The Cost Center That Cannot Count
Security loses the budget fight not because it matters less, but because it reports activity while the board prices value. Only 47% of CISOs are even in the room when cyber investment gets planned.
This is Part 2 of "The Corporate Security Gap", a series on why companies have security on paper but not as a function. Part 1: The Function That Never Got a Seat.
Picture the budget round. Each function arrives to defend its number. Sales projects revenue per pound of spend. Operations shows throughput and unit cost. Finance models the cost of capital. Then security presents: incidents handled, mean time to respond, patches applied, a tidy uptime figure on the access-control system. Every chart is accurate. Not one of them answers the only question the board is actually asking, which is what the company got for the money, expressed in the same currency as everything else on the table. So security defends activity in a room that is pricing value, and it loses, quietly, the way it loses every year.
This is the mechanism the first article in this series pointed at without naming. Part 1 argued that security sits outside the machinery of decision, that the board prices value in full and risk by half. This article is about why that exclusion is self-reinforcing. A function that cannot express its own worth in the board’s language cannot make the case for its own budget, which keeps it underfunded, which keeps it operational, which keeps it out of the room. The inability to measure is not a side problem. It is the lock on the door.
Activity is not value
Start with the distinction that the budget round exposes. Security, as most companies run it, reports activity metrics: number of incidents, time to detect, time to respond, vulnerabilities patched, phishing tests run. These are real and operationally useful. They tell you the department is working. They tell you nothing the board can price, because the board does not allocate capital against activity. It allocates against value and risk, measured in money: what an exposure would cost, how much a given spend reduces that cost, what the residual risk is worth carrying.
The gap between those two vocabularies is the whole problem. A value metric answers “what loss did this prevent, and what did prevention cost”. An activity metric answers “how busy were we”. A board fluent in the first hears the second as noise, or worse, as overhead asking to grow. And the evidence that this translation is not happening is direct. According to PwC’s 2025 Global Digital Trust Insights survey, only 47% of CISOs are involved to a large extent in strategic planning with CFOs on cyber investment. Fewer than half of the people who understand the exposure are in the room where the money is decided. The other half are reporting activity upward and hoping it reads as value. It does not.
Why the number is hard to produce
Part of this is not negligence; it is genuinely difficult. Security ROI is a probabilistic claim about events that did not happen. Sales can point to a signed contract. Security has to argue that a breach which never occurred would have cost a specific amount, and that its spending is what kept the breach in the realm of the counterfactual. That is a harder sentence to say with a straight face in front of a CFO, and security leaders know it, so many simply do not try.
But the difficulty is overstated as an excuse, because the methods exist. Return on Security Investment, ROSI, reframes the traditional ROI formula around expected loss: estimate the annual loss a risk would cause, estimate what fraction of that loss a control removes, subtract the cost of the control from the loss avoided and divide by that cost, and you have a return a finance executive recognises. Put numbers on it and the budget stops being a cost. Say a given class of incident is expected to cost two million a year in aggregate, and a six hundred thousand control is projected to cut that exposure by seventy per cent. The control removes one point four million of expected loss for six hundred thousand of spend: a net eight hundred thousand, a return of roughly a hundred and thirty per cent on the money, which the board can compare directly against any other use of the same capital. That is not a plea for funding. It is an investment case. The FAIR model, Factor Analysis of Information Risk, goes further and expresses cyber risk itself in financial terms, as a distribution of probable loss built from how often loss events occur and how much each one costs, rather than a colour on a heat map. Value-at-risk logic, borrowed straight from finance, lets a company state its exposure as "at this confidence level, annual loss will not exceed this much", which is a statement about capital rather than about effort. None of these is exotic. All of them translate security into the board's native language.
The problem is adoption, not availability. These frameworks demand loss data, probability estimates, and a willingness to defend a range rather than hide behind a tidy activity count. Most security functions, scoped as operational units and staffed accordingly, have neither the mandate nor the analytical posture to run them. So the tools that would buy security a seat sit unused, and the budget round repeats.
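To make the arithmetic in the two paragraphs above concrete, here is an added example in Python; it is not from the article, PwC or the FAIR Institute. It generalises the point-estimate ROSI above into the form FAIR and value-at-risk reasoning actually ask for: a simulated distribution of annual loss, from which expected loss, the 95% value at risk and the return on a control are read off together. The scenario figures (a loss event frequency of 0.8 per year, a median per-event loss of 1.8 million, a 600,000 control that cuts event frequency by seventy per cent) are constructed to land near the article's two-million-a-year case and are not data from any survey.

```python
"""FAIR-style loss model with ROSI and value-at-risk.

Added example, not from the article. All scenario figures are constructed.
Expected annual loss = loss event frequency x loss magnitude, estimated by
Monte Carlo over a Poisson event count and a lognormal per-event loss.
"""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class LossScenario:
    name: str
    lef_per_year: float       # loss event frequency: mean events per year (Poisson)
    magnitude_median: float   # median loss per event, in currency units (lognormal)
    magnitude_sigma: float    # spread of per-event loss in log space


def rosi(annual_loss_expectancy: float, mitigation_ratio: float,
         control_cost: float) -> float:
    """Return on Security Investment for point estimates, as in the article:
    (expected loss avoided - cost of control) / cost of control."""
    avoided = annual_loss_expectancy * mitigation_ratio
    return (avoided - control_cost) / control_cost


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenario: LossScenario, trials: int,
                           seed: int = 1) -> list:
    """One simulated year per trial: draw how many loss events occur, then
    draw and sum the magnitude of each. Returns the list of annual totals."""
    rng = random.Random(seed)
    log_median = math.log(scenario.magnitude_median)
    totals = []
    for _ in range(trials):
        events = _poisson(rng, scenario.lef_per_year)
        totals.append(sum(rng.lognormvariate(log_median, scenario.magnitude_sigma)
                          for _ in range(events)))
    return totals


def value_at_risk(losses: list, confidence: float = 0.95) -> float:
    """Annual loss not exceeded in `confidence` of the simulated years."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[index]


def evaluate_control(scenario: LossScenario, control_cost: float,
                     lef_reduction: float, trials: int = 20000,
                     seed: int = 1) -> dict:
    """Compare the loss distribution with and without a control that cuts
    loss event frequency by `lef_reduction` (0.7 for seventy per cent)."""
    before = simulate_annual_losses(scenario, trials, seed)
    mitigated = replace(scenario, name=scenario.name + " + control",
                        lef_per_year=scenario.lef_per_year * (1 - lef_reduction))
    after = simulate_annual_losses(mitigated, trials, seed)
    ale_before, ale_after = mean(before), mean(after)
    avoided = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "var95_before": value_at_risk(before),
        "var95_after": value_at_risk(after),
        "net_benefit": avoided - control_cost,
        "rosi": (avoided - control_cost) / control_cost,
    }


# Constructed scenario, tuned to sit near the article's two-million-a-year case.
RANSOMWARE = LossScenario("ransomware on core systems",
                          lef_per_year=0.8, magnitude_median=1_800_000,
                          magnitude_sigma=0.8)

if __name__ == "__main__":
    print("point-estimate ROSI from the article's numbers: "
          f"{rosi(2_000_000, 0.7, 600_000):.2f}")
    result = evaluate_control(RANSOMWARE, control_cost=600_000, lef_reduction=0.7)
    for key, value in result.items():
        fmt = f"{value:.2f}" if key == "rosi" else f"{value:,.0f}"
        print(f"{key:>13}: {fmt}")
```

The design choice worth noticing is that the control is modelled as reducing how often loss events happen, not how much each one costs; a control that shrinks blast radius (segmentation, tested backups) would instead lower the magnitude parameters, and a board case should say which of the two it is claiming. Reading the output the way a CFO would: the expected annual loss is what the exposure costs on average, the 95% value at risk is the year the company should be able to absorb, and the ROSI is the comparison against any other use of the same six hundred thousand. Every one of those numbers inherits the uncertainty of the frequency and magnitude estimates feeding it, which is exactly the loss data and defensible range the paragraph above says most security functions are not set up to produce.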
What the gap costs
The consequence compounds in three steps, and each one tightens the lock.
First, the budget. A function that reports activity is read as overhead, and overhead is what gets trimmed first when the year is quiet and blamed first when it is not. Security spending is rising in absolute terms, but rising spend decided without a value frame is not the same as security shaping where protective capital goes. It is the board topping up a cost line it does not fully understand, which is generosity, not governance, and generosity reverses the moment margins tighten.
Second, the standing. Because security cannot price itself, the rest of the C-suite prices it, usually as a necessary expense rather than a value-add. The PwC data shows the symptom plainly: when fewer than half of CISOs are in the strategic planning conversation, the default is that security receives priorities rather than shaping them, exactly the recipient posture this series keeps returning to. And the gap is not just structural, it is perceptual. PwC’s survey records a thirteen-point divide between CISOs and CEOs on how ready the organisation is for cyber regulation, the security leader closer to the threat reading the risk one way, the chief executive reading it another. A function that cannot speak the board’s language in numbers does not just lose budget. It loses the argument about how exposed the company even is.
Third, the governance lock. This is where Part 1 and Part 2 close into a loop. Security is absent from the decision because it cannot measure itself; it cannot measure itself because it is scoped as an operational department; it is scoped that way because it has never made the value case that would justify anything larger. Each turn of the loop confirms the last. The measurement gap is not a reason security is undervalued. It is the machine that keeps it undervalued.
The sector that had to learn
There is one place the loop breaks, and it breaks under pressure rather than insight. Financial services, pushed by regulators who demand that risk be quantified and capital be held against it, has had to express security and operational risk in financial terms for years. The clearest current example is the European Union's Digital Operational Resilience Act, Regulation (EU) 2022/2554, which applied from 17 January 2025 across roughly twenty two thousand financial entities. DORA does not accept "we patched diligently" as an answer. It mandates an ICT risk-management framework with accountability sitting with the management body, demands incident reporting and resilience testing up to threat-led penetration testing for the larger entities, and backs the whole regime with administrative penalties set by national supervisors and, for critical ICT third-party providers, periodic penalty payments of up to one per cent of average daily worldwide turnover. When the cost of vagueness is a penalty of that shape, "how exposed are we, in money" stops being a question security can decline to answer. The result is that, in that sector, security speaks closer to the board's language by obligation, and its standing is correspondingly higher. The contrast is the lesson. Where measurement is forced, security stops being a cost center. Where it is optional, it almost never makes the leap on its own.
The line
Security without governance is just guarding, and a function that cannot count itself cannot defend itself. The two are the same observation seen from different ends. A guard measures effort, hours on post, doors checked, alarms answered. A function measures consequence, loss avoided against money spent. The first will always read as cost, because cost is the only thing effort can be priced as. The second can read as value, because value is what consequence is made of.
So the question that closes this article is not whether your security team is busy. The metrics will say it is. The question is whether anyone in the building can state, in money, what that team is worth, and whether the team itself can. Because if the answer is no, then the budget round will go the way it always goes, and the seat at the table that Part 1 described will stay empty for the reason Part 2 just gave: not because security does not matter, but because it never learned to say how much.
The next part of this series turns from the single function to the spaces between them, where the gaps that hurt most are the ones no department was ever measured on.