Quantifying Cyber Risk: Securing Your FY27 Budget Approval
Budget submissions are starting. The question has changed.
In nine weeks, Australia closes FY26. In some organisations, FY27 cyber budget submissions are already in flight. In most, the conversation will start in May.
For CISOs going into that conversation, something has shifted. The CFO across the table has read the ASD's 2024–25 Annual Cyber Threat Report. They have seen that average business cybercrime cost is up 50% year-on-year to $80,850, that large-enterprise costs are up 219% to $202,700, and that there are now over 84,700 reported incidents a year — one every six minutes. They have also seen the headlines: SOCI penalties at $3.3 million per breach. ASIC pushing harder on cyber disclosure. APRA quarterly reporting expectations. The board's audit and risk committee asking the same question every quarter.
The CFO's question is no longer "how much do you need?"
It is: "how much risk are we carrying, in dollars, and how much of it does this budget actually buy down?"
If the answer is a heatmap and a vendor wishlist, FY27 is going to be a hard conversation.
The funding gap is real — and it is not closing on its own
Two stats frame the FY27 budget moment for Australian CISOs.
Panorays, 2025. Nearly all of us are walking into the conversation under-resourced relative to the threat surface.
MarketIntelo, 2026. CRQ-equipped CISOs are reportedly winning more of the budget they ask for.
Those two numbers, taken together, are the story of the next budget cycle. The funding gap exists because most cyber budgets are still argued in maturity scores, control gaps, and threat-actor anecdotes. The CISOs closing the gap are arguing in dollars.
The shift isn't from "less budget" to "more budget." It is from "trust the CISO" to "trust the model."
What changed between FY26 and FY27
It is not just a vibe-shift. Three things have moved at once.
| Shift | What changed | What it means for FY27 |
|---|---|---|
| Regulatory | SOCI enforcement live (April 2026). ASIC sharpening cyber disclosure. APRA quarterly reporting evolving. | Boards are now signing quantified statements about risk under penalty. They need the inputs to be defensible. |
| Empirical | ASD 2024–25 report: large-enterprise cybercrime cost +219% YoY. DDoS volume +280%. Frequency flat-ish; severity exploding. | The historical "low-likelihood, high-impact" framing is breaking down. Severity is no longer hypothetical. |
| Insurance | Cyber insurance market is repricing post-2024 systemic events. Quantified posture is documented to attract 15–25% renewal discounts. | Cyber budget and insurance budget are now coupled. A CISO who can produce ALE numbers strengthens both. |
None of these changes will reverse before FY27 closes. The cyber budget conversation has been re-anchored permanently.
Why the maturity-model argument is losing power
For most of the past decade, the dominant Australian budget argument has been a maturity model — Essential Eight, NIST CSF, ISO 27001 control coverage. "We are at Maturity Level 1 in three controls. Funding gets us to Level 2."
Maturity models are useful. They are not, however, financial arguments. Three structural problems show up the moment a CFO pushes back:
- They do not aggregate. "Maturity Level 2 in patching" and "Maturity Level 2 in MFA" do not combine into a number you can put against $14.2 million of expected loss.
- They do not price control packages. Two control investments that both move you from Level 1 to Level 2 may have wildly different effects on actual loss exposure. Maturity says they're equal. They aren't.
- They do not falsify. A heatmap that says "the OT risk is amber" tells you nothing if the regulator, the insurer, or the CFO asks "compared to what?"
This is not an argument against maturity models — they are the right starting point for a control programme. It is an argument that you cannot defend a budget on them alone. The CFO is being asked to allocate scarce capital. Capital allocation is a financial decision. Cyber needs to speak in the language of capital.
What an FY27-ready cyber budget submission looks like
A cyber budget submission that survives a contemporary CFO conversation has four ingredients. None of them are exotic. Most are missing from most submissions.
- Baseline ALE: a central estimate of annual loss across the organisation's top scenarios, with a confidence range — not a single point. This is the "what are we carrying today" number.
- Scenario decomposition: the baseline ALE broken down by scenario (ransomware, regulated data exposure, third-party outage, supply-chain compromise, OT availability loss). The CFO needs to see which risks dominate the number.
- Treated ALE per option: for each proposed investment, the expected reduction in ALE — not just in the central estimate, but in the upper tail. The upper tail is what the board actually cares about.
- Assumption ledger: every input that drives the model, who supplied it, and when it was last reviewed. This is what makes the submission auditable, and what lets the CFO and CRO defend it.
The combination is not theoretical. It is how FAIR (Factor Analysis of Information Risk) — the dominant CRQ standard — has been used by quantified CISOs for years. What has changed in 2026 is the cost and time required to produce it. What used to require a $200K consulting engagement can now be produced in days, on platforms built for the job.
The unscannable problem in budget context
The hardest part of an FY27 ALE-based submission is not the maths. It is the assets you cannot measure directly.
For a SOCI-regulated entity — energy, water, ports, transport, healthcare, financial services — the systems that drive the most consequence are typically the systems that automated tooling cannot reach. Active scanning of an OT/SCADA network is a known cause of operational disruption. Agents cannot be installed on legacy or air-gapped hosts. Third-party vendor systems sit outside your administrative reach. Embedded medical and industrial devices are resource-constrained.
If your CRQ submission silently drops the unscannable estate out of the model, you have understated your risk and lost the strongest argument for the spend you are asking for.
The remedy is structured expert elicitation: a calibrated panel of OT engineers, ICS pen testers, vendor specialists and threat analysts producing probability estimates for events that have not been directly measured. The output is the same FAIR-compatible ALE the scanner-driven view produces, with the same defensible confidence intervals. The OT, legacy and third-party estate becomes part of the budget argument, not a footnote on the risk register.
This is the design CyQuantiFi was built around. It is also the part of our platform that is patent-protected.
Five things to do before your FY27 submission
If you are heading into FY27 budget conversations in the next eight weeks, here are five concrete actions that will measurably improve the defensibility — and the success rate — of your submission.
Pick five scenarios and quantify them.
Don't try to ALE the entire organisation in one cycle. Pick the five scenarios most likely to appear in a board conversation — ransomware on operational systems, supply-chain compromise, regulated data exposure, OT availability loss, third-party material outage — and produce an ALE for each.
Set a dollar-denominated risk appetite.
Replace "low / medium / high" tolerances with explicit ALE ceilings per scenario or per asset class. This gives the board something to anchor the budget against. Risk appetite needs to be in the same unit as the loss estimates it is sitting next to.
Translate every line item into ALE impact.
Each proposed investment should carry an expected reduction in ALE — central estimate and upper-tail. Items that don't move ALE belong in operating cost, not in the risk-reduction budget.
Cover the unscannable estate.
If your model excludes OT, legacy or third-party assets, your CFO is being asked to fund a number that is missing the most consequential scenarios. Use structured expert elicitation to extend coverage before you submit.
Show the assumption ledger.
Bring the model inputs, sources and review dates with you to the budget meeting. The single biggest CFO trust-builder in a quantified submission is the visible audit trail. Don't make them ask for it.
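The four ingredients described earlier (baseline ALE with a tail, scenario decomposition, treated ALE per option, assumption ledger) and the five actions above can be produced from one small FAIR-style Monte Carlo. The block below is an added example, not CyQuantiFi's or FAIR Institute code. Each scenario carries a loss event frequency (events per year) and a calibrated 90% range for per-event loss magnitude, each tagged with its source and review date; a control is a budget line item expressed as a fractional reduction in frequency or magnitude. Every scenario figure, control name and dollar value is constructed for illustration, and the risk-appetite ceiling is a stand-in for your own.

```python
# Added example, not CyQuantiFi code: a FAIR-style Monte Carlo producing the four
# ingredients of a quantified submission. Scenario figures below are constructed.
import math
import random
from dataclasses import dataclass
from typing import Dict, List

Z95 = 1.6449  # standard-normal z at the 95th percentile; fits a lognormal to a 90% range

@dataclass(frozen=True)
class Assumption:
    """One model input with provenance; the assumption ledger is the list of these."""
    name: str
    value: float
    source: str
    reviewed: str  # ISO date of last review

@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Assumption     # loss event frequency, events per year
    lm_p5: Assumption   # per-event loss magnitude, 5th percentile (AUD)
    lm_p95: Assumption  # per-event loss magnitude, 95th percentile (AUD)

@dataclass(frozen=True)
class Control:
    """A budget line item expressed as fractional reductions in LEF and/or magnitude."""
    name: str
    annual_cost: float
    lef_reduction: Dict[str, float]  # scenario name -> fraction of LEF removed
    lm_reduction: Dict[str, float]   # scenario name -> fraction of magnitude removed

def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; fine for the small annual event rates used in CRQ."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def lognormal_from_range(rng: random.Random, p5: float, p95: float) -> float:
    """Draw one loss magnitude from a lognormal fitted to a calibrated 90% range."""
    mu = (math.log(p5) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p5)) / (2 * Z95)
    return rng.lognormvariate(mu, sigma)

def simulate(scenarios: List[Scenario], control=None, runs: int = 20000, seed: int = 7):
    """Simulated annual loss per scenario, plus the portfolio total, one value per run."""
    rng = random.Random(seed)
    losses: Dict[str, List[float]] = {s.name: [] for s in scenarios}
    losses["TOTAL"] = [0.0] * runs
    for s in scenarios:
        lef_factor = 1 - (control.lef_reduction.get(s.name, 0.0) if control else 0.0)
        lm_factor = 1 - (control.lm_reduction.get(s.name, 0.0) if control else 0.0)
        for i in range(runs):
            events = poisson(rng, s.lef.value * lef_factor)
            annual = lm_factor * sum(lognormal_from_range(rng, s.lm_p5.value, s.lm_p95.value)
                                     for _ in range(events))
            losses[s.name].append(annual)
            losses["TOTAL"][i] += annual
    return losses

def percentile(values: List[float], q: float) -> float:
    """Nearest-rank percentile, q in (0, 1]."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))]

def summarise(values: List[float]) -> Dict[str, float]:
    return {"mean": sum(values) / len(values), "p50": percentile(values, 0.50),
            "p90": percentile(values, 0.90), "p95": percentile(values, 0.95)}

def budget_brief(scenarios, controls, appetite: Dict[str, float], runs=20000, seed=7) -> dict:
    """Baseline ALE with tail, decomposition, treated ALE per control, appetite check, ledger."""
    baseline = {k: summarise(v) for k, v in simulate(scenarios, None, runs, seed).items()}
    treated = {}
    for c in controls:
        t = summarise(simulate(scenarios, c, runs, seed)["TOTAL"])
        treated[c.name] = {"annual_cost": c.annual_cost, "treated_mean": t["mean"],
                           "treated_p95": t["p95"],
                           "delta_mean": baseline["TOTAL"]["mean"] - t["mean"],
                           "delta_p95": baseline["TOTAL"]["p95"] - t["p95"]}
    # Dollar-denominated appetite: a scenario breaches when its P95 exceeds the ceiling.
    breaches = {k: baseline[k]["p95"] > ceiling for k, ceiling in appetite.items() if k in baseline}
    ledger = [vars(a) for s in scenarios for a in (s.lef, s.lm_p5, s.lm_p95)]
    return {"baseline": baseline, "treated": treated, "appetite_breaches": breaches, "ledger": ledger}

def example_inputs():
    """Constructed illustrative values (not real loss data); replace with calibrated estimates."""
    def a(scenario: str, field: str, value: float) -> Assumption:
        return Assumption(f"{scenario}: {field}", value, "constructed example", "2026-04-01")
    rows = [("Ransomware on operational systems", 0.6, 400_000, 9_000_000),
            ("Supply-chain compromise", 0.3, 250_000, 6_000_000),
            ("Regulated data exposure", 0.4, 300_000, 5_000_000),
            ("OT availability loss", 0.2, 500_000, 12_000_000),
            ("Third-party material outage", 0.8, 100_000, 2_000_000)]
    scenarios = [Scenario(n, a(n, "LEF", f), a(n, "LM p5", lo), a(n, "LM p95", hi)) for n, f, lo, hi in rows]
    controls = [Control("Phishing-resistant MFA", 450_000,
                        {"Ransomware on operational systems": 0.4, "Regulated data exposure": 0.3}, {}),
                Control("Immutable backups and OT recovery runbooks", 600_000, {},
                        {"Ransomware on operational systems": 0.5, "OT availability loss": 0.35})]
    appetite = {n: 5_000_000 for n, *_ in rows}  # placeholder ceiling per scenario (AUD)
    return scenarios, controls, appetite

if __name__ == "__main__":
    brief = budget_brief(*example_inputs())
    for name, s in brief["baseline"].items():
        print(f"{name:42s} mean {s['mean']:>12,.0f}  p95 {s['p95']:>12,.0f}")
    for name, t in brief["treated"].items():
        print(f"{name:42s} cost {t['annual_cost']:>10,.0f}  dMean {t['delta_mean']:>10,.0f}  dP95 {t['delta_p95']:>10,.0f}")
    print("appetite breaches:", brief["appetite_breaches"])
```

Two design points matter for the CFO conversation. Reporting P90/P95 alongside the mean is what turns a heatmap into a tail argument: a control that barely moves the mean but cuts the P95 is defensible, and one that moves neither belongs in operating cost. Keeping `source` and `reviewed` on every input means the ledger falls out of the model for free rather than being reconstructed the night before the meeting; the `budget_brief` output can be dropped straight into the submission.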
The bottom line
The cyber budget conversation has changed because the people across the table have changed. CFOs now read ASD reports. Boards now sign attestations under penalty. Insurers now demand quantified inputs to renew. ASIC and APRA now expect financial-language risk reporting.
In that environment, the CISO going in with a maturity argument is going in with last year's tools. The CISO going in with a baseline ALE, a scenario decomposition, a treated ALE per option, and a visible assumption ledger is going in with the language the rest of the company uses to allocate capital.
Both CISOs are facing the same threat surface. Only one of them is going to walk out with the budget they need.
Six weeks. Pick five scenarios. Quantify them. Then have the conversation.
See what a quantified FY27 submission looks like
CyQuantiFi runs a "Maths not Vibes" working session — we take ten of your highest-consequence scenarios and produce an ALE-backed budget brief in ~10 working days. No commitment, no procurement.
