Cybersecurity leaders spend months building annual budgets, only to watch the assumptions behind them change before the year is halfway over.
That was a central theme in a Gartner Security & Risk Management Summit session led by Elizabeth Davis. Drawing on her background in finance and cybersecurity, Davis challenged the idea that security budgets should be treated as fixed plans. Threats change, business priorities shift, acquisitions happen, new products launch, and regulatory requirements emerge. Yet many organizations still expect security teams to operate against a budget built for a different set of conditions.
Rather than trying to predict every future requirement, Davis encouraged security leaders to focus on creating more flexibility in how budgets are discussed, justified, and adjusted throughout the year.
Start With Business Priorities
One of Davis’s most practical observations was that many security budgets are built around technologies and controls while executive teams are focused on business outcomes.
Security leaders know why identity modernization, endpoint protection, and detection tools matter. The challenge is helping non-security stakeholders understand why those investments matter to the business.
A request for additional IAM funding may be technically sound, but a CFO is more likely to respond to a discussion about customer access, digital growth initiatives, or reducing friction in online transactions.
The technology remains the same. The framing changes.
“Executives don’t fund controls. They fund outcomes.”
Elizabeth Davis
According to Davis, only about 40% of security leaders intentionally align budget discussions to business objectives. That creates a gap between what security teams are trying to accomplish and what executive stakeholders believe they are funding.
Build Scenarios Before Budget Season Gets Difficult
Davis repeatedly returned to the value of scenario planning.
Many security teams submit a single budget request and then scramble when funding targets change. A better approach is to develop several versions in advance: a baseline plan, a reduced-funding option, and an accelerated-investment scenario tied to business priorities.
This creates a framework for discussing risk.
If leadership decides to reduce spending, security leaders can explain which initiatives will be delayed and what risks will increase as a result. If additional funding becomes available, they can identify where it will have the greatest impact.
Finance teams are already accustomed to working through multiple scenarios. Security teams that come prepared with the same level of planning often become stronger partners in those conversations.
Show What the Business Receives
Security leaders frequently struggle with visibility because success often looks like the absence of problems.
A successful cybersecurity program prevents incidents, reduces disruption, and helps the business operate normally. The challenge is that those outcomes are not always visible to executives who are evaluating competing budget priorities.
Davis encouraged security leaders to connect spending decisions to measurable business results. A discussion about a security tool may not resonate with a CFO. A discussion about reducing incident detection times from 48 hours to eight hours, protecting customer-facing services, or supporting a major business initiative is much easier to understand.
The goal is to explain security investments in terms of business impact rather than technical capabilities.
The Wrap
Security leaders cannot predict every threat, business change, or technology requirement that will emerge over the next 12 months. The goal is to create a better framework for discussing risk, priorities, and tradeoffs when conditions change.
In practice, that means treating budgeting as an ongoing conversation rather than a once-a-year exercise.


