Getting cyber spend right: balancing risk and compliance
Why blending risk insight with compliance discipline leads to smarter, stronger security

Organisations too often swing between extremes in setting their cybersecurity budgets. On one side, spend is driven purely by governance, risk and compliance obligations, resulting in a control environment shaped more by regulators than by actual business risk. On the other, spend is driven solely by risk assessments, which may be rigorous but lack alignment to external expectations and legal obligations.
Neither approach on its own is sufficient. The most effective strategy combines both: using structured risk assessment to ensure spend is proportionate and targeted, while ensuring that governance and regulatory compliance obligations are fully met.
The role of risk assessment
The simple equation Risk = Threat × Vulnerability × Impact provides clarity: it keeps security controls focused on real exposure rather than hype. By identifying the threat actors relevant to the organisation, assessing how likely exploitation is given its current weaknesses, and quantifying the potential business impact, risk assessment drives proportionate investment and avoids spending on countermeasures that do not actually reduce exposure.
The role of Governance, Risk and Compliance (GRC)
We understand, however, that risk assessment alone is not enough. There is a vast regulatory landscape which demands demonstrable governance and compliance. This includes frameworks such as NIS2, DORA, ISO/IEC 27001 and the NCSC Cyber Assessment Framework – all designed to improve cyber security, but differing in scope, focus and legal status. An organisation cannot simply argue that a risk was deemed low and therefore ignored if legislation or regulation mandates specific controls. GRC provides the external accountability, governance discipline and assurance that risk-based decisions are not only sensible, but also defensible.
The benefits of combining both
By applying risk assessment through the lens of compliance, organisations gain three key advantages:
- Proportionality – Spend is tied directly to real-world risks, ensuring resources are used efficiently.
- Defensibility – Decisions align with regulatory obligations and can be explained to auditors, regulators, boards and customers.
- Resilience – The control environment covers both the risks most likely to harm the organisation and the governance requirements that shape its licence to operate.
What this means for your security strategy
The organisations that achieve the best outcomes are those that integrate both disciplines. Risk assessment ensures that every control is appropriate and proportionate. Governance, risk and compliance obligations ensure those controls are aligned to law, regulation and customer expectation. The result is a security budget that is not arbitrary but is efficient, defensible and sustainable.
In an era of constrained budgets and heightened regulatory oversight, this dual lens is not optional – it is essential.
At Softcat, our v-CISO and GRC services help organisations put this balanced approach into practice. Through structured assessments, tailored governance frameworks and board-level insight, we help our customers to invest where it matters most, eliminating waste while strengthening resilience. Whether through a short diagnostic or a retained v-CISO engagement, we help ensure that every pound spent on cybersecurity delivers measurable value and supports long-term business confidence.
If you’d like to find out more, contact your Softcat Account Manager or our Sales team, or visit our cybersecurity services page.