Cyberattacks are more frequent, severe, and disruptive than ever. According to The CISO Report, 94% of CISOs have experienced disruptions, and over 55% have faced multiple attacks. Yet, many organisations are still struggling to secure the budgets needed to keep up with escalating threats.
In APAC, the challenge is even greater — fewer boards are prioritising cybersecurity as a top investment for the coming year, leaving organisations vulnerable to breaches, operational disruptions, and billions in potential downtime costs. This widening gap between cyber risk and security funding is leaving businesses exposed.
Compounding the issue, the talent shortage remains critical. The World Economic Forum cites a global shortfall of nearly 4 million cybersecurity professionals, leaving security teams stretched thinner than ever. In such an environment, underfunded security teams are stuck playing catch-up, stretching limited resources against increasingly sophisticated attacks. If this cycle continues, businesses aren’t just risking data; they’re gambling with their bottom line.
Why boards aren’t listening — and how to make them hear you
CISOs have gained greater visibility in the C-suite, with 82% now interacting directly with the CEO, according to the same report. Yet, many still struggle to influence where it matters most — the boardroom.
The core issue? A lack of cybersecurity expertise at the top. Only 29% of boards have at least one member with a cybersecurity background, making it difficult for leadership teams to fully grasp the scale of today’s cyber risks. This knowledge gap often leads to underestimation of threats and, consequently, underfunding.
To bridge this divide, CISOs must change the conversation.
Cybersecurity isn’t just about preventing breaches; it’s a critical investment in business continuity, risk mitigation, and long-term growth. Framing security as an operational necessity won’t get the buy-in needed — linking it to ROI, operational resilience, and revenue protection will.
This means simplifying risk discussions, quantifying financial impact, and demonstrating how security investments prevent costly disruptions. When CISOs position cybersecurity as a business enabler, it strengthens their argument for securing the necessary investments.
The high cost of budget cuts
In APAC, cybersecurity is a stated priority, with 56% of organisations listing it as their top IT spending focus. Yet, only 29% of CISOs receive the necessary funding to meet security goals, while 41% of board members believe budgets are sufficient — a clear disconnect in understanding the true cost of cybersecurity.
This misalignment comes at a steep cost. AI-driven attacks are evolving rapidly, with cybercriminals automating and scaling attacks at unprecedented speeds. In fact, 93% of CISOs expect AI-powered threats to occur daily in 2025, and 53% believe AI gives attackers the advantage, making it clear that defences must evolve just as fast.
Yet, budget constraints are pushing security teams to their limits. Some 66% of CISOs cite resource shortages as a major driver of burnout and staff attrition, further exacerbating the cybersecurity talent crunch. Instead of focusing on AI-driven defences, overworked teams are stuck in firefighting mode, forced to make tough trade-offs that leave businesses increasingly exposed.
According to a separate Splunk study, companies spend an average of US$19 million annually on ransomware and extortion payouts, but the hidden costs — reputational damage, customer churn, and regulatory fines — can cripple long-term growth.
Paving the way for a resilient cybersecurity strategy
The numbers don’t lie. Downtime continues to cost APAC organisations hundreds of millions annually, with recovery times among the longest globally. With such figures at stake, the reality is clear: underfunding cybersecurity doesn’t save money; it amplifies costs over time.
Without urgent investment in talent, AI-driven defences, and proactive risk management, businesses risk being overwhelmed by the tsunami of AI-powered threats and losing their competitive edge. To close the cybersecurity funding gap, organisations need a strategic, business-first approach:
- Integrate security into business strategy: Cybersecurity must be embedded, not siloed. A consolidated approach improves visibility and ensures resources are allocated to protect the most critical assets.
- Break down silos and strengthen collaboration: Security isn’t just an IT function; it’s a company-wide priority. A strong security posture requires cross-functional alignment. From mitigating compliance risk to embedding security into the product roadmap, a unified approach ensures that cybersecurity is proactive, not reactive.
- Reframe cybersecurity as a driver of growth: Cybersecurity investments aren’t just about protection. They fuel digital transformation, enable innovation, and safeguard shareholder value.
CISOs who can demonstrate measurable ROI by linking security initiatives to revenue protection and operational resilience will have the strongest case for securing the budgets they need.
The real cost isn’t investment, it’s inaction
With cybercrime costs projected to hit US$23 trillion by 2027, the stakes have never been higher. The real risk isn’t just in what organisations spend on cybersecurity; it’s in what they stand to lose if they don’t. Those that succeed will go beyond viewing security as a cost centre and instead recognise it as a strategic advantage.
For organisations in APAC, stronger CISO-board alignment isn’t just beneficial; it is critical for survival in an increasingly complex threat landscape. The message to the board is clear: Smart cybersecurity investments today will safeguard against massive financial losses tomorrow.