How to Plan a Cybersecurity Budget for 2023 in Q4


Developing and setting up a cybersecurity strategy for 2023 is a task that requires not only extensive technical knowledge, but also the ability to communicate that clearly to others.

Unfortunately, the threats that small and medium-sized businesses face in 2022 are not getting any less serious in 2023. Research has shown that cybercriminals can penetrate 93% of company networks, but only 50% of SMBs have a cybersecurity plan in place. This disconnect can lead to dangerous cybersecurity incidents that could cause a company ongoing financial and reputational damage. Your organization is going to need the budget and investment to meet these threats before they become expensive problems.

Maintaining or increasing your cybersecurity budget for 2023 can help avoid these issues by investing in tools, technologies, and expertise to protect your network and keep your employees and customers safe. 

What to Consider When Planning Your Cybersecurity Budget

Getting all your stakeholders to agree on a cybersecurity budget can be complex. First, everyone must understand the business value of cybersecurity, which can be a tricky prospect when your company has never experienced a data breach or downtime due to a cybersecurity incident.

During the budget planning process, part of your job is laying out the potential risks (even if no incident has occurred before) and explaining cybersecurity ROI in a way that is understandable even to people with minimal technical knowledge.

Getting buy-in from all company leaders is the best way to build a robust cybersecurity strategy, as it ensures that every aspect of the business, from IT to compliance, sales, and more, is designed and functioning in accordance with cybersecurity best practices.

To help them understand the situation fully, here are some considerations to keep in mind when planning your cybersecurity budget for the next year in Q4.

The Threat Landscape

Giving your colleagues a better understanding of the threat landscape facing your business helps determine the best way to allocate resources. Throughout 2022, some of the biggest threats have been ransomware and malware, which have been adjusted and adapted to facilitate increasingly sustained and sophisticated attacks.

There are also more determined threat actors operating on a global scale who are eager to sow the seeds of disorganization among any business that will potentially pay a ransom or offer them information that can be traded on the dark web. 

Your Business Needs

The ways that businesses operate have changed drastically over the last few years. Many companies have employees spread out worldwide, leading to many more endpoints that must be protected.

Evaluating your business needs and determining how to protect future business growth is essential in planning your Q4 cybersecurity budget. Asking questions about where the business is going and how your security practices can help achieve these goals will support your team in developing a thoughtful and responsive strategy.  


There are many metrics out there that can help measure key performance indicators for cybersecurity and aid in the decision-making process. However, measuring metrics without a plan of how to analyze or use the data is simply busy work.

The best approach to ensure your KPIs work for your business is to track only the KPIs that are clear to every stakeholder. Some great examples include:

  • Level of preparedness
  • Intrusion attempts
  • Security incidents
  • First-party security ratings

Calculating Cybersecurity ROI

When discussing cybersecurity budget planning with a broader group, one of the easiest ways to ensure their buy-in is to clearly communicate the ROI offered by your proposed plan. 

The ROI for cybersecurity, also referred to as ROSI (return on security investment), can be calculated using a standard formula derived from a basic ROI calculation.  

ROSI (%) = [ (GI – CI) / CI ] × 100

In this formula, GI refers to Gain from Investment, and CI refers to Cost of Investment. Essentially, your ROSI percentage is determined by taking the gain from your investment, subtracting the cost of your investment, dividing the result by the cost of your investment, and then multiplying by 100.

The cost of your investment (CI) can be discovered by adding up the costs of all the security measures you’ve put in place. A checklist like this one that is designed for small businesses can help you determine where your money is best spent, and whether anything is missing from your current setup.

Finding the gain from investment (GI) is a bit more complex. It depends on contributing factors that include:

  • Estimated costs of breaches
  • The cost of data theft
  • Anticipated remediation costs
  • The cost of downtime

If you’ve never experienced a breach or loss event, you may have to do some research to determine what your business could expect to spend during an event like this.  

Communicating the Business Value of Cybersecurity

When CISOs can clearly present the advantages and business value of cybersecurity to other executives, it’s much easier to earn their buy-in on the proposed cybersecurity budget. While a great deal of cybersecurity terminology is very technical, CISOs and other IT leaders must be able to translate this information to a non-technical audience. This is the only way the C-Suite can understand the seriousness of the threats they face.

Here are a few tips we’ve gathered for IT leaders looking to improve how they communicate the business value of cybersecurity across their organization.

Communicate an accurate estimate of ROI

Across the board, ROI is one of the most universal ways for people to understand the value of an investment. By calculating and clearly communicating an accurate estimate of the ROI on cybersecurity for your Q4 budget, you can make it easier for non-technical stakeholders to support your plan.

Additionally, communicating an accurate estimate of ROI can be a crucial factor in supporting the argument that adequate cybersecurity boosts your bottom line.

Bring in indirect benefits

There are more benefits to strong cybersecurity than simply avoiding a cyber-attack. When your organization weaves in cybersecurity at every level of the business, it’s typically easier to collaborate, work together, and maintain productivity and business growth. These indirect benefits may be hard to evaluate, but they should always be a part of the discussion.

Frame your proposal in non-technical terms

Framing your proposed Q4 cybersecurity budget in non-technical terms whenever possible will allow your executive colleagues the opportunity to engage with it without confusion or misunderstanding.

Don’t Let Your Cybersecurity Budget Fly Under the Radar

If you don’t take an active role in cybersecurity budget planning in Q4, it’s easy to enter the coming year with the same old tools and technologies you’ve used for years. While those may have worked in the past, the cybersecurity threats facing businesses in 2023 are more hazardous than ever.

Instead of letting your budget fly under the radar, pursue a more proactive cybersecurity approach by investing in a tool like Threater.

The Threater network security platform is an additional layer of security for your technology stack. Instead of replacing your current system with expensive upgrades, Threater provides sophisticated protection without altering your existing setup.

Want to see how it can support your cybersecurity stack? Try a demo today.