
Yannick H.,
Feb 11, 2026
Too Long; Didn't Read
Most companies distribute their security budget according to the scatter-gun approach - many tools, little focus. The problem: 80% of your security effectiveness comes from 20% of your measures. Identity (MFA, privileged access) and endpoints are the areas that have the greatest impact on Swiss SMEs. This guide shows you how to focus your budget on what actually protects - with concrete figures and a practical prioritization framework.
Last week, I sat with a CFO. His question: "We spend more on security every year. But are we actually safer?"
Silence.
Not because no one had an answer. But because... no one really knew.
This is a problem we see with almost every client. Budgets are increasing. Tool lists are getting longer. But whether the money is being spent in the right place? A question mark.
Let me be honest: Most security budgets are misallocated. Not because someone made a mistake. But because the decision logic is missing.
Here is what we've learned from 50+ security projects.
The real problem: Too many tools, too little focus
The numbers are sobering: According to the Wiz CISO Budget Benchmark Report 2026, 58% of companies operate more than 25 different security tools. Larger firms often run 50 or more.
That sounds like good defense, right?
It isn't.
More tools mean more complexity. More alerts. More blind spots between the systems. And ironically: often less real security.
(A Ponemon report confirmed this: Excessive tool complexity and resulting "alert fatigue" can even reduce the ability to respond to real threats.)
Here's the thing... Most security leaders actually know this. But budget planning still follows the same pattern: Where was a problem last year? More money there. What is the vendor selling us now? That goes on the list.
That's not a strategy. That's reaction.
The 80/20 rule for security budgets
Here's something no one likes to talk about in the industry:
80% of your security effectiveness comes from about 20% of your measures.
This is not my opinion. This is measurable. An analysis by Phil Venables (former CISO of Goldman Sachs, now Google Cloud) shows: A small set of controls bears the largest part of actual risk reduction - and these are often the least attended to.
The bad news: These very 20% are often the areas that are least invested in - and most likely to be neglected over time.
What belongs to these 20%?
1. Identity - The true perimeter
Forget everything you learned about network perimeters. The new perimeter is identity. (More on this in our article Zero Trust Demystified.)
The numbers are clear. According to the Sophos Active Adversary Report 2025:
71% of initial accesses in attacks happen through external remote services
78% of them use valid credentials
This means: Attackers aren't breaking in. They are logging in - with stolen or compromised credentials.
Where the budget should go first:
Multi-Factor Authentication (MFA) - not optional, everywhere
Privileged Access Management - Admin accounts are gold mines for attackers
Identity Threat Detection - recognize when credentials are being abused
According to the Wiz CISO Budget Benchmark Report 2026, 43% of CISOs worldwide are planning to invest exactly here for 2026. This is not a trend - this is a reaction to reality.
2. Endpoints - Where attacks happen
Your endpoints are where the work occurs. And where attacks land.
Endpoint Detection & Response (EDR) is no longer optional. The question is whether you know what's happening on your devices - or not.
A mid-sized client had 12 different "endpoint solutions" - antivirus here, encryption there, patch management elsewhere. None could actually detect when something unusual happened.
Consolidation onto a modern EDR platform not only reduced costs, but for the first time created real visibility.
3. Detection & Response - See what's happening
The best lock does no good if you don't realize someone is breaking in.
The average time for an attack to be detected is still weeks to months. During this time, attackers are causing real damage.
Investment in detection means:
SIEM/SOAR Modernization - not the 2015 solution
24/7 Monitoring - internally or via a partner
Incident Response Plan - that you have actually tested
The Swiss reality: Where we stand
The Swiss situation is... interesting.
Current figures from the SATW study "SME Cybersecurity 2025" show:
28% of Swiss SMEs say cybersecurity will not be a priority in 2025 - an increase from 18% the previous year
Only 40% feel well prepared for a cyber attack (down from over 50%)
Around 26,000 Swiss companies have been affected by actual damage from cyber attacks in the last three years (extrapolated to ~600,000 SMEs)
That sounds like a contradiction, doesn't it? Threats are increasing, but prioritization is decreasing?
The reason is often the same: Companies have invested in tools without seeing results. So the issue is downgraded.
The solution is not "invest less." The solution is "invest better."
A practical prioritization framework
Here is the framework we use for Swiss SMEs and mid-sized companies.
Step 1: Risk assessment before budget allocation
Before you allocate a franc: What are your actual risks? (We have described why this often goes wrong in Why Most Risk Analyses Fail.)
Not the theoretical ones. Not the ones the vendor wants to sell you. The real ones.
Which data is business-critical?
Which systems cannot fail?
Where are the most likely attack vectors?
(Hint: For most companies, email and remote access are the biggest entry points. Not the sophisticated APT attack.)
Step 2: The 80/20 prioritization
Based on your risk assessment:
Tier 1 - Fundamentals (50-60% of the budget):
Identity & Access Management / MFA
Endpoint Detection & Response
Backup & Recovery (tested!)
Tier 2 - Detection & Response (25-30% of the budget):
SIEM/Monitoring
Incident Response Capability
Network Segmentation
Tier 3 - Emerging & Compliance (15-20% of the budget):
Cloud Security
AI Security (if relevant)
Compliance-specific requirements
Step 3: Tool consolidation
Before buying new tools: Can you consolidate existing ones?
The reality: Most companies use maybe 30-40% of the functions of their security tools. The rest is shelfware.
Consolidation brings:
Lower costs
Less complexity
Better integration
Deeper expertise in the team
We have seen clients who released 25-30% of their security budget through consolidation - without any security compromise.
The ROI Proof: Why it works
"Security is insurance, not an investment" - we often hear that.
But that's not true anymore. Security ROI is measurable.
Concrete examples:
Companies with microsegmentation, MFA, and EDR report 15-30% lower cyber insurance premiums - measurable at the first contract renewal (Source: Elisity 2026 Cybersecurity Budget Benchmarks)
According to the IBM Cost of Data Breach Report 2025: Organizations with a strong Incident Response Plan reduce breach costs by an average of 1.49 million USD (More about the true costs: The Real Cost of Being Unprepared for Ransomware)
Organizations with Security AI and automation save an average of 2.22 million USD per prevented breach (also IBM study)
The Gordon-Loeb Rule provides a scientifically based framework: never spend more than 37% of expected losses on security. But the correct allocation of this investment makes the difference.
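As an added example (not code from the article or its authors), this Python check combines Step 2's tier bands with the Gordon-Loeb ceiling: it computes the annualised expected loss from a small risk register, derives the 37% spending ceiling, and flags any tier whose share falls outside its band. The risk figures and the tier spend are constructed sample values, not client data.

```python
from dataclasses import dataclass

# Tier bands from the article's Step 2, as fractions of the security budget.
TIER_BANDS = {
    "Tier 1 - Fundamentals": (0.50, 0.60),
    "Tier 2 - Detection & Response": (0.25, 0.30),
    "Tier 3 - Emerging & Compliance": (0.15, 0.20),
}
GORDON_LOEB_CAP = 0.37  # spend no more than ~37% of expected loss


@dataclass
class Risk:
    name: str
    annual_probability: float  # likelihood of the event within a year (0..1)
    impact_chf: float          # loss if it happens


def expected_loss(risks):
    """Annualised expected loss: sum of probability x impact over the register."""
    return sum(r.annual_probability * r.impact_chf for r in risks)


def spend_ceiling(risks):
    """Gordon-Loeb upper bound on rational security spend."""
    return GORDON_LOEB_CAP * expected_loss(risks)


def check_allocation(risks, spend_by_tier):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    total = sum(spend_by_tier.values())
    ceiling = spend_ceiling(risks)
    if total > ceiling:
        findings.append(f"total {total:,.0f} CHF exceeds Gordon-Loeb ceiling {ceiling:,.0f} CHF")
    for tier, (low, high) in TIER_BANDS.items():
        share = spend_by_tier.get(tier, 0.0) / total if total else 0.0
        if share < low:
            findings.append(f"{tier}: {share:.0%} of budget, below the {low:.0%} minimum")
        elif share > high:
            findings.append(f"{tier}: {share:.0%} of budget, above the {high:.0%} maximum")
    return findings


# Constructed sample input (assumed values, not real client data).
SAMPLE_RISKS = [
    Risk("ransomware via phishing e-mail", 0.25, 800_000),
    Risk("credential abuse on remote access", 0.30, 400_000),
    Risk("cloud misconfiguration exposure", 0.10, 300_000),
]
SAMPLE_PLAN = {  # a plan that over-spends and is skewed towards Tier 3
    "Tier 1 - Fundamentals": 60_000,
    "Tier 2 - Detection & Response": 45_000,
    "Tier 3 - Emerging & Compliance": 45_000,
}

if __name__ == "__main__":
    print(f"expected loss: {expected_loss(SAMPLE_RISKS):,.0f} CHF")
    for finding in check_allocation(SAMPLE_RISKS, SAMPLE_PLAN):
        print("finding:", finding)
```

Run as-is, the sample plan produces three findings: the total exceeds the ceiling, Tier 1 is under-funded and Tier 3 is over-funded.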
What you can do tomorrow
Three concrete steps:
1. Create a tool inventory: List all your security tools. Really all of them. Then ask: Which ones do we actively use? Which overlap? Which could be eliminated?
2. Check identity: Is MFA active everywhere? Who has privileged access? When were these last checked? If you can't answer these questions, you know where to start.
3. Conduct (or hire for) a risk assessment: Before the next budget is approved, understand what your real risks are. Not the generic ones. Your specific ones.
The short version
Security budgets are increasing. But whether they're properly allocated is another question.
Here's what truly matters:
80% of effectiveness comes from 20% of measures - invest there first
Identity is the new perimeter - MFA and Privileged Access first
Consolidation before new acquisition - fewer tools, better used
Risk Assessment before budget allocation - understand first, then invest
ROI is measurable - insurance premiums, incident costs, compliance effort
The question isn't whether you're spending enough. The question is whether you're spending it in the right place.
(And if you're not sure - that's exactly what we help with. Vendor-neutral, focused on your real risks. Coffee is on us.)
Sources:
SATW / cyberstudie.ch: SME Cybersecurity 2025 - Swiss SME statistics
Wiz: CISO Budget Benchmark Report 2026 - Tool sprawl and CISO investment plans
Sophos Active Adversary Report 2025 - Attack vectors and credential usage
IBM Cost of Data Breach Report 2025 - ROI data on IR and automation
Elisity: 2026 Cybersecurity Budget Benchmarks - Insurance premium reduction
Phil Venables: The 80/20 Principle - Security control effectiveness