5 Minutes With
How Can CISOs Create the Ideal Cyber Budget?

Earlier this year, research found that cybersecurity budgets reached a five-year low in terms of growth. Budget constraints are nothing new to security leaders, many of whom have experience stretching small budgets, but as the new year approaches, many are hoping to earn a little more wiggle room.
Here, Security magazine talks with Chris Wheeler, Chief Information Security Officer (CISO) at Resilience, about how CISOs can create the ideal cyber budget for the new year.
Security magazine: Tell us about your background and career.
Wheeler: My experience in cybersecurity spans the gamut of Blue Team, Red Team, Threat Intelligence, and leadership. Before Resilience, I led the Security Orchestration, Automation, and Response (SOAR) program and the Cyber Incident Response Team (CIRT) Senior Analyst Team at Morgan Stanley. After getting my degree in computer science and information technology, I served in the United States Navy at sea and in the US Intelligence Community, before moving into the cybersecurity startup world, including a much earlier version of Resilience.
Security: What are some unique challenges CISOs are facing with budget development this year?
Wheeler: This year, CISOs are tasked with communicating a mix of emerging risks and the long-tail risk of AI adoption.
I recently presented on how we built our own employee generative AI policy. Some of the central audience questions were where the data ended up when employees used free versions of these tools. Could the data be stolen or exposed? Another practitioner rightfully pressed me on whether this has caused insurance claims or breaches. Boards will be asking the same questions of their CISOs this budgeting season.
Resilience has already seen a handful of AI-related breaches come through our insurance claims. The tough part in planning for these is that we always recommend that CISOs quantify their risk in financial terms when speaking to boards, but many of these incidents are too young; lawsuits and penalties have not been settled, and many have not been detected or reported.
Security: How could the ideal budget support a security team — and the business as a whole — for the upcoming year?
Wheeler: CISOs need to service their compliance regimens first. Unsurprisingly, CISOs cite this as justification for 78% of their needs according to a 2025 Hitch Partners survey. This is an area of the budget for non-negotiables, including items that have a negative return-on-controls.
Next, CISOs should look for outsized return-on-controls. These should have a positive return on controls, meaning they bring in more revenue or reduce more quantified risk than they cost. Controls that build business resilience really shine in this category. Think of actions like backups and associated exercises, or meaningful cybersecurity awareness training.
Finally, CISOs should be thinking ahead. As I said earlier, many lawsuits and claims related to AI haven’t been settled, and security teams may not even have the tools to detect and report these kinds of incidents. Are CISOs prepared when those tools are available, and claims are settled? They should budget to support their incident response and proactive mitigations. This may include sharing budget items with other executives, like a Chief Information Officer (CIO), Chief Technology Officer (CTO), or Chief Legal Officer (CLO).
Security: How can CISOs ensure they are on the same page with their board to create the most effective budget possible?
Wheeler: It’s most important for CISOs to know their board members’ objectives and values. While financially quantifying their organization’s risk is unquestionably valuable when presenting to the board, they shouldn’t forget the value of storytelling to showcase their wins and portray the non-financial impact of a cybersecurity-related loss. This can be increased attrition due to decreased morale, perceived reputational damage, or loss of key clients.
To really know their board, CISOs should make sure they’re a part of the conversation before they have a budgeting need. They should seek formal and informal opportunities to offer their expertise outside of budgeting season, and collaborate with their peers and executives to do the same.
As always, CISOs should think ahead and make it clear to the board that they are doing so. If they can elevate the cybersecurity conversation to a 3+ year vision, incremental investments should not be as daunting. While being forward-looking, CISOs must show alignment of their vision with the company’s objectives.
Security: Is there anything we haven’t discussed that you would like to add?
Wheeler: Generally, I think that executive boards are getting smarter on cybersecurity. A recent NACD survey found that 80% of boards’ cybersecurity knowledge has improved as compared to 2022. There is a better understanding of what’s needed for a cybersecurity budget in many areas. Unfortunately, some of this stems from the board’s own experience with events such as ransomware attacks or their industry peers.
All CISOs are feeling the budget pinch as year-over-year budget growth has slowed. According to IANS Research, when asked, “Does your organization have sufficient staff to effectively execute your security agenda?” only about 23% of CISOs with teams of over 50 people felt adequately staffed, and those numbers are much worse for smaller teams. Staff are typically the highest cost, alongside software. This puts a premium on solid hiring.
The budget pinch will force prioritization across all costs, and unfortunately, CISOs may not get everything they want. They should know their must-haves and return-on-controls to guide that prioritization, but avoid compromising on their overall vision.