Playing a Winnable Game: Why Cybersecurity Leaders Must Master Strategic Finance
Amid tightening budgets, short CISO tenures, and mounting pressures, the difference between burnout and breakthrough is framing cybersecurity as a game worth winning—grounded in strategic finance.
The Unwinnable Game Trap
Cybersecurity leadership is starting to look like an unwinnable game. The average CISO tenure of 1.5–2 years tells us something isn’t working. Leaders are handed budgets where 75% of spend is locked into technical debt or mandatory controls, leaving only a sliver of discretionary funding to maneuver. Expectations continue to rise while resources stay flat—or even decline.
A recent survey of nearly 600 CISOs by IANS Research and Artico Search found that only 47% reported budget increases in 2025, down sharply from 62% the year before. More than half are facing flat or shrinking budgets. And for the first time in five years, security’s share of IT spending dropped—from 11.9% to 10.9%—as dollars shifted toward AI and digital initiatives. In game theory terms, cybersecurity leaders are being asked to play with fewer moves on the board while the stakes keep climbing.
The outdated “people, process, technology” model doesn’t help much in this new environment. Nor does the familiar cost-avoidance narrative: “we stopped bad things from happening.” That might have worked a decade ago. Today, boards and CFOs expect security leaders to frame their work in terms of options, trade-offs, and business value. In short, to play a game they can actually win.
The Economics of Cybersecurity Leadership
The financial headwinds facing security leaders are undeniable. A recent IANS and Artico Search survey of nearly 600 CISOs found that only 47% reported a budget increase in 2025, down from 62% the year prior (IANS Research & Artico Search, 2025). Meanwhile, 54% are dealing with flat or shrinking budgets. And for the first time in five years, security’s slice of IT spending actually declined—from 11.9% to 10.9%—as dollars were redirected toward AI, cloud, and digital growth priorities (SecureWorld, 2025).
For many CISOs, these numbers translate into a game where most of the moves are already taken off the board. Fixed costs like technical debt, compliance requirements, and mandatory controls can consume three-quarters of a typical budget, leaving little discretionary funding for innovation or strategic bets. In this environment, cost avoidance alone isn’t enough to justify spend—or to keep a CISO in the role.
What leaders need instead is a new way to reframe and navigate financial constraints. Three starting points:
Map fixed vs. discretionary spend: know exactly how much of the budget is locked in vs. how much can be maneuvered, and make that visible to the board.
Translate dollars into Run / Grow / Transform categories: adopt a model the CFO already understands, showing whether spend is maintaining the baseline, enabling incremental growth, or transforming the business.
Present investments as options and trade-offs: instead of “we need this much money,” offer “here are three paths forward—here’s what we gain, and here’s what we accept if we don’t.”
Each of these reframes gives CISOs more credibility in executive discussions and begins to shift perception—from tactical risk manager to strategic partner.

Why the Current Playbook Fails
For decades, the dominant framework for cybersecurity management has been the familiar trio of people, process, and technology. It served its purpose in an era when the biggest challenge was building controls and maturing basic practices. But in today’s economic climate, that model feels outdated.
Boards and CFOs are no longer impressed by a laundry list of controls or by the language of cost avoidance—“we stopped bad things from happening.” That narrative, while true, doesn’t hold up against competing investments in AI, digital expansion, or customer experience, where executives can see direct returns.
Worse, the old playbook locks CISOs into reactive cycles—always responding to the next regulation, audit, or incident—without a framework for shaping strategy. This undermines their ability to survive in roles where the average tenure is less than two years.
Three reasons the old playbook is breaking down:
Cost avoidance isn’t strategy: Preventing losses matters, but it doesn’t prove value or growth potential.
Controls ≠ credibility: Boards expect clarity on business impact, not just technical soundness.
Reactive posture shortens careers: CISOs who only defend and comply rarely get the chance to innovate, which accelerates burnout and turnover.
The implication is clear: continuing to play by yesterday’s rules is a losing game. The question is whether CISOs can adopt a new playbook—one rooted in finance, strategy, and value creation—that allows them to compete on equal footing with other executives.
