
The Hidden Costs of Cybersecurity (Part Three): The Lifecycle Reminder

  • Writer: David
  • Sep 25, 2025
  • 3 min read

When decision-makers think about cybersecurity budgeting, the spotlight usually falls on the big-ticket items: the core services and technology stack that form the backbone of protection.


Whilst this makes sense overall, it often leaves the less glamorous areas underfunded. This is usually the small print of operations: the follow-up activities, the inevitable battle with shadow IT, and the new vulnerabilities that surface once projects transition into business-as-usual. These “after-costs” rarely make headlines, yet they’re the ones most likely to drain precious time and resources.


As a rule of thumb, I like to suggest the 80/20 principle as a useful starting position, so let's dig into the less obvious 20%.




1. Compliance and Governance Creep


Passing audits is often framed as a compliance checkbox, but every audit produces a to-do list. At least some of those remediation tasks aren’t optional if you want to keep your certifications, win new contracts, or renew insurance. So why are we not setting money aside for post-audit remediation? Perhaps there's a perception of the cost of the audit being "all-inclusive". 


We've looked at a similar challenge around the cost of remediating weaknesses and vulnerabilities after a pentest. (Further reading is here [link to first blog]).


With compliance, the bulk of the spend comes from maintaining a state of compliance proactively, which includes fixing gaps exposed by an audit, but also ensuring housekeeping tasks are not forgotten. Typical follow-on tasks include: remediations, new policies, chasing people for corrective actions, periodic risk assessments and reporting to the board.


Now add customer-driven audits into the mix. Whilst ISO 9001 and 27001 are a good starting point, enterprise customers may still require a custom security questionnaire running north of 300 security and compliance questions, a good portion of which is likely to duplicate information provided elsewhere.


Recommendation: Budget realistically for audits as an ongoing workload, not a one-off event. Plan for staff backfill during audit season, and consider automation (GRC platforms, policy libraries) to reduce repeat effort. In addition, allocate a full 10% of compliance spend for customer audit responses and evidence management.


2. Insurance Fine Print


Cyber insurance has shifted from being a safety net to a compliance checklist. In addition to carving out the budget for premiums, meeting requirements is also becoming increasingly challenging. Insurers now expect MFA everywhere, documented incident response, tested backups, and sometimes vendor monitoring. If you don’t meet these standards, you either pay higher premiums or lose coverage. 


Common exclusions include: attacks via third-party vendors, regulatory fines, or even ransomware payments in certain jurisdictions.


Recommendation: When getting quotes for renewal, ask for a list of mandatory controls, and calculate the total cost of ownership of insurance to include both the premium and the cost of maintaining said security controls. Budget at least 5–10% of policy cost for uplift spend annually.


In certain geographies, combination products also exist. For example, going through Cyber Essentials certification and meeting all requirements includes a Cyber Liability Insurance product (for UK-domiciled organisations with a turnover under £20m).


3. The Curse of Shadow IT


It has become incredibly simple, and in some cases very cheap, to purchase services on a monthly subscription: marketing analytics, LinkedIn extensions, and websites that offer quick and easy solutions to everyday problems like converting T&Cs from PDF to Word. Let's face it, most of us serving in a leadership role have been there one way or another.



When time is tight, teams reach for whatever helps them push through, and sometimes that means cashing out the cost of a brew for a one-off SaaS tool just to clear a roadblock. 


We often picture shadow IT as dusty old bits of kit left behind in a cupboard, but in a cloud-first business, it’s more of an invisible fog that touches almost every part of operations. Worse, security incidents may originate from these unmanaged platforms, so security teams end up firefighting as well as cleaning up.


The complexities of Shadow IT certainly deserve their own topic; subscribe to our LinkedIn feed to learn more in the coming weeks. But for now, let's quantify this nebulous mess (pun intended). 


Recommendation: Budget annually for shadow IT discovery and remediation. Build in both tooling (asset discovery platforms, SaaS inventory) and follow-up spend (migration, consolidation). Up to 5% of IT spending should be earmarked for asset clean-up and rationalisation.


Bottom Line


Our advice is simple: always budget for the lifecycle of a tool or service. Every audit leads to action items, every insurance policy to compliance costs, and every project to forgotten systems that need cleaning up.


Check out our Cyber Budget Survival Guide next to see how small investments can make a big impact.



Let us know if this was helpful, and share your views and experiences with those still looking to tackle their 2026 budget daemons.
