How CISOs can cut through board-level budget discussions

Art Gilliland, CEO at Delinea.

It’s that time of year again—summer vacations are a memory, fall routines are settling in, and companies of all sizes and industries are forecasting their next fiscal budgets.

For chief information security officers (CISOs), many of whom now report directly to their boards, this season brings the challenge of balancing evolving business priorities with increasingly complex cybersecurity ecosystems.

Navigating these board-level discussions and asking for additional funding isn’t always easy, but with the stakes higher than ever, it’s critical to make a compelling case for deeper investment—particularly in identity and access management (IAM). . It’s about demonstrating how these investments drive business growth, protect operations and ensure regulatory compliance.

The good news is that security spending is generally on the rise. According to Gartner, global spending on information security is expected to reach $212 billion in 2025a 15% increase from this year. This mirrors information from Forrester’s Budget Planning Guide for Security and Risk Managers where nine out of 10 CISOs expect their budgets to increase in 2025, but that optimism is tempered by the fact that only one in 10 expect to see budget increases of more than 10%.

Undoubtedly, in this age of artificial intelligence, a proliferation of vendors, tools, and platforms that promise cyber salvation, rather than creating operational silos, unexpected costs, and heightened exposure. This is on top of a regulatory maze that spans industries and borders, affecting the investments companies make in their cyber posture.

Despite the growing scale and complexity of businesses’ digital footprints, it’s clear that it will take more than a polite request for CISOs to justify increased solutions and spend in their FY2025 IT budgets.

As CISOs prepare for upcoming boardroom discussions, here are three strategies to help them demonstrate that deeper investments in security solutions like IAM not only mitigate threats but also strengthen IT integrity and drive business growth.

Position security as a business enabler.

Security as the linchpin to business enablement isn’t just a happy tune sung by CISOs to hopefully win more incremental budgets, it’s a fact.

Security automation and most fluid controls help companies put the corporate pedal to the metal on their digital transformation journeys. Take this simple analogy: Brakes are a control on a vehicle. without them, you can’t dive fast. Businesses should approach security the same way. Comprehensive and appropriate security controls allow businesses to move with greater speed and confidence.

In addition, try to place customers as a catalyst for security investments. Many customers are strongly focused on supply chain risks, which has led them to scrutinize the security postures of their partner and supplier ecosystems. Beyond general compliance certifications—such as SOC2, ISO, NIST, and FedRamp—customers often have specific regulatory requirements tied to their industry or region, which may include stricter data privacy measures, encryption standards, or unique audit protocols .

CISOs should leverage these very real customer concerns and demands to justify security investments that meet regulatory requirements as well as unique customer standards.

It is critical for CISOs to demonstrate to boards that security controls accelerate digital transformation and are the engine that powers the rest of the IT apparatus. If boards are skeptical, don’t be afraid to lean on your customers and point to the ever-growing network of standards and policies that, if not met, could lead to disruption or even loss of business.

Use attacks to go on the attack.

Cyber ​​threats are advancing at the same pace as the innovations developed to combat them. This means that whether you are a Fortune 100 company or a mid-sized company, a major attack on your IT infrastructure is a matter of when, not if. As counterintuitive as it may seem, security leaders should strengthen through breaches.

Following major cyber incidents or regulatory pressures, it is common for boards and executive leadership to pour significant dollars and resources into strengthening their cyber postures. But the faucet is only open for so long. As time passes, the urgency subsides, and the digital dust settles, this flow often dribbling as budget is redirected to other IT initiatives.

CISOs must take advantage of these windows of increased awareness and appetite to ask boards for deeper investments in security and compliance solutions that not only cover the cracks in their IT environments today, but to prevent future cracks in the months and years to come. .

Carry insurance as an adjustment against risk.

Almost every jurisdiction has some framework or legislation regarding information security and privacy and data protection: HIPAA, GDPR, PCI DSS, and a host of others that criss-cross government buildings, capitols, and bureaucratic buildings around the world.

For businesses that cross industries and borders, this complex web of regulations is enough to make any CISO wake up in a cold sweat screaming, “Compliance!”.

While it’s true that the increased cost and complexity of this regulatory network—and the severe penalties that accompany a failed audit—is a headache for any security leader, a major breach is a migraine. According to IBM’s annual data breach report, the global average cost this year is $4.88 millionup 10% from last year and the highest total ever. Not to mention the serious impact this downtime can have on ongoing business continuity, customer confidence and reputational damage.

CISOs need to convey to boards that proper cyber hygiene and strong controls—particularly around IAM—are critical to regulatory health and audit management. Furthermore, proof of these security investments is now the table stakes for companies to be eligible for cyber insurance. In fact, according to my company’s recent report, 35% of decision makers Reported compliance/regulatory requirements were the top reason for applying for cyber insurance—higher than any other motivation.

Conclusion

CISOs face a persistent challenge to balance long-term business needs with dynamic security risks, often without significant increases in spending.

By showing boards how investments in security, especially IAM, can enable digital transformation, IT integrity, and manage risk for the regulatory cycle, they may finally find a few more dollars in those coffers.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Am I eligible?