Towards a new leadership narrative for the modern CISO.
Quite a lot of the narrative I come across online around cybersecurity budgets revolves around convincing the Board and justifying investments.
Some approaches are built around financial models and aim at justifying return on investment. Some others focus on quantifying risk and showing risk reduction.
All are data-driven and designed around some form of rational argument.
But is this really the way decisions are made at the top of large organisations?
In fact, those approaches are all part of the bottom-up narrative CISOs, cybersecurity consultants and cybersecurity vendors have been building towards top executives over the past two decades.
In my experience, they clash with three aspects of real-life enterprise dynamics:
First of all, decision making at enterprise level may have the appearance of a rational endeavour, but is in fact heavily influenced by cognitive biases, as evidenced by Daniel Kahneman and his school of thought.
This is perfectly obvious with cybersecurity, and it brings me to my second point:
Anybody who has spent enough time in the security industry will have come across situations where money that was previously denied appears in vast quantities at the first sight of a regulatory investigation, a bad audit report, an incident, a near miss, or a similar event affecting a competitor (that’s the “can it happen to us?” question many CISOs will be familiar with).
No concerns around ROI or risk reduction are raised in those scenarios: Top executives want to see boxes checked and evidence that they have done their job, should a bad breach occur. If execution does not follow, someone else will be blamed (often the CISO, a role sometimes nicknamed Chief Incident Scapegoat Officer).
More seriously, the penny has in fact dropped in many boardrooms around the “when-not-if” paradigm with cyberattacks: Following almost two decades of non-stop breaches, you would probably struggle to find one board member not aware of the business impact they can have. That brings me to my third point:
I have had many discussions, in particular with CIOs, who openly admitted that they could put “anything they like” in their budgets for cybersecurity, but that their main problem was delivering on cyber projects.
Where does that disconnect come from, between many CISOs and their vendors claiming to struggle with resources, and top executives increasingly cyber-aware and wanting to invest to protect the firm?
Of course, cybersecurity projects are often complex because they need to reach across corporate silos and geographies to deliver effective protection to the business. This is not natural in large firms, which are, almost by essence, territorial and political.
But beyond that, the profile of CISOs is also a key dimension:
Most are technologists by trade and background, and have spent the last decade firefighting incidents, incapable of building or delivering any kind of long-term narrative.
They have not developed the type of management experience, political finesse or personal gravitas that they would require to be truly successful, now that the spotlight is firmly on them from the top of the firm.
Many genuinely think that chronic under-investment in cybersecurity is the root cause of insufficient maturity levels, while it is in fact chronic execution failure linked to endemic business short-termism that is at the heart of the matter: Projects deprioritised as soon as “quick wins” are delivered or boxes checked on compliance reports, changes in direction as soon as a new executive joins or leaves, initiatives put on hold at the first sight of market turbulence. All point to governance and cultural aspects that are the real root causes of the long-term stagnation of cybersecurity maturity levels in large firms.
For the CISOs who have not integrated those cultural aspects and are almost always left out of those decisions, it breeds frustration; frustration breeds short tenures (in the region of two to three years for many); short tenures aggravate the management and leadership mismatch: You cannot deliver much of genuine transformative impact in large firms on those timeframes.
For top executives, the CISO “merry-go-round” also builds frustration: They have seen too many coming in with grandiose plans asking for millions before resigning after a few years, leaving everything half done.
Quite a lot of that disconnect is in effect built up in the first 100 days of the CISO.
Many CISOs come into a new job with pre-conceived views, sometimes created at interview time: Things that have worked elsewhere, pet subjects, vendors or consultants.
Many also feel that they have to prove themselves as specialists in their first 100 days. That’s a mistake. Competence is assumed in the first 100 days (you’ve just been hired). The challenges lie elsewhere.
The first 100 days are about proving your ability to fit in the organisational structure of the firm and act as a leader.
That starts by listening in my view: Listening to stakeholders and sponsors, understanding their expectations, their pain points, what has worked in the past, what hasn’t and why, what happened with your predecessor… Sometimes “what can I do to help you?” is simply the best question to ask…
This process should initiate a journey of co-construction of the cybersecurity narrative, and beyond that of the firm’s cybersecurity strategy.
If objectives are shared with stakeholders and sponsors, friction is reduced; over time, business champions emerge who relay the cybersecurity narrative, not because it’s the CISO’s but because it’s theirs.
The process should also embed the CISO in the governance and leadership dynamics of the firm.
By listening truly, identifying and following the cultural currents across the firm, the allegiances, the informal networks of trust where real decision making happens, the CISO becomes a trusted player for business leaders.
At that point, budgetary discussions become two-way discussions between trusted partners, not adversarial situations where one party has to win over the other.
Conversely, CISOs who approach their first 100 days looking to prove themselves tactically run the risk of ending up trapped in operational firefighting: This is a situation from which very few escape. They may be seen as a safe pair of hands in the end, but that’s unlikely to get them accepted at the strategy table.
This is the type of situation where a CSO role becomes a necessity, as I argued in an earlier piece, to orchestrate business protection at corporate level and ensure all regulatory obligations are met.
But none of this is inevitable.
Ultimately, the future of cybersecurity leadership will belong to those CISOs who recognize that building influence and trust has to precede action and investment.
Boards no longer need to be convinced that cyber risk matters — they need confident, culturally attuned leaders who can navigate complex corporate dynamics, build trust with all stakeholders, and orchestrate delivery across silos.
The first 100 days set the tone: Not through technical demonstrations or budgetary battles, but through listening, aligning, and co-creating a narrative that business leaders feel ownership over.
In doing so, CISOs move from pleading for resources to shaping strategy as true executives — not firefighters on the sidelines, but architects of resilience at the heart of the enterprise.
JC Gaillard
Founder & CEO
Corix Partners
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.
An edited version of this article was published on CSOonline on 11th December 2025 and can be found here.
