The CISO budget framework
A CISO's budget is the most honest expression of the program's strategy. Where the dollars actually land tells you what the company believes the threats are, what the team can operate, and how mature the program is. This is how working CISOs actually break it down.
The headcount-vs-tooling ratio
The most-asked benchmark question: how much of a security budget is people vs tooling? Industry benchmarks tend to settle around 50–60% headcount, 30–35% tooling, 10–15% services and compliance, with significant variation by sector and stage. Regulated industries skew toward compliance and audit; SaaS and cloud-native companies skew toward AppSec and identity tooling; manufacturing and OT shops skew toward physical-cyber convergence. The most common mistake at scale-up stage is over-tooling and under-staffing — buying enterprise SIEM without a Detection Engineer means the SIEM ships at 30% effectiveness, which is also how CISO Game models it.
The fourteen capability layers
A modern CISO budget covers roughly fourteen capability layers, and the question is which ones to staff first:
- Endpoint Detection & Response (EDR) — the foundation layer.
- SIEM — the analyst's lens. Priced by ingest volume, as in the real market.
- Identity & Access (IAM, PAM, MFA, SSO, ITDR) — the new perimeter.
- Network security — NGFW, NDR, WAF, DDoS, ZTNA.
- Cloud security — CSPM, CWPP, CIEM, CNAPP.
- Application security — SAST, DAST, SCA, API security, secrets scanning.
- Backup & Recovery — immutable backups, tested DR. The ransomware-leverage layer.
- Awareness — phishing simulation, training, just-in-time micro-training.
- Compliance — SOC 2, ISO 27001, PCI DSS, HIPAA, FedRAMP.
- Architecture — Zero Trust rollout, network segmentation, identity overhaul. Multi-quarter projects.
- Headcount — Senior Analysts, Detection Engineers, IR Specialists, GRC Specialists, Deputy CISO.
- Platform suites — XDR, SASE, M365 E5, CNAPP. The Best-of-Breed vs Platform decision.
- AI Security — only material when AI is in the product.
- Insurance — cyber policy, with carrier-attested controls.
How the mix changes by stage
Series-B SaaS (200–500 people): the first hire is usually a Senior Analyst (about 60% of the budget goes to people), the foundational tooling (EDR, IAM with MFA, a tier-1 SIEM, basic backup) consumes most of what is left, and compliance is SOC 2 only. Late-stage / pre-IPO: the program's shape changes — multiple specialists, a full IAM stack, AppSec built in, a formal IR retainer, and multiple compliance frameworks. Public company: regulator-clock readiness becomes a budget line of its own, the audit cadence anchors planning, and identity threat detection layers on top of basic IAM. CISO Game's scenario list covers each of these archetypes.
How to defend the budget
Real-world CISOs who keep their budgets year over year tend to do four things consistently: (1) tie every line item to a named risk — the risk register is the budget's parent document; (2) show year-over-year trends in the metrics that matter (composite posture, mean-time-to-detect, breach cost avoided); (3) request emergency budget post-peer-breach when the moment is open — boards remember; (4) cancel things publicly — auditing the existing stack and dropping low-ROI tools earns more trust than asking for new spend without that hygiene.
What CISO Game models
The simulation tracks the full budget loop: an annual budget grows by a configurable percentage, year-end overspend rolls into a cumulative overspend that can fire you, and emergency budget requests scale by your current board confidence. The Investments catalog has 99+ entries across all fourteen capability layers, each with team-requirement gates that punish over-tooling without staffing. Play free to feel how the trade-offs land in real time.