By Steve Liss, Fulton May Solutions
Risk exposure grows every year: more cloud services, more SaaS, and more automated attack paths. Tool sprawl follows quickly: new products get bought to solve single problems, then sit idle or overlap. Finance hears about “security” and expects a line item, but the right answer isn’t a longer shopping list. It’s a defensible program.
My thesis is simple: a one-page security control map, paired with a sequenced rollout, keeps spend focused and defensible for leadership. When I present plans to finance, they’re not buying products; they’re buying risk reduction delivered in measurable increments.
"Security is a program, not a product: define controls, show evidence, sequence work, and budget the hidden costs up front."
Steve Liss
Build a One-Page Security Control Map
A control map turns abstract risk into actionable commitments. I structure mine as: Risk → Control → Capability → Owner → KPI/Evidence. That single line shows why a control exists and how we will prove it.
Control Map Definition and Examples
Here are one- to two-row examples I use when I need decisions fast.
- Business Email Compromise (BEC) → Identity & Email Controls → MFA (multi-factor authentication), Conditional Access, DMARC (Domain-based Message Authentication, Reporting & Conformance) → IT Ops Lead → MFA coverage %, failed-sim phishing rate, DMARC enforcement reports.
- Ransomware from Unpatched Hosts → Endpoint & Patch Management → Endpoint protection, patch policy enforcement, OS/browser currency → Systems Admin → Patch latency (days), vulnerable-host count, backup success rate.
Control Map Readiness
- All critical risks listed and prioritized (top 10–15).
- Clear control mapped to each risk (prevention, detection, response).
- Concrete capabilities named (products or processes—not vague goals).
- Single owner assigned for each control.
- KPI / evidence defined for monthly and quarterly review.
- Implementation timeline or phase noted (90/180/270 days).
- Acceptance criteria and success thresholds documented.
- Rollback or mitigation steps defined if rollout fails.
- Dependencies and third-party owners identified.
- Budget estimate range attached to each control (implementation + O&M).
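The readiness checklist above is easiest to apply if the control map lives as data rather than as a slide. The following is an added example (not code from the post or from Fulton May Solutions) that encodes the Risk → Control → Capability → Owner → KPI/Evidence line as a record and checks each row against the checklist items. The two rows are built from the BEC and ransomware examples in the post; the acceptance thresholds, rollback text and budget figures are constructed for illustration, and the ransomware row is deliberately left incomplete so the checker has something to report.

```python
from dataclasses import dataclass, field

VALID_PHASES = {90, 180, 270}        # rollout phases used in the sequencing plan


@dataclass
class ControlRow:
    """One line of the control map: Risk -> Control -> Capability -> Owner -> KPI/Evidence."""
    risk: str
    control: str
    capabilities: list            # concrete products or processes, not goals
    owner: str                    # exactly one accountable person or role
    kpis: list                    # evidence reviewed monthly / quarterly
    phase_days: int = 0           # 90, 180 or 270
    acceptance: str = ""          # success threshold for the rollout
    rollback: str = ""            # what happens if the rollout fails
    dependencies: list = field(default_factory=list)   # third parties, upstream projects
    budget_range: tuple = ()      # (low, high) covering implementation + O&M


def row_gaps(row: ControlRow) -> list:
    """Return the readiness items this row fails (an empty list means the row is ready)."""
    gaps = []
    if not row.capabilities:
        gaps.append("no concrete capability named")
    if not row.owner.strip() or any(sep in row.owner for sep in (",", "/", " and ")):
        gaps.append("owner must be a single person or role")
    if not row.kpis:
        gaps.append("no KPI / evidence defined")
    if row.phase_days not in VALID_PHASES:
        gaps.append("phase must be 90, 180 or 270 days")
    if not row.acceptance:
        gaps.append("no acceptance criteria")
    if not row.rollback:
        gaps.append("no rollback or mitigation step")
    if len(row.budget_range) != 2 or row.budget_range[0] > row.budget_range[1]:
        gaps.append("budget range missing or inverted")
    return gaps


def readiness_report(rows: list) -> dict:
    """Per-row gaps plus map-level checks (size of the top-risk list, duplicate risks)."""
    report = {"rows": {r.risk: row_gaps(r) for r in rows}, "map": []}
    if not 10 <= len(rows) <= 15:
        report["map"].append(f"{len(rows)} risks listed; aim for the top 10-15")
    if len({r.risk for r in rows}) != len(rows):
        report["map"].append("duplicate risk names")
    return report


# Constructed rows based on the two examples in the post. Thresholds, rollback
# text and budget figures are illustrative, not figures from the post.
BEC = ControlRow(
    risk="Business Email Compromise",
    control="Identity & Email Controls",
    capabilities=["MFA", "Conditional Access", "DMARC"],
    owner="IT Ops Lead",
    kpis=["MFA coverage %", "failed-sim phishing rate", "DMARC enforcement reports"],
    phase_days=90,
    acceptance="MFA coverage >= 98% and DMARC policy at p=reject",
    rollback="Disable the Conditional Access policy; keep MFA enforced",
    budget_range=(5000, 12000),
)
RANSOMWARE = ControlRow(
    risk="Ransomware from Unpatched Hosts",
    control="Endpoint & Patch Management",
    capabilities=["Endpoint protection", "patch policy enforcement", "OS/browser currency"],
    owner="Systems Admin",
    kpis=["Patch latency (days)", "vulnerable-host count", "backup success rate"],
    phase_days=90,
    acceptance="Median patch latency <= 14 days",
    # rollback and budget_range intentionally missing to show the checker at work
)

if __name__ == "__main__":
    report = readiness_report([BEC, RANSOMWARE])
    for risk, gaps in report["rows"].items():
        print(risk, "->", gaps or "ready")
    for note in report["map"]:
        print("map:", note)
```

Running it prints the ransomware row as missing its rollback step and budget range, and flags that only two risks are listed; the checks mirror the checklist bullets one-to-one, so a new bullet becomes one more `if` in `row_gaps`.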
Sequence Investments for Momentum (90 / 180 / 270 Days)
I sequence work to deliver early, high-value wins that reduce outsized risk and free capacity for tougher projects. Start with controls that are low effort but high impact, then move to pilots, then to sustainment and maturity.
Sample 2026 Sequencing Plan
| Phase | Focus | Key Capabilities | Effort Band | Budget Notes |
| --- | --- | --- | --- | --- |
| Phase 1 (0–90 days) | Baseline defenses and recoverability | MFA everywhere, OS/browser currency, email security, one backup recovery rehearsal | Low–Medium | Small one-time implementation; modest staff hours for rollout and support surge |
| Phase 2 (90–180 days) | Access posture & SaaS visibility | ZTNA (Zero Trust Network Access) / SASE (Secure Access Service Edge) pilot, SaaS posture management, least-privilege cleanup | Medium | Pilot licensing + integration; expect higher SIEM logging during pilot |
| Phase 3 (180–270 days) | Detection, response, and operationalization | Curated detections, incident runbooks, response SLAs, training cadence | Medium–High | Ongoing people costs; runbook authoring; planned drill overhead |
Budget the Invisible Costs (So You Don’t Get Surprised)
Finance often sees license and hardware figures, but the real, recurring costs are less visible. If you budget only software, you’ll hit surprises when you enable more telemetry or need staff time to tune detections.
- Implementation & tuning cycles: Estimate initial deployment plus three-month tuning windows. Plan a 20–40% staff-time uplift during onboard months for hand-holding.
- Logging & retention: Logging ingest grows with coverage. Estimate ingest volume (GB/day) × cost/GB × retention months. If you’re adding endpoints or cloud sources, expect a step change in SIEM logging costs.
- Playbooks and drills: Authoring runbooks takes 4–8 hours per major scenario; rehearsal is a half-to-full-day per cohort. Budget post-mortem hardening time after each drill.
- People time: Account for admins, incident responders, and business stakeholders for change management and communications. A small company will pay in admin time; larger orgs need dedicated SOC/response FTEs or contracted support.
Example framing for SIEM logging costs (illustrative): estimate 10–50 GB/day depending on coverage. Multiply by vendor cost/GB and retention months to create a conservative annual line item. Don’t forget indexing/ingest vs. cold storage differences because these are different pricing buckets.
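To make the ingest × cost/GB × retention framing concrete, here is an added example (not from the post or the author) that models the line item with the indexed/hot and cold-storage buckets kept separate, and shows the step change when cloud sources are added to an endpoint-only baseline. All prices and volumes are constructed placeholders; the 30-day-month simplification is a budgeting convenience, and the storage figures are steady-state (window already full), which is the conservative number to put in front of finance.

```python
from dataclasses import dataclass

DAYS_PER_MONTH = 30        # budgeting simplification: 12 x 30-day months
MONTHS_PER_YEAR = 12


@dataclass(frozen=True)
class LogSource:
    name: str
    gb_per_day: float                  # estimated ingest from this source


@dataclass(frozen=True)
class SiemPricing:
    ingest_per_gb: float               # charged once when data is indexed (hot bucket)
    hot_storage_per_gb_month: float    # searchable / indexed retention
    cold_storage_per_gb_month: float   # archive tier: cheaper, not indexed


def annual_siem_cost(sources, pricing, hot_retention_days, cold_retention_months):
    """Conservative steady-state annual line item, split by pricing bucket."""
    daily_gb = sum(s.gb_per_day for s in sources)
    ingest = daily_gb * DAYS_PER_MONTH * MONTHS_PER_YEAR * pricing.ingest_per_gb
    # volume resident in the hot tier once the retention window has filled
    hot_resident_gb = daily_gb * hot_retention_days
    hot = hot_resident_gb * pricing.hot_storage_per_gb_month * MONTHS_PER_YEAR
    # volume resident in cold storage once its window has filled (year 2+ worst case)
    cold_resident_gb = daily_gb * DAYS_PER_MONTH * cold_retention_months
    cold = cold_resident_gb * pricing.cold_storage_per_gb_month * MONTHS_PER_YEAR
    return {
        "daily_gb": daily_gb,
        "ingest": round(ingest, 2),
        "hot": round(hot, 2),
        "cold": round(cold, 2),
        "total": round(ingest + hot + cold, 2),
    }


def step_change(before, after, pricing, hot_retention_days, cold_retention_months):
    """Annual delta from adding sources, e.g. when a pilot turns on new telemetry."""
    cost_before = annual_siem_cost(before, pricing, hot_retention_days, cold_retention_months)
    cost_after = annual_siem_cost(after, pricing, hot_retention_days, cold_retention_months)
    return round(cost_after["total"] - cost_before["total"], 2)


def coverage_range(low_gb_per_day, high_gb_per_day, pricing, hot_retention_days, cold_retention_months):
    """Low/high annual totals for a coverage estimate such as the 10-50 GB/day band."""
    low = annual_siem_cost([LogSource("low estimate", low_gb_per_day)], pricing,
                           hot_retention_days, cold_retention_months)["total"]
    high = annual_siem_cost([LogSource("high estimate", high_gb_per_day)], pricing,
                            hot_retention_days, cold_retention_months)["total"]
    return low, high


# Constructed inputs: placeholder vendor prices, not a real rate card.
PRICING = SiemPricing(ingest_per_gb=2.50, hot_storage_per_gb_month=0.10, cold_storage_per_gb_month=0.01)
HOT_DAYS, COLD_MONTHS = 30, 12
BASELINE = [LogSource("endpoints", 10.0)]
WITH_CLOUD = BASELINE + [LogSource("cloud audit logs", 20.0)]

if __name__ == "__main__":
    print("baseline:", annual_siem_cost(BASELINE, PRICING, HOT_DAYS, COLD_MONTHS))
    print("with cloud sources:", annual_siem_cost(WITH_CLOUD, PRICING, HOT_DAYS, COLD_MONTHS))
    print("step change:", step_change(BASELINE, WITH_CLOUD, PRICING, HOT_DAYS, COLD_MONTHS))
    print("10-50 GB/day range:", coverage_range(10, 50, PRICING, HOT_DAYS, COLD_MONTHS))
```

The point of the split is visible in the output: with these placeholder prices the one-time ingest charge dominates, so a pilot that triples daily volume triples the line item even though cold retention is cheap, which is exactly the surprise the post warns about.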
Right-Sizing by Organization Size
The same principles scale differently. I recommend blunt, practical thresholds rather than theoretical models.
- <20 employees: Identity controls and endpoint hygiene first. Keep subscriptions narrow and high-value. Focus on MFA, patch cadence, and backups.
- 20–99 employees: Governance basics, lifecycle automation, and SaaS visibility. This is where the biggest percentage budget jump happens; consider investing in automation to avoid staff costs scaling linearly with headcount.
- 100–500+ employees: Staged ZTNA/SASE rollout, curated detection/response, regular training windows, and formal change controls. Expect multi-quarter projects and dedicated people costs.
KPIs Finance Will Respect
Finance wants measurable risk reduction and predictable ops. I present KPIs in two groups: coverage and outcomes.
- Coverage: MFA coverage %, patch latency (median days to patch), phishing simulation failure rate.
- Response: Mean time to contain (MTTC), mean time to recover (MTTR). Define these in your incident taxonomy first.
- Resilience: Tested recovery point objective (RPO) and recovery time objective (RTO) from rehearsed restores.
- Auditability: Evidence frequency and quality mapped to the control map (weekly dashboard snapshots, quarterly audit packs).
Rollout Rhythm & Change Management
I use a standard cadence: pilot cohorts → staggered department rollouts → planned support surge → defined rollback criteria. That reduces help-desk churn and keeps projects moving.
- Pilot cohort: 5–10 users or a small department to validate integrations and communications.
- Staggered rollout: roll groups weekly or biweekly, with a one-week support surge after each group.
- Rollback criteria: measurable thresholds for usability or failure (e.g., authentication failure >3% of logins triggers rollback).
- Communications plan: explain why, when, what changes, where to get help. Share monthly metrics with leadership.
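The coverage KPIs above and the rollback threshold in the rollout list both need to be computed from evidence on a cadence, not estimated. The following is an added example (not code from the post or the author) that derives three of the figures from constructed sample exports: MFA coverage % from an enrolment export, median patch latency from patch records, and the authentication failure rate per rollout group from key=value auth log lines, with the >3% rollback rule applied to the pilot cohort. The log format, user names and dates are all constructed for illustration.

```python
import re
from datetime import date
from statistics import median

# Constructed MFA enrolment export: (user, enrolled)
MFA_EXPORT = [
    ("alice", True), ("bob", True), ("carol", False), ("dave", True),
    ("erin", True), ("frank", False), ("grace", True), ("heidi", True),
]

# Constructed patch records: (host, patch published, patch applied)
PATCH_RECORDS = [
    ("fs01", date(2026, 1, 5), date(2026, 1, 8)),     # 3 days
    ("web01", date(2026, 1, 5), date(2026, 1, 10)),   # 5 days
    ("lap-07", date(2026, 1, 5), date(2026, 1, 14)),  # 9 days
    ("lap-12", date(2026, 1, 5), date(2026, 1, 17)),  # 12 days
    ("db01", date(2026, 1, 5), date(2026, 2, 4)),     # 30 days
]

# Constructed auth log lines in a simple key=value form: 20 pilot logins with
# one failure, 10 wave-1 logins with none.
AUTH_LOG = (
    ["2026-02-03T09:%02d:00Z user=u%02d group=pilot result=success" % (i, i) for i in range(19)]
    + ["2026-02-03T09:19:00Z user=u19 group=pilot result=failure"]
    + ["2026-02-03T10:%02d:00Z user=w%02d group=wave1 result=success" % (i, i) for i in range(10)]
)

LINE_RE = re.compile(r"user=(?P<user>\S+) group=(?P<group>\S+) result=(?P<result>\S+)")


def mfa_coverage_pct(export) -> float:
    """Coverage KPI: share of accounts with MFA enrolled, one decimal place."""
    enrolled = sum(1 for _, on in export if on)
    return round(100.0 * enrolled / len(export), 1)


def patch_latency_median_days(records):
    """Coverage KPI: median days from patch publication to installation."""
    return median((applied - published).days for _, published, applied in records)


def auth_failure_rate(lines, group: str) -> float:
    """Fraction of login attempts for a rollout group that did not succeed."""
    total = failed = 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["group"] != group:
            continue
        total += 1
        if m["result"] != "success":
            failed += 1
    return failed / total if total else 0.0


def rollback_required(lines, group: str, threshold: float = 0.03) -> bool:
    """Rollback rule from the post: failures above 3% of logins trigger rollback."""
    return auth_failure_rate(lines, group) > threshold


def kpi_snapshot() -> dict:
    """The numbers that would go on the monthly dashboard snapshot."""
    return {
        "mfa_coverage_pct": mfa_coverage_pct(MFA_EXPORT),
        "patch_latency_median_days": patch_latency_median_days(PATCH_RECORDS),
        "pilot_auth_failure_rate": round(auth_failure_rate(AUTH_LOG, "pilot"), 3),
        "pilot_rollback": rollback_required(AUTH_LOG, "pilot"),
        "wave1_rollback": rollback_required(AUTH_LOG, "wave1"),
    }


if __name__ == "__main__":
    for name, value in kpi_snapshot().items():
        print(f"{name}: {value}")
```

The pilot cohort here fails 1 of 20 logins (5%), which trips the 3% rule, while wave 1 is clean; defining the rule as a function of the evidence makes the rollback decision reproducible at each staggered group rather than a judgement call during the support surge.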
What to Do Next
Use the control map checklist and the sequencing table this quarter. Build your one-page control map, assign owners, and cost the invisible items before you present to finance. Share this post with your finance partner and security stakeholders so you start with a common vocabulary.
Control Map Readiness (Checklist)
- Top risks identified and prioritized
- Controls mapped to each risk
- Capabilities named and scoped
- Owners assigned
- KPI / evidence cadence defined
- Implementation timeline attached (90/180/270 days)
- Acceptance criteria and rollback plan included
- Dependencies and third-party responsibilities listed
- Budget ranges for implementation and recurring O&M included