ciso.diy
Governance | CISO budget | security budget | financial model | board presentation

2026 CISO Budget Workbook

Input five values on the Assumptions tab — revenue, IT budget, headcount, industry, maturity — and the entire workbook calculates itself. Three budget-sizing methods, 50+ line items, CRQ for boards, and board talking points with your actual numbers.

The first true financial model in the ciso.diy catalog. Previous products track data or assess posture. This one does financial math.

Input five values on the Assumptions tab — revenue, IT budget, employee count, industry, maturity level — and the entire rest of the workbook calculates itself. Every benchmark, every talking point, every ROI number flows from those five inputs.

Why 2026 specifically: $240B global security spending (Gartner, 12.5% YoY growth); 85% of CISOs increased budgets in 2025, 90% expect another increase (Wiz); 70% of orgs now dedicate 10%+ of security budget to AI (Reco 2026); 58% run 25+ security tools — the tool rationalization moment; $4.88M breach cost + $2.22M AI savings per breach (IBM 2026). These numbers are pre-populated as live benchmarks.

Three budget-sizing methods — the Executive Summary tab calculates all three simultaneously and takes the median:

  • % of IT Budget: IT × 12% (Gartner benchmark)
  • % of Revenue: Revenue × 0.75% (IANS 2026)
  • Per-Employee: Employees × $2,700 (Deloitte 2026)

Using the median defends against both over-budgeting and under-budgeting. This is sophisticated financial modeling — most budget templates pick one method and go.

16-tab architecture flows from inputs to outputs:

  • Inputs: Cover → Assumptions (single source of truth)
  • Core calculations: Executive Summary (three methods + auto-median) → Budget Build (50+ line items, 12 categories, quarterly spread) → Benchmark Comparison (your plan vs 2026 industry data, color-coded variance flags)
  • Detail layer: Headcount Plan (51% personnel line with fully-loaded costs) → Tool Inventory (58% sprawl problem addressed) → AI Security Budget (standalone 2026 category: discovery, governance, DLP, deepfake, red team) → Compliance Budget (18 frameworks with cost ranges)
  • Strategic layer: Cyber Risk Quantification (ROI math for boards) → Quarterly Cash Flow → Multi-Year View (3-year projection at 12.5% growth)
  • Operational: Board Talking Points (10 pre-written sentences with your actual numbers via TEXT() formulas) → Variance Tracker (actual vs plan) → Scenario Modeling (10 pre-calculated what-ifs)
  • Reference: Glossary & Sources

12 budget categories pre-populated: Personnel (CISO, engineers, analysts, GRC, recruiting, training, contractors), Software (EDR, SIEM, IAM, PAM, email, vuln mgmt, CNAPP, SSPM, GRC, DLP), Hardware (firewalls, FIDO2 keys, HSMs), Cloud (provider-native, WAF, secrets mgmt), Compliance (SOC 2, ISO, PCI, HIPAA, pen testing, counsel), IR Readiness (retained firm, tabletops, playbooks, forensic tools), Training (awareness platform, phishing sims, exec + dev training), Third-Party (vendor risk, SBOM), AI Security, Insurance, Consulting (vCISO, MSSP), Contingency (5–10% reserve).

Cyber Risk Quantification tab — the business case layer:

  • Baseline ALE: $4.88M × 29% = $1.41M expected annual loss without program
  • With program: 60% probability reduction + $2.22M AI savings per breach
  • Residual ALE: $309K
  • Risk Reduction: $1.10M/year
  • ROI Ratio: typically 2–5x for mature programs
  • Payback Period: months for risk-reduction value to equal budget investment

Converts "I need $1.2M for security" into "Our baseline expected annual loss is $1.4M; this $1.2M investment reduces expected loss to $309K — net benefit $1.1M/year, payback in 13 months." Boards fund the second statement. The first gets haggled.
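The three-method sizing and the CRQ arithmetic described above, worked through as an added example (not the workbook's own formulas). The residual-ALE formula is an assumption, chosen because it reproduces the page's $309K figure; the organization's inputs and all function names are constructed for illustration.

```python
from statistics import median

# Benchmarks quoted on the page.
IT_PCT, REVENUE_PCT, PER_EMPLOYEE = 0.12, 0.0075, 2_700
BREACH_COST, BREACH_PROB = 4_880_000, 0.29
PROB_REDUCTION, AI_SAVINGS = 0.60, 2_220_000


def size_budget(revenue, it_budget, employees):
    """Return the three method estimates, their median, and the max/min spread."""
    methods = {
        "pct_of_it": it_budget * IT_PCT,
        "pct_of_revenue": revenue * REVENUE_PCT,
        "per_employee": employees * PER_EMPLOYEE,
    }
    values = sorted(methods.values())
    # A large spread means one input is atypical for the organization's size;
    # the median hides that, so surface it for review.
    spread = values[-1] / values[0] if values[0] else float("inf")
    return methods, median(values), spread


def crq(budget):
    """ALE before and after the program, plus payback in months."""
    baseline = BREACH_COST * BREACH_PROB
    # Assumed reading: AI savings lower the per-breach cost, and the program
    # lowers breach probability by PROB_REDUCTION.
    residual = (BREACH_COST - AI_SAVINGS) * BREACH_PROB * (1 - PROB_REDUCTION)
    reduction = baseline - residual
    # Payback is undefined when the program does not reduce expected loss.
    payback = budget / reduction * 12 if reduction > 0 else None
    return {"baseline_ale": baseline, "residual_ale": residual,
            "risk_reduction": reduction, "payback_months": payback}


if __name__ == "__main__":
    # Constructed inputs: $150M revenue, $10M IT budget, 450 employees.
    methods, budget, spread = size_budget(150_000_000, 10_000_000, 450)
    for name, value in methods.items():
        print(f"{name:>15}: ${value:,.0f}")
    print(f"median budget: ${budget:,.0f} (spread {spread:.2f}x)")
    for name, value in crq(budget).items():
        print(f"{name:>15}: {value:,.1f}")
```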

Board Talking Points tab — 10 pre-written sentences that use Excel TEXT() formulas and string concatenation to pull your actual numbers into complete spoken sentences. Fill in Assumptions and the talking points update automatically.

User Guide — 23 sections, 760 paragraphs. Strongest sections: Section 4 (three budget-sizing methods with strengths and weaknesses), Section 7 (personnel planning with fully-loaded costs + contractor math), Section 8 (2026 tool consolidation playbook, 6 steps), Section 9 (AI security carved out separately + discovery-first principle), Section 11 (CRQ for boards: budget-speak vs risk-speak), Section 17 (8 common budget mistakes), Section 18 (30-minute CFO meeting structure, minute-by-minute), Section 19 (10-minute board slot structure), Section 20 (industry-specific adjustments for Financial Services, Healthcare, SaaS, Retail, Manufacturing, Public Sector).

What's included

  • Excel (.xlsx) — fully editable
  • Word (.docx) — User Guide — fully editable
  • Instant download after purchase
  • Free updates — re-download when we release new versions
  • Practitioner License: unlimited client use (vCISO / MSP)

Version: 1.0
Last updated: 2026-04-17
Workbook tabs: 16