Great proposals still fail if they don’t fit the way decisions are made.
A compelling business case doesn’t just need to be strong—it needs to be positioned correctly within the decision-making system of your organization. That means understanding who decides, how they decide, when they decide, and what they need to see in order to say yes.
Cybersecurity teams often skip this step, assuming that logic and urgency will carry the day. But if your case doesn’t match the process, timing, or governance cadence, it can fall flat—regardless of merit.
This section helps you diagnose how budget decisions get made, so you can work with the system, not against it.
Start by pinpointing who actually approves the type of investment you’re requesting.
Is this within the domain of the CIO, CFO, or a committee?
For mid-size requests, does your VP or business unit leader sign off?
Who has influence over the decision, even if they don’t hold the budget?
Tip: Budget authority and decision influence are not always the same. Know both.
Every organization has some form of capital governance—even if it’s informal.
Are there investment committees, program management boards, or budget councils?
Do proposals need a business sponsor to proceed?
Is this initiative part of an existing program, or does it need to stand on its own?
Proposals aligned with broader initiatives often move faster—leverage that if possible.
Budget is rarely decided in real time.
Is your organization in an annual planning window right now?
Are there quarterly or mid-year check-ins where new requests are reviewed?
What’s the lead time between proposal and decision?
If you’re trying to rush a case through outside that cadence, you’ll need to build urgency and sponsorship more deliberately.
Your current budget tells a story—make sure it’s the right one.
Before asking for more investment, take a hard look at the current state of cybersecurity spend. Executives will often ask (or think): “What have we already spent? What results did we get? Why more now?”
If you don’t lead with that analysis, someone else will—and the narrative may not serve you.
Start by creating a 3-line summary:
Allocated budget (original approved amount)
Actual spend to date (across major cost categories)
Variance (underspend or overspend)
Include context:
Were any savings intentional (e.g. vendor consolidation)?
Were there unplanned cuts or reallocation decisions?
Tip: Create a basic spreadsheet by quarter showing budgeted vs. actual, then annotate major changes.
Once you have the numbers, ask:
Are we delivering the outcomes tied to our last funding cycle?
Are we overextended, running lean, or carrying unspent funds?
What part of our current spend is reactive vs. strategic?
This helps surface inefficiencies, resource constraints, or underinvestment—each of which has risk implications.
Your financial story may carry:
Reputational risks if money was spent with unclear ROI
Political risks if other departments feel security is overfunded (or under-resourced but vocal)
Skepticism if previous asks were large but impact wasn’t well-communicated
Rather than dodge these, incorporate them:
Acknowledge where the program has struggled
Emphasize where lessons have been learned
Connect the next ask to a more disciplined, outcome-focused plan
Pro Tip: Use this section to reposition the security org as fiscally responsible and strategically aligned—not just technically urgent.
This step supports your credibility and financial discipline:
Establishes a clear baseline for cost-benefit framing
Shows you’re not “just asking for more”—you’ve reflected on what’s been spent
Helps preempt pushback about past spend and ROI
Who are the decision-makers and influencers that shape or control this funding decision?
What is the governance structure and timing for financial approvals?
What is the current financial health of the cybersecurity program—and how might that shape perception or resistance to your case?