The Hidden Costs of Cybersecurity (Part Two): Is Your Cyber Budget Honest Enough?
- David

- Sep 4, 2025
If you read my earlier post, you’ll know I have a soft spot for pointing out the things nobody likes to mention in cyber budgets. The unglamorous costs. The awkward line items. The ones you only discover after you’ve submitted a neat, comprehensive document to the board.
Think of this as another coffee chat with your critical friend: no vendor slides, no buzzwords, just straight talk about where your budget might spring a leak.

1. Data Growth Means Security Budget Growth
Every business is becoming a data business, whether you like it or not. Customer transactions, product telemetry, development pipelines, audit trails—everything generates data. What often gets missed is that security has to scale with that growth.
Collecting logs for compliance or monitoring might look cheap at the start, but as the business grows, the SIEM bill (or your cloud provider’s storage invoice) will balloon. The drivers are growing log ingestion, long-term retention, retrieval fees, and even cloud provider “egress charges” when you move data out for audits or investigations. In addition, regulators often require data retention for 5 or even 10 years in some cases.
Recommendation: When scoping budgets, assume log volume and retention needs will grow by at least 25–30% annually. Lock in tiered storage pricing with your provider (hot vs. cold tiers) and budget for SIEM optimisation tools that reduce ingestion (e.g., log filtering). You may also want to move data into cold storage as swiftly as possible, after 2-4 weeks at the latest.
2. Security Debt With Interest
Security debt is a bit like technical debt’s edgier cousin. “Temporary” firewall exceptions and unpatched test environments are increasingly fashionable targets that attackers will actively look for and exploit.
Decision makers often budget for the “fix” once, but not for the continued upkeep or real-world rework required when quick fixes stack up over the years.
Security debt also creates firefighting cycles: instead of addressing risks in a planned manner, teams may get into a cycle of emergency interventions. Paying premium rates for last-minute remediation and continued overtime for overworked staff benefits no one.
Recommendation: Treat security debt like financial debt: establish a rolling “debt paydown” budget line, equal to about 10% of annual security spend (your mileage may of course vary). Use this to fix old exceptions, patch legacy systems, and retire unused accounts proactively. This prevents small gaps from snowballing into costly, urgent crises.
3. The Human Burnout Factor
Cybersecurity is a human sport. Even the best tools fail without skilled operators—and those operators are increasingly burning out. High turnover in security teams means gaps in knowledge transfer, disrupted projects, and expensive recruitment.
The reality is: when you budget for people, you also need to budget for churn. Hiring replacements costs money, onboarding costs time, and while the seat is vacant (the cybersecurity industry, like many other areas in tech, has been suffering from a long-term shortage of skilled persons), you’ll likely need to hire contractors to keep projects moving.
Recommendation: Build staff churn into the plan. Assume 15–20% attrition per year in cybersecurity roles and budget accordingly for recruitment, onboarding, and temporary external support. Where possible, invest in automation and knowledge management so institutional memory doesn’t vanish with each person leaving. Where staff turnover is particularly stubborn and above industry levels, seek support from relevant stakeholders.
Closing Thoughts: Predictable Strain
Data will grow, old security gaps will accumulate, and people will eventually tire under constant pressure. None of these are “black swan” events.
A budget that is realistic and acknowledges hairline cracks gives your business resilience when facing the boardroom or the regulator.