The Impact of Funding on Cybersecurity Growth
Explore top LinkedIn content from expert professionals.
Summary
The impact of funding on cybersecurity growth highlights how financial investments can drive advancements in security measures, making them not just preventive tools but also enablers of business growth. Organizations are increasingly shifting from viewing cybersecurity as a cost center to a strategic investment that reduces risk, improves operational efficiency, and creates competitive advantages.
- Align security with business outcomes: Clearly connect cybersecurity investments to measurable business benefits like customer acquisition, compliance, or operational efficiency for better executive buy-in.
- Adopt risk quantification: Use financial metrics like Return on Mitigation (RoM) to evaluate the impact of security measures in terms of avoided losses and reduced exposure to potential threats.
- Reevaluate budget allocation: Regularly assess the efficiency of security investments and prioritize funding for controls that mitigate significant risks, instead of spreading resources thinly across all potential issues.
-
2025's Cybersecurity Budget Reality Check 💰

New data shows over 50% of companies are spending 11-30% of their IT budgets on cybersecurity tools. That's not just significant—it's transformative.

10 years ago, convincing enterprises to invest in cybersecurity was an uphill battle. Today, the conversation has completely flipped.

The mindset shift is profound:
- "We can't afford a breach" → "We can't afford to fall behind on security innovation"
- Security budgets moved from defensive spending to competitive investment
- Fear-based vendor pitches are getting rejected—buyers want business enablement stories

What's really fascinating: Companies implementing zero trust aren't just getting better security. They're seeing 23% faster customer onboarding, reduced IT friction, and improved user experiences.

For B2B SaaS founders, this budget shift creates unprecedented opportunity. Your prospects have allocated funds and executive urgency. But here's the key: Don't sell security as insurance—sell it as acceleration.

The deals I'm seeing close fastest show how security investments:
✓ Reduce customer acquisition friction
✓ Enable faster product development cycles
✓ Create differentiated customer experiences
✓ Support compliance-driven market expansion

Security isn't a cost center anymore—it's a growth multiplier.

How are you positioning your cybersecurity investments: as protection or as competitive advantage?

#Cybersecurity #B2BSaaS #ZeroTrust #ProductLedGrowth #Innovation
"We can't approve this cybersecurity budget without understanding the ROI."

The CFO's request was reasonable but revealed a fundamental disconnect in how organizations evaluate security investments: conventional financial metrics don't apply to risk mitigation.

The Challenge: Making Security Tangible

Traditional security justifications relied on fear-based narratives and compliance checkboxes. Neither approach satisfied our financially rigorous executive team. Our breakthrough came through implementing a risk quantification framework that translated complex security concepts into financial terms executives could evaluate alongside other business investments.

The Methodology: Quantifying Risk Exposure

1. Baseline Risk Calculation: We established our annual loss exposure by mapping threats to business capabilities and quantifying potential impacts through a structured valuation model.
2. Control Effectiveness Scoring: We created an objective framework to measure how effectively each security control reduced specific risks, producing an "effectiveness quotient" for our entire security portfolio.
3. Efficiency Factor Analysis: We analyzed the relationship between control spending and risk reduction, identifying high-efficiency vs. low-efficiency security investments.

The Results: Targeted Risk Management

• Our IAM investments delivered the highest risk reduction per dollar spent (3.4x more efficient than endpoint security)
• 22% of our security budget was allocated to controls addressing negligible business risks
• Several critical risks remained under-protected despite significant overall spending

Key Lessons in Risk Quantification

1. Shift from binary to probabilistic thinking: Security isn't about being "secure" or "vulnerable"—it's about managing probability and impact systematically.
2. Connect controls to business outcomes: Each security control must clearly link to specific business risks and have quantifiable impacts.
3. Challenge cherished assumptions: Our analysis revealed that several long-standing "essential" security investments delivered minimal risk reduction.

By reallocating resources based on these findings, we:
• Reduced overall cybersecurity spending by $9M annually
• Improved our quantified risk protection by 22%
• Provided clear financial justification for every security investment

Disclaimer: Views expressed are personal and don't represent my employers. The mentioned brands belong to their respective owners.
-
CISOs and cybersecurity professionals need to be better equipped to justify overall spend levels on security and make objective trade-offs across initiatives. ROI simply doesn’t cut it. That’s because cybersecurity isn’t about generating profit; it’s about mitigating losses—ransomware attacks, breaches, downtime, etc. Traditional ROI fails to quantify these factors properly.

💰 Introducing: Return on Mitigation (RoM): Instead of revenue, RoM measures avoided financial damage, finally valuing security’s true impact in dollars.

For CISOs, RoM provides a clearer financial framework to:
🔹 Secure executive buy-in with loss-prevention metrics that resonate with the board.
🔹 Prioritize security investments by comparing potential mitigated losses.
🔹 Benchmark cybersecurity effectiveness across teams, vendors, and industries.
🔹 Strengthen regulatory and insurance discussions with quantifiable risk reduction.

The industry needs a common financial language for cybersecurity investments. Read my take: https://bit.ly/4izIUVB

Are we ready to change the way we measure and talk about cybersecurity’s impact? Let’s discuss. 👇

#Cybersecurity #RiskManagement #RoM #CISO #CyberResilience
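Added example, not code or figures from either post: the three-step method of the risk quantification post (baseline exposure, control effectiveness scoring, efficiency factor) and the Return on Mitigation ratio from the post above, modelled in Python. Every risk name, dollar amount, effectiveness fraction, the independence assumption in residual_exposure and the two thresholds are constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Risk:
    name: str
    ale: float              # baseline annual loss exposure in dollars (constructed)
    critical: bool = False

@dataclass
class Control:
    name: str
    cost: float                                  # annual spend in dollars (constructed)
    effect: dict = field(default_factory=dict)   # risk name -> fraction of its ALE removed

# Step 1, baseline risk: constructed exposures, not the author's figures.
RISKS = [Risk("credential theft", 4_000_000, critical=True),
         Risk("ransomware", 6_000_000, critical=True),
         Risk("legacy fax leak", 50_000)]
# Step 2, control effectiveness: assumed "effectiveness quotient" per risk.
CONTROLS = [Control("IAM / MFA", 800_000, {"credential theft": 0.7, "ransomware": 0.3}),
            Control("endpoint EDR", 1_200_000, {"ransomware": 0.4}),
            Control("fax DLP", 400_000, {"legacy fax leak": 0.9})]

def avoided_loss(control, risks):
    """Dollars of annual loss exposure the control removes (the RoM numerator)."""
    ale = {r.name: r.ale for r in risks}
    return sum(ale[n] * f for n, f in control.effect.items() if n in ale)

def return_on_mitigation(control, risks):
    """Step 3, efficiency factor: avoided loss per dollar spent on the control."""
    return avoided_loss(control, risks) / control.cost

def residual_exposure(risks, controls):
    """ALE left after all controls; assumes each control reduces a risk independently."""
    return {r.name: r.ale * math.prod(1.0 - c.effect.get(r.name, 0.0) for c in controls)
            for r in risks}

def budget_share_on_negligible_risks(risks, controls, negligible_ale=100_000):
    """Fraction of spend on controls that only address risks below the negligible threshold."""
    negligible = {r.name for r in risks if r.ale < negligible_ale}
    total = sum(c.cost for c in controls)
    return sum(c.cost for c in controls if set(c.effect) <= negligible) / total

def under_protected_critical(risks, controls, tolerance=2_000_000):
    """Critical risks whose residual exposure still exceeds the assumed loss tolerance."""
    residual = residual_exposure(risks, controls)
    return [r.name for r in risks if r.critical and residual[r.name] > tolerance]
```

With these constructed inputs IAM scores the highest RoM, one sixth of the budget sits on a negligible risk, and ransomware stays above tolerance despite two controls touching it, which mirrors the three findings in the post.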
-
Cybersecurity is changing how financial markets work but not in the way people think:

1. Private equity companies have learned that cyber incidents can derail even the best-laid investment theses, and few cases illustrate it as well as the story of SolarWinds. That is why we are seeing more and more PE firms invest in captive MSSPs - having a single service provider (usually owned by the same PE) offer security and compliance to all the companies in their portfolio. The struggles of SolarWinds and the fact that the company has become known worldwide because of the breach highlighted that, while over the long term the impact of cyber incidents tends to be negligible, given the PE playbook and timelines it can be pretty disruptive.

2. During M&A, security is starting to play a more and more important role. One of the earliest wake-up calls came in 2017 when PayPal acquired TIO Networks. Some weeks after the acquisition closed, PayPal discovered that 1.6 million customers’ data had been compromised in a breach that predated the deal. The fallout was really bad: TIO was forced to suspend operations, PayPal got stuck in many lawsuits, and the company took a reputational hit even though it wasn’t responsible for the original breach. The story of TIO Networks became a textbook example of a cyber issue derailing an otherwise promising acquisition, sending over $200M down the drain. There have been plenty of other cases like Verizon’s acquisition of Yahoo and Marriott's acquisition of Starwood Hotels that made this an issue acquirers are paying attention to today.

3. VCs don't evaluate the security of their investments because there has not been a correlation between the security posture of a company and their success. Most startups fail due to well-known and well-documented reasons: lack of product-market fit, running out of money, poor execution, etc. A breach or cyber incident is not on the list of top 20-50 reasons.

Let me be clear: I am not saying that VCs ignore cyber risk. It’s really the opposite - venture is fundamentally about managing risk and reward, but not all risks are treated equally. Legal and regulatory risks, for example, are taken seriously because there’s a well-established history of them tanking deals and killing companies. Legal due diligence is a standardized, critical part of the investment process, not because it’s exciting, but because stuff like intellectual property issues has burned investors before. The moment cybersecurity creates similar pain, like when a breach derails a billion-dollar IPO or acquisition, cyber due diligence will quickly become a part of the process, likely starting with later rounds.
-
In the US, enterprise tech spending has grown 8% annually while labor productivity has grown less than 2%. The tech spend to productivity relationship is showing up in mid-year budget discussions currently underway at most companies. The economics of IT/tech/digital/AI are (again) under a microscope. It was the same last year, and the year before that and every year prior for as long as I have been a professional adviser to CEOs, CFOs, and CIOs. Tired of this Groundhog Day moment every year, we decided to dig into the economics of enterprise tech. There is some “new news” and some new insights on “old news”.

The “new news” – what’s driving up costs:
1. Cyberattacks increased over 25% last year, resulting in a 15% increase in cybersecurity spend this year. While much of this is necessary, it doesn't correlate with an ROI a company can point to.
2. Increase in AI and geopolitical-related spending. On AI, most companies haven't seen value from their investments (only 1% describe themselves as “mature” in their AI deployments).

The new insights on “old news” are:
1. Indirect costs of product development (cloud/security services/tool licenses) can account for 80% of a product’s lifetime costs.
2. Incentive misalignment leads to poor decisions on enterprise tech spend and results in a 20-30% loss of value.
3. Companies pay an additional 10-20% to address tech debt on top of the costs of any project, creating a significant drag on productivity.
4. 5-10% of IT productivity improvements can be lost to vendors (for example, when providers don't pass along reductions in hardware costs).

Clearly, there's a need for deeper understanding and transparency into the economics of enterprise tech. In this new analysis with my colleagues Pablo Prieto, Ph.D., Jeffrey Lewis, James Kaplan, we lay out 4 ways to optimize these investments.
1️⃣ Meter and measure: Track tech usage cost at a granular level to foster accountability and minimize tech debt, using models like FinOps.
2️⃣ Treat everything as a product: Manage all technology initiatives as products with autonomous, accountable, and incentivized cross-functional teams (led by product managers) to ensure cost responsibility and value capture.
3️⃣ Go big: Prioritize domains (end-to-end processes) over single use cases, leveraging analytics to pinpoint and amplify initiatives with the most impact.
4️⃣ Embrace and accelerate: Optimize agentic AI to modernize and rethink talent models with more flexible systems.

In this season and beyond, the choices CEOs, CFOs and CIOs make now will be the cornerstone of success in an AI-driven future. Looking forward to discussing this more with clients over the rest of the year to ensure 2026 decisions and priorities are better planned, executed, and value is fully realized.

#NeverJustTech #McKinseyTechnology #TechEconomics #CIO #CFO https://lnkd.in/grFUuQks
-
Turning Cyber Risk Into Boardroom Metrics That Matter - Forbes

Cybersecurity has always come with a translation problem. Technical teams speak in terms of vulnerabilities and threats, while boards want to understand risk in dollars and business impact. As attacks become more costly and regulatory scrutiny grows, however, the gap between technical risk and business accountability is shrinking fast.

The Boardroom Is Asking New Questions

Boards and executives increasingly want to know: How much risk are we taking on, in real financial terms? Are cybersecurity investments justified? Are we actually reducing exposure—or just reacting to the latest crisis? All fair and valid questions. The pressure to answer these questions isn’t just external. Internally, organizations are moving away from blank-check security budgets. Leaders expect to see risk—and progress—quantified in business language: dollars, business impact, and return on investment.

From Jargon to Dollars

It is an eternal struggle. For most companies cybersecurity is a cost center, not a revenue-generating function. The better cybersecurity is at achieving its stated objectives, the less necessary it seems—if there are no successful attacks, why spend so much money on defending against them? Cyber risk quantification is quickly gaining ground as a bridge between IT and the C-suite that addresses this challenge. The promise is simple: turn technical scenarios into dollar-based outcomes so everyone is on the same page. CRQ platforms don’t just talk about possible vulnerabilities—they show what a breach could really cost, how an investment reduces exposure, and where risk is shifting across the organization. This approach is becoming the new standard as boards and regulators demand clear evidence of measurable progress.

A New Player in the US Market

The changing landscape is driving international players to expand their presence. Squalify, a Munich-based cyber risk quantification provider, just announced its U.S. entry, launching with a Bay Area healthcare customer. The company’s platform, backed by Munich Re’s cyber loss data, aims to help organizations move from reactive, compliance-based security toward proactive, ROI-driven strategies.

#cybersecurity #CyberRiskQuantification #CRQ #boardofdirectors #riskmanagement #ROI