In today’s rapidly changing economic landscape, organizations worldwide are navigating uncertainties driven by inflation, recession and evolving policy requirements. These factors often prompt business leaders to reexamine budgets across all functions, including cybersecurity.
As a result, cybersecurity leaders must adapt their approach to securing funding, leveraging transparency, clear executive communication and compelling storytelling to advocate for the resources needed to protect their organizations.
Executive leaders, often viewing cybersecurity as a cost center, may not fully understand the risk implications of budget reductions. To address this, cybersecurity leaders are encouraged to benchmark their staffing, spending, and program maturity against industry peers, and demonstrate how investments support business outcomes and resilience.
By aligning cybersecurity initiatives with organizational priorities and formalizing strategic planning, leaders can build a strong value story that resonates with executive leadership and helps secure critical funding, even in uncertain times.
Read: Saudi Arabia maintains top position in global IMD cybersecurity ranking in 2025
Benchmark cybersecurity staffing, spending, and maturity
Benchmarking cybersecurity staffing, spending, and maturity provides essential context for budget discussions with board directors and C-suite executives. Leaders are often asked how their organization’s cybersecurity investments compare to those of industry peers.
Benchmarking delivers clear, data-driven answers, supporting cost optimization decisions and strengthening the narrative when communicating with executive leadership.
By assessing strengths and gaps across program maturity, control implementation, spending, staffing and operational performance, cybersecurity leaders can craft compelling stories that resonate with business leaders.
For example, organizations may highlight their ability to “do more with less”, demonstrate a plan to “catch up” to industry standards or showcase “leading edge” maturity. These benchmark-informed narratives add essential context to budget conversations.
Key areas to benchmark
To maximize the impact of benchmarking, cybersecurity leaders should focus on several critical areas:
- Budget and staffing: Compare overall spending and staffing levels to similar organizations, breaking down resources by cybersecurity domain.
- Program maturity: Evaluate the maturity of cybersecurity activities relative to peers, identifying gaps and opportunities for improvement.
- Controls implementation: Assess the effectiveness of security controls using established frameworks and benchmark against industry standards.
- Operational performance: Measure key operational metrics and compare results to industry benchmarks to identify strengths and areas for growth.
While benchmarking should not be the sole driver of cybersecurity strategy, it adds valuable perspective to budgeting and resourcing decisions.
Demonstrating cybersecurity’s value to the business
Although cybersecurity budgets have often remained stable during economic downturns, cybersecurity is still viewed as a cost center and may be targeted for reductions.
Cybersecurity leaders cannot assume their budgets are immune to cuts. To safeguard funding, it is essential to clearly demonstrate how cybersecurity investments contribute to business outcomes that matter to executive leadership.
Traditionally, cybersecurity leaders have focused executive communication on risk reduction. While important, this approach can overlook the broader benefits of cybersecurity in enabling business objectives.
To address this, leaders should map cyber risks to core business risks that directly impact organizational outcomes. By making these connections explicit, cybersecurity leaders can show how their programs support faster and safer digital innovation, enable revenue growth, protect intellectual property, defend brand value and ensure compliance with evolving regulations.
Capturing this alignment in a concise, visual format — such as a “strategy on a page” — can help executive leaders quickly understand the value cybersecurity brings to the organization.
Formalize cybersecurity’s strategic planning
Cybersecurity leaders often find themselves shifting between urgent priorities without a broader, cohesive strategy to protect the enterprise. This reactive approach can leave cybersecurity budgets vulnerable to cuts, as C-suite and board-level leaders may not fully understand the consequences of reducing cybersecurity spending.
Recent Gartner data highlights significant gaps in strategic planning: 48 percent of cybersecurity functions do not have a documented strategic roadmap for new solutions or controls, and 52 percent do not base project priorities on business needs as defined by the business.
To close these gaps, cybersecurity leaders must formalize their strategic planning and budgeting processes. Establishing a structured, repeatable approach makes spending decisions more transparent and defensible to executive leadership.
It also enables leaders to proactively identify areas for potential cost savings — such as vendor consolidation, technology rightsizing or reprioritizing projects — while protecting essential operations.
Will Candrick is the senior director analyst at Gartner.
