Cybersecurity Budgets Shift to Risk-Based Models Amid Rising Threats

Severity: Low (Score: 39.9)

Sources: KPMG

Published: 2026-05-22 · Updated: 2026-05-22

Keywords: cyber, budgets, risk, budgeting, cybersecurity, risk-based, approach

Summary

Cybersecurity budgeting is evolving as organisations face increasing cyber risks while budgets stagnate. Traditional budgeting methods often rely on historical spending and so fail to address current threats effectively. The articles advocate a risk-based approach to budgeting, emphasising the need for cyber risk quantification (CRQ) to inform investment decisions. This shift aims to align spending with measurable outcomes that reduce actual risk rather than merely maintaining existing tools and personnel. Flexibility in budgeting processes is crucial because cyber threats evolve rapidly. Leaders are encouraged to justify expenditure on the basis of risk reduction rather than historical allocations. The emphasis is on transparency and adaptability in budget management to enhance overall cybersecurity resilience.

Key Points:

  • Cybersecurity budgets are often misaligned with actual risk levels.
  • A risk-based budgeting approach can improve resilience and investment returns.
  • Cyber risk quantification (CRQ) is essential for making informed budgeting decisions.

Detailed Analysis

**Impact**

The shift to risk-based cybersecurity budgeting affects enterprises globally, particularly those managing ransomware, insider threats, third-party dependencies, and emerging AI misuse risks. Misaligned budgets lead to inefficient resource allocation, potentially leaving critical risks underfunded while overinvesting in less relevant areas. This misalignment can reduce organisational resilience, impair board-level risk communication, and diminish returns on security investments across sectors and geographies.

**Technical Details**

The articles do not provide specific attack vectors, TTPs, malware, CVEs, or infrastructure details related to active threats. Instead, they focus on the strategic approach to budgeting based on quantifiable cyber risks such as ransomware disruption and third-party access exposure, emphasising the need for adaptive and measurable risk management rather than static, tool-focused spending.

**Recommended Response**

Organisations should implement a risk identification and quantification process to map existing cybersecurity budgets to actual risk categories, such as ransomware and insider misuse. They must realign spending by closing gaps and eliminating investment in outdated risks, coordinating closely with procurement to ensure vendor spend reflects risk priorities. Continuous budget flexibility and transparency linking spend to risk reduction are essential, with a focus on measurable business outcomes rather than fixed line-item categories.

Source articles (2)

  • A risk-based approach to cyber budgets — KPMG · 2026-05-22
    Cybersecurity budgets are often poorly aligned with the actual level of risk to the organisation. Such misalignment can be driven by local challenges measuring and quantifying cyber risk, but it is co…
  • Reinventing cyber budgeting — KPMG · 2026-05-19
    Cybersecurity has entered a new phase. Budgets are flattening while cyber risk accelerates. Yet most cyber budgeting still relies on rolling forward last year’s spend, adjusting at the margins, and de…

Timeline

  • 2026-05-19 — Reinventing Cyber Budgeting report published: KPMG and TAG Infosphere released a report advocating for a risk-led investment approach in cybersecurity budgeting.
  • 2026-05-22 — A risk-based approach to cyber budgets published: KPMG article outlines a framework for aligning cybersecurity budgets with quantifiable risks to enhance resilience.

Related entities

  • Ransomware (Attack Type)