How to Increase & Justify Your Cyber Security Budget

A cybersecurity budget is essential for all companies, both large and small. This is because many different types of organizations have been targeted by hackers. While larger, richer companies tend to be more frequently targeted, small business attacks also happen all the time. Unfortunately, not everyone understands the need for a solid cybersecurity budget, and those people might include some of your bosses or investors. With that in mind, let’s go over a list of simple tips that will help you to justify an increase in cybersecurity spending.

1. Use Your Existing Tools To The Fullest

It is in the nature of corporate executives to engage in cost-cutting. Anything that can save a dollar will be appealing to them, as they are most concerned with the financial bottom line. Thus, if you are not fully utilizing the cybersecurity resources at your disposal, they will not be inclined to give you any more.

Further, if they see redundancies in your cybersecurity setup, that will definitely scream “inefficiency.” On the other hand, if you can show them that you are using your existing tools and funding to the fullest, it will be easier to justify an increase.

2. Use Just The Right Amount Of Tech Talk

When you are trying to describe these concepts to people who are not particularly tech-savvy, it can be easy to “talk over their heads” and lose their attention entirely. So, if you drone on and on like a technical manual and then conclude with a request for more money, that’s not a good look. Chances are, the audience will wake up from a state of semi-slumber and then deny your request.

Investors and executives need to understand what is going on, even if they don’t need to understand every minute detail. You want to get technical enough to explain the concepts thoroughly, but remember that you are not talking to an IT team here.

3. Make Sure The Risks Are Fully Understood

It can be a little expensive to invest in solid cybersecurity. We aren’t talking about fortunes here, but most companies will spend 3-4% of their revenue on IT costs. Of that amount, roughly 10% will go towards cybersecurity (assuming your company fits the average, of course). Again, not a fortune but still a significant amount. To mitigate that “sticker shock” factor, you need to make sure that your audience understands just how expensive a cyberattack can be.

To make the presentation more interesting, you should give them concrete examples of cyberattacks. Make sure that all of your examples are:

  • Relatively recent (1-2 years old at maximum)
  • Conducted against the same industry as your company/org
  • Accompanied by definite stats and figures regarding costs

It is no lie to state that a cyberattack is far more expensive than any reasonable cybersecurity budget. However, it is your job to make that fact obvious.

4. Incorporate Some Labor-Saving Measures

Whenever you ask someone for more funding, they will naturally wonder why it is needed. Without real benefits, they are unlikely to be sold on the idea. One of the many benefits that you can talk about is the potential for savings on labor costs. Obviously, you don’t want to push yourself out of a job, but everyone likes the idea of a more efficient workforce.

That’s where automated security tools come into play. They don’t require the same degree of attention and supervision that non-automated tools do. As such, they can free up members of the IT team for more important tasks. This means a greater value for the company in terms of money paid versus services rendered.

5. Describe Any Previous Incidents In Detail

If your company has recently suffered a cyberattack (or an attempted cyberattack), you need to make sure that the incident is known and understood. This is where you can get a little more technical, but avoid using terms that the average person doesn’t understand. Anyone can present statistics regarding cybersecurity incidents, but an investor will want info that is relevant to your organization specifically.

6. Explain The Hindrances That Come From False Positives

When it comes to cybersecurity evaluation, false positives are a real pain. Unfortunately, this problem can never be fully eliminated. In fact, your cybersecurity tools should give false positives from time to time. That is how you know that the software is sensitive enough to pick up a real threat. At the same time, false positives represent wasted time, and time is money. Investing in better tech that reduces the number of false positives is a very sensible thing to do, as this will provide a significant return on the investment.

7. Concentrate On Provable Information

Although your professional opinion should be of value to your employer, provable facts and concrete information are much more convincing. It isn’t enough to say “I think this is a good idea because (reasons).” Instead, you should show the investors/executives facts that support your ideas. These can include business statistics, either from your organization or from similar groups. You might also employ some well-made cost projection figures from a reputable source or maybe a series of charts and graphs showing recent trends. Whatever information you use, make sure to verify it thoroughly beforehand, as this will help you to avoid looking foolish later.


When talking about a plan to convince your organization of anything, we should mention the importance of honesty. Nothing will kill your presentation faster than a piece of false or misleading information. Once your audience sees a potential integrity issue, they are likely to stop listening right then. On the other hand, if you give them objective facts and reasonable projections, it is far more likely that they will see the value of your plans.