Contact us

      This article was first published in CRI on May 20, 2026. It is part of the “Re‑inventing Cyber Budgeting” publication, a joint report by KPMG and TAG Infosphere focused on helping CISOs and risk leaders better justify cyber investment decisions. Please click here to read the original article and access the full report.

      Cybersecurity budgets are often poorly aligned with the actual level of risk to the organisation. Such misalignment can be driven by local challenges measuring and quantifying cyber risk, but it is compounded by the challenge of mapping perceived risk levels - accurate or otherwise - to security staff levels, controls, and approaches to risk mitigation.

      The result is a budgeting process that is often inconsistent with the ultimate purpose of cybersecurity investment: namely, to reduce risk. Instead, enterprise security managers silently accept whatever they’re allocated, or they distribute resources based on inertia rather than real exposure. I believe, rather, that they should tie their enterprise budgets to quantifiable cyber risk.

      Admittedly, this is easier said than done. But this article suggests a practical framework for how risk can become the driver of budgeting decisions. Our experience of working with KPMG clients globally has consistently shown that when budgets are mapped to risks, with measurable business outcomes, organisations achieve greater resilience, better board alignment, and higher returns on their security investments.

      Principles of risk-driven budgeting

      Our framework is based on three cybersecurity management principles. The principles provide a basis for a three-step process that will help companies better manage the risks in their budgets.

      • The first principle is alignment where every budget category is mapped to a documented and quantified risk

        If a given mapping is unclear, then the spend should be challenged. For example, if an AI security platform is proposed for deployment, but the purpose of the solution is unclear, then our framework would suggest that the investment be delayed until a real threat can be identified.

      • The second principle is adaptability

        As should be evident to any cybersecurity practitioner, cyber risk evolves at varying speeds and with varying outcomes. Therefore, budgets must be flexible, adaptive, and continuously updated rather than set once a year in stone. We understand that this is not the typical approach. Managers are often handed rigid year-over-year, carry-over budgets with little room for change.

      • The third principle is transparency

        A properly designed, risk-driven budget should allow all stakeholders to see the link from money spent to risk reduced. The implication, of course, is that the security function understands the risks that apply to the organisation. Transparency will be of little use if the risks are poorly identified or exist in some ad hoc format or representation.

      To put these principles into practice, CISOs will need to consider moving away from line-item categories like endpoint or network security and toward categories such as “ransomware disruption risk” or “third-party access exposure.” This change represents a fundamental reorientation that would force every budget item to be justified based on risk reduction. Let’s see how this would work in practice.

      A practical framework

      Our framework should be guided by the following core management steps:

      Identify top risks

      Everything starts with risk identification and quantification. You may choose to build your profile from the organisation’s risk register, or there might be a preferred quantification process or methodology. It is likely that for many enterprises, ransomware, insider misuse, third-party dependencies, and emerging categories like AI misuse will bubble up as the greatest risks

      Map current spend

      Every existing budget line included in the current spending plan should be mapped or recast in the context of one of these risk categories. Inevitably, you will find mismatches. That is, large allocations might emerge that are supporting risks that are no longer material, and gaps might emerge where critical risks lack adequate investment

      Resolve gaps and coordinate with Procurement

      Clean up tasks where gaps need to be resolved - either with proposed changes to vendor spend or changes to the staffing plan. The goal is to rebalance the portfolio. This will demand working with procurement, because purchase plans are typically driven by vendors, not by risk. So, coordination will be required to map the risk-based plan to an actual purchasing plan for vendors

      This approach requires some discipline and collaboration, because it introduces the new step of mapping budget to risk rather than the easier (but less effective) approach of buying into the usual categories, like endpoint, SIEM, MFA, and so on. We recommend this process, because it allows security budgets to function more like investment portfolios, which are constantly rebalanced based on where the greatest exposures exist.

      Tools and metrics

      Despite the fact that different teams will have different means for identifying risk, we strongly expect that cyber risk quantification (CRQ) will ultimately be required. Frameworks such as FAIR (factor analysis of information risk) and other quantitative methods might also offer the ability to assign financial values to risks. Useful metrics include risk reduction per dollar spent and a residual risk index, which will allow the CISO to demonstrate efficiency and effectiveness of spend.

      These types of tools should also help to shift the narrative with senior leadership. Instead of making claims such as “we need another $2 million for monitoring,” the improved discussion would become something more like “for $2 million we will reduce expected annualised loss from ransomware by $10 million.” That is a language business leaders understand, and it reinvents how security investments are proposed, justified, and approved.

      We understand that this approach is not without obstacles. Organisations often resist moving away from legacy spend, and legacy vendor relationships can distort priorities. Risk modelling also requires asking questions and collecting data that organisations are not used to answering or providing such as “if we experience a ransomware attack, how long are critical services likely to be unavailable?” Finally, this process requires collaboration across security, finance, and enterprise risk functions - cultural shift that some enterprises find challenging.

      An action plan for CISOs

      We strongly recommend that every CISO considers a risk alignment audit of their current budget. They should ask which budget allocations map to which risks - establishing a joint working group with finance and enterprise risk managers. Finally, CISOs should consider presenting budgets in risk-justified terms. Done well, this transition creates budgets that adapt to threats, speak the language of management, and deliver reductions in enterprise risk.

      Author

      Akhilesh Tuteja
      Akhilesh Tuteja

      Partner & National Leader, Clients and Markets

      KPMG in India

      How can KPMG in India help

      Transformation driven by data, enabled by digital technology, and led by business initiatives
      Read more

      Use cyber security to protect your future
      Read more

      The smartest businesses don’t just manage cyber risk, they use it as a source of growth and market edge
      Read more

      Access our latest insights on Apple or Android devices

      kpmg-insights-edge-qr