
Jun 04 2026
Security

Cybersecurity ROI in Higher Education: How To Win the Budget Conversation

Ongoing cybersecurity education, stakeholder communication techniques and shared metrics can help CISOs gain critical budget approvals.

“The premise that cybersecurity is a back-office or administrative expense and that something might not happen — that needs to be changed,” says Fadi Fadhil, field CIO and director of field strategy at Palo Alto Networks. “CISOs and CIOs can steer that change by engaging in simplified conversations with university leadership. It’s a strategic effort, helping them understand how the investment reduces institutional risk.”

When it comes to budgeting for their cybersecurity programs, higher education CISOs must overcome some unique hurdles, ranging from the federated nature of university IT systems to the difficulty of quantifying security success.

The result of these mounting challenges is increased exposure to ransomware, a greater potential for data breaches and exposure to federal fines tied to regulatory noncompliance. This creates an untenable security situation for many colleges. In the education sector, the average data breach cost $3.5 million in 2024, while the average daily cost of downtime due to a ransomware attack on an educational institution is $500,000.


“According to the 2025 EDUCAUSE Cybersecurity and Privacy Workforce in Higher Education Report, cybersecurity teams at many institutions are operating under significant staffing and budget constraints while demands continue to grow,” says Isaac Galvan, community program director for cybersecurity and privacy at EDUCAUSE. “Budget limitations and hiring freezes continue to shape how institutions prioritize cybersecurity spending, often forcing teams to operate reactively rather than strategically.”

As a result, many CISOs are seeking more effective strategies and practices to help them acquire the budgets they need to safeguard their institutions.

The Role of Ongoing Cybersecurity Training in Budget Discussions

At a high level, one tactic that CISOs can use to help improve the outcomes of their budget conversations is providing ongoing cybersecurity training. Most budget stakeholders are not security experts, so they rely on the CISO to explain to them what’s important and where to direct the university’s security budget. This can be done through both formal and informal conversations throughout the year.

An ongoing cybersecurity training strategy can also include forming partnerships with particular stakeholders. Close relationships with key executive committee members can assist the CISO with making the case for specific budget priorities when the security budget is being considered by the full committee.

“One of the things that helps me at DeVry is that we have a cyber risk committee,” explains Fred Kwong, vice president and CISO at DeVry University. “With this group, I give a full picture of our security posture, the controls we have in place, the existing risk that we have, anything that we still need to mitigate. Then, we talk about future planning. We include several of the executive committee members as part of this group. They can help weigh in with the executive committee on where we need stronger protection and what we need to budget for.”


Speaking the Language of Security Budget Stakeholders

In addition to ongoing cybersecurity training, CISOs need a good understanding of the terms and the language that budget stakeholders respond to. Administrators speak a different language than security teams, and the most compelling budget items are the ones communicated in a way that connects with the budget owners. Language and word choice matter.

“Language is the key. This is about communications,” explains Fadhil. “Don’t lead with your language, talking about technical tools or security controls. Lead with something that better connects with leaders: academic continuity, research protection, student trust, regulatory exposure and operational resilience. Then add numbers to it that quantify the operational impact.”


The importance of language and communication can't be overstated. CISOs also need to make sure there is a common understanding and shared definitions of the terms they use when talking about security budget priorities.

“We have good alignment and understanding on our definition of acceptable risk,” says Kwong. “This is really critical. We have a line we’ve drawn for our university. Anything below that line, we view as an acceptable risk. But anything above the line, we are going to take mitigating controls and steps to address it. It’s a simple idea that everyone understands.”

How Risk Assessments and Cybersecurity Metrics Support the Budget Cause

Skillfully incorporating pertinent metrics into security budget conversations can help CISOs make a stronger, data-driven case for a security need.

“Metrics around staffing sufficiency, workload pressures, turnover and talent pipeline development may help demonstrate operational strain and workforce needs,” says Galvan. “Risk assessments can also provide meaningful data points for budget discussions by helping institutions quantify where vulnerabilities exist and where limited resources should be focused.”


“We do yearly risk assessments, and that gives us a fundamental understanding of where we feel there are gaps in our programs,” explains Kwong. “It also showcases the things that we’re mitigating year over year. We see how many critical issues remain that are beyond our acceptable risk definition. And those are things we need funding for. That’s easy to understand.”

It’s best to steer toward metrics that are easy to follow and already tracked by the security team. Reference the same metrics in every conversation, so stakeholders come to expect them and can see the trend from one budget cycle to the next.

“There are two metrics in particular that I recommend for CISOs,” offers Fadhil. “The first is mean time to detect, the average time it takes to discover a breach. The second is mean time to respond, the average time it takes the security team to start taking action following an alert. In the budget conversations, you can then easily explain if they went up or down. You can compare it with other institutions.”
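The two metrics Fadhil names are only useful in a budget conversation if they are computed the same way every period. The script below is an added example written for this article (it is not code from Fadhil, Palo Alto Networks or any institution quoted here) showing how a security team can compute mean time to detect and mean time to respond from its own incident records and report the period-over-period change. It uses Fadhil's definitions: MTTD is measured from the start of attacker activity to detection, and MTTR from detection to the first responder action. The `Incident` record, its field names and the two fiscal years of incident data are all constructed for illustration; the one edge case it handles is an incident that has been detected but not yet triaged, which is excluded from MTTR rather than silently counted as zero.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    """One incident from the team's tracker (hypothetical schema for this example)."""
    incident_id: str
    compromise_at: datetime                   # start of attacker activity, per forensic timeline
    detected_at: datetime                     # when the security team discovered it
    response_started_at: Optional[datetime]   # first responder action; None if not yet triaged


def _hours(start: datetime, end: datetime, label: str) -> float:
    """Interval in hours; a negative interval means a bad timeline, so refuse to average it."""
    delta = (end - start).total_seconds() / 3600
    if delta < 0:
        raise ValueError(f"{label}: end timestamp precedes start timestamp")
    return delta


def mttd_hours(incidents: list[Incident]) -> float:
    """Mean time to detect: average hours from compromise to detection over the period."""
    if not incidents:
        raise ValueError("no incidents in period")
    return mean(_hours(i.compromise_at, i.detected_at, i.incident_id) for i in incidents)


def mttr_hours(incidents: list[Incident]) -> float:
    """Mean time to respond: average hours from detection to first responder action.

    Incidents that have not been triaged yet have no response time, so they are left out
    instead of being counted as zero (which would flatter the number).
    """
    responded = [i for i in incidents if i.response_started_at is not None]
    if not responded:
        raise ValueError("no responded incidents in period")
    return mean(_hours(i.detected_at, i.response_started_at, i.incident_id) for i in responded)


def pct_change(previous: float, current: float) -> float:
    """Period-over-period change in percent; negative means the metric improved."""
    return round((current - previous) / previous * 100, 2)


def budget_summary(previous: list[Incident], current: list[Incident]) -> dict:
    """The four numbers to put on the budget slide, plus the change for each metric."""
    mttd_prev, mttd_curr = mttd_hours(previous), mttd_hours(current)
    mttr_prev, mttr_curr = mttr_hours(previous), mttr_hours(current)
    return {
        "mttd_prev_h": mttd_prev, "mttd_curr_h": mttd_curr,
        "mttd_change_pct": pct_change(mttd_prev, mttd_curr),
        "mttr_prev_h": mttr_prev, "mttr_curr_h": mttr_curr,
        "mttr_change_pct": pct_change(mttr_prev, mttr_curr),
    }


# Constructed sample data: two fiscal years of incidents (not real institutional records).
FY2024 = [
    Incident("INC-24-001", datetime(2024, 3, 1, 0, 0), datetime(2024, 3, 5, 0, 0), datetime(2024, 3, 5, 6, 0)),
    Incident("INC-24-002", datetime(2024, 7, 10, 8, 0), datetime(2024, 7, 12, 8, 0), datetime(2024, 7, 12, 10, 0)),
]
FY2025 = [
    Incident("INC-25-001", datetime(2025, 2, 1, 0, 0), datetime(2025, 2, 2, 0, 0), datetime(2025, 2, 2, 1, 0)),
    Incident("INC-25-002", datetime(2025, 5, 15, 12, 0), datetime(2025, 5, 16, 0, 0), None),  # detected, not yet triaged
    Incident("INC-25-003", datetime(2025, 9, 1, 0, 0), datetime(2025, 9, 1, 12, 0), datetime(2025, 9, 1, 15, 0)),
]

if __name__ == "__main__":
    for key, value in budget_summary(FY2024, FY2025).items():
        print(f"{key:>16}: {value}")
```

The comparison with other institutions that Fadhil mentions only holds if both sides measure from the same timestamps: an MTTD counted from the first alert rather than from the forensic start of the compromise will look far better, so state the definition alongside the number whenever it is shared.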

Translate Cyber Risk Into Tangible Financial Outcomes

One final suggestion is to never lose sight of the conversation’s context: Security funding is a budget conversation. An effective case for a budget needs to include a clear financial throughline that connects with the priorities of stakeholders.

“The best practice is having a strong understanding of how much revenue is generated by your organization, how much risk is being mitigated by the security program and how much residual risk still exists,” says Kwong. “I use this specific language because it is the language of finance rather than the language of security. You can say, ‘We’re X amount of basis points off here, and our cyber insurance only covers a certain amount.’ Then you can say, ‘This is where our gap remains.’ This articulates it in a way that our financial leaders understand.”