Reframing the Role: From Cost Center to Value Creator
If the old playbook is failing, what replaces it? The answer lies in shifting the frame—from security as an unavoidable cost to security as a portfolio of strategic options the business can choose to invest in.
This is more than semantics. In The CISO On The Razor’s Edge, I argued in Chapter 7 (Security Leadership as a Series of Real Options) that CISOs must think less like operators and more like financial strategists. Every initiative—whether it’s a new control, a modernization effort, or a cloud migration—can be presented as an option with trade-offs: invest and gain future flexibility, delay and accept defined risks, or decline and carry the exposure. This approach allows the board to see security decisions in the same way they evaluate other capital investments.
Industry leaders echo this. Mark Settle advises CISOs to “follow the money” through budgeting frameworks like Run / Grow / Transform, which reveal whether dollars are being used simply to keep the lights on or to unlock growth and transformation. Steve Zalewski, drawing on his time as CISO at Levi Strauss & Co., pushes CISOs to ensure that cybersecurity isn’t just about protection—it must directly support the mission of the business. As he often says, security has to “help sell more jeans.”
Taken together, these perspectives form a new leadership model: the financially literate, strategically minded CISO who frames security not as an overhead cost but as an investment portfolio. And it’s a model that boards are more likely to respect—and fund.

Tools for Playing a Winnable Game
Shifting from cost center to value creator isn’t just about mindset—it’s about using practical tools that reshape how security is discussed in executive conversations. CISOs don’t need to become CFOs, but they do need to adopt financial frameworks that make their work legible and valuable in business terms.
Here are four tools that create leverage and credibility:
Budget Mapping: Break down spend into fixed vs. discretionary categories. Show explicitly how much of the budget is consumed by technical debt and mandatory controls versus what’s available for strategic investment. Boards respond to clarity.
Run / Grow / Transform: Reclassify spend using a model familiar to CFOs. Demonstrate which investments simply keep operations running, which enable incremental improvements, and which unlock real transformation.
Options & Trade-Offs: Frame every major initiative as a set of choices: If we invest, here’s the upside. If we don’t, here’s the risk we’re carrying. Boards don’t want ultimatums—they want structured options.
Value Creation Scenarios: Move beyond cost avoidance by modeling how security investments can generate value—faster time to market, higher customer trust, stronger brand resilience, or lower cost of capital through risk reduction.
Each of these tools has the same effect: they reposition security decisions from technical necessities to strategic investments. They give CISOs a way to demonstrate alignment with business goals—and to survive, and even thrive, in a budget-constrained environment.
The Payoff: Confidence, Impact, and Career Resilience
Mastering strategic finance is not just about surviving another budget cycle—it’s about changing the way the game is played. CISOs who frame investments as options and trade-offs, who can translate dollars into growth and resilience, and who model value creation are no longer trapped in a defensive posture. They step into the role of strategist, gain confidence in boardrooms, and extend their career runway.
A winnable game is one where:
The board sees clarity, not confusion.
The CFO sees alignment, not overhead.
The CISO sees a path forward, not burnout.
That’s the future of cybersecurity leadership—and it’s within reach.
If you want to sharpen these skills and apply them in your own organization, join us on Tuesday, September 16th for the webinar Strategic Finance for Cybersecurity Leaders. We’ll dive deeper into how CISOs can reframe budgets, speak the language of the business, and make smarter strategic bets in the year ahead.
And if you’d like a companion to guide you even further, pick up a copy of The CISO On The Razor’s Edge, especially Chapter 7: Security Leadership as a Series of Real Options. It will help you increase your odds of surviving—and thriving—in the game you’re already playing.
References
IANS Research & Artico Search. (2025, August 5). Security budgets under pressure: How CISOs can navigate tight budget constraints. IANS Research. Retrieved from https://www.iansresearch.com/resources/all-blogs/post/security-blog/2025/08/05/security-budgets-under-pressure--how-cisos-can-navigate-tight-budget-constraints
SecureWorld. (2025, July 24). CISO budget squeeze: Security growth slows as IT priorities shift. SecureWorld. Retrieved from https://www.secureworld.io/industry-news/cisos-budget-squeeze-security-growth-slows