concrete understanding of the actual financial impact of those risks. This makes it essential to shift from qualitative risk assessments like heat maps to cyber risk quantification (CRQ), which assigns a measurable financial value to potential threats and mitigation efforts.

By leveraging reliable, validated cyber risk models that assess their company’s risk and quantify the probability and financial impact of specific cyber threats, security leaders can present real-world scenarios that illustrate financial trade-offs. For example, a firm might face a 5% annual risk of a ransomware attack that costs an average of £10 million. Investing £10,000 per year in a control that halves this risk from 5% to 2.5% sounds like a smart, defensible decision, with roughly 150% annual return on investment (ROI) in terms of financial risk buy-down.

By presenting security in financial terms – i.e., average losses mitigated versus investment required – CISOs can make a compelling case for funding critical cyber security initiatives.

  3. Speak the board’s language

The biggest challenge CISOs face isn’t just securing budget – it’s making sure decision-makers understand why they need it. Boards and executives don’t think in terms of firewalls and threat detection; they care about business continuity, revenue protection and return on investment (ROI) – see our ‘Mastering Cost Management and Reduction: A Guide for Chief Information Security Officers’ blog for more on this subject.

For cyber investments, though, ROI has not typically been a figure security experts could use to validate these investments, largely because of the difficulty of estimating the value of risk reduction. However, new approaches to cyber risk quantification have made this possible. With models validated by real-world loss data, it is now possible to produce an ROI figure. Using a CRQ approach to risk analysis, CISOs can reframe security investments in financial terms that decision-makers understand, including:

  • Value at Risk (VaR): What’s the potential financial impact of a cyberattack on critical business functions?
  • Risk Reduction: How much does a specific investment reduce financial exposure?
  • Business Continuity: How will this investment help the company remain operational in the face of an attack?

For example, instead of saying, “We need endpoint detection and response (EDR) to improve threat detection,” a CISO could say, “In the event of a ransomware attack, investing in EDR is expected to reduce our business interruption and extortion risk from £10 million to £4 million, saving millions in clean-up costs and lost revenue.”

Importantly, by speaking the board’s financial language in this way, and articulating the “why” behind cyber security investments, CISOs not only can secure this year’s budget, but also lay the foundation for genuine long-term collaboration. When executives grasp the strategic value of cyber security, they are more likely to prioritise it in future discussions, making it easier to align on long-term goals, gain support for ongoing initiatives and build a shared sense of responsibility for the organisation’s overall resilience.

Turning the tide on CISO and board relations

While CISOs have traditionally struggled to make their case in the boardroom, the tide is turning. High-profile breaches and the growing regulatory scrutiny in recent years have begun opening the eyes of C-suite leaders to the importance of mitigating cyber risk. However, to fully bridge the gap, CISOs must evolve to think beyond technical defences and position themselves as risk advisors and strategic business leaders. That means learning the language of finance, communicating risk in pounds and pence, and positioning cyber security as a critical enabler of business continuity and resilience.

Quorum Cyber’s free whitepaper, ‘Mastering Cost Management and Reduction: A Guide for Chief Information Security Officers’, helps organisations to better manage budgets and maximise resources.
