Five Line Items That Need Budget Before SIEM
Budget meetings rarely collapse over the total amount. They collapse over a single line item the moment the CISO cannot answer the CFO’s question: Why this item, and why first? Anyone who positions the security budget as risk financing has the answer ready before the meeting.
Key Points at a Glance
- Risk drives the budget, not a tool list. Section 30 BSIG makes proportionality the benchmark and explicitly names implementation costs and risk exposure as decision criteria.
- There is no mandatory figure. Bitkom’s 2025 survey shows an average 18 percent IT security share of the IT budget. Bitkom and the BSI President cite 20 percent as a benchmark. No statutory fixed minimum amount exists.
- Sequence matters. Risk analysis, identity protection, backup, and basic hygiene come before a full-scale SIEM.
- The line that carries with the CFO: What risk reduction are we buying for which euro?
Related: Five Metrics the Supervisory Board Actually Understands · Which Controls Must Remain When Consolidating the Tool Stack
What Is Risk-Based Security Budgeting?
What Is Risk-Based Security Budgeting? Risk-based security budgeting assigns every expenditure to a documented risk and funds first the measures that reduce the greatest expected damage per euro spent. The benchmark is proportionality under Section 30 BSIG. A complete tool list does not replace this benchmark.
The difference becomes visible in the conversation with the CFO. A tool list answers the question “What are we buying?”. Risk financing answers the question “What risk are we reducing with this, and by how much?”. The second question survives critical follow-up; the first rarely does.
Avg. IT security share of the IT budget, Bitkom survey 2025 (n=1,002)
Benchmark from Bitkom and BSI President Plattner
requires proportionate measures, not a fixed minimum amount
The Logic Behind the Sequence
Three factors determine which line item receives funding first. The first is expected damage, roughly the product of probability of occurrence and extent of damage. The second is risk appetite, i.e., the threshold below which management consciously carries residual risk. It governs measures above the statutory baseline. The ten minimum measures in Section 30 (2) BSIG remain mandatory and are implemented proportionately. The third is cost-effectiveness: damage reduction per euro invested.
This produces a simple prioritization rule: measures with high probability of occurrence, significant damage leverage, and low costs come first. This sequence aligns with the statutory framework. Section 30 (1) BSIG requires “appropriate, proportionate and effective” measures and lists, among the criteria for proportionality, the extent of risk exposure, the size of the organization, implementation costs, as well as the probability and severity of incidents. The legislator does not require a complete tool list. It requires a reasoned balancing that does not fall below the statutory baseline.
Five Line Items That Need Budget Before SIEM
1. Documented Risk Analysis and Protection Requirements
What gets funded is the risk analysis itself: an asset and process inventory, a documented risk appetite, and a derived measures roadmap. Without this foundation, there is no shared data basis on which every subsequent budget debate is decided. This line item costs primarily staff time but steers the entire allocation. Section 30 (1) sentence 3 BSIG also requires documenting compliance with the measures. Without a documented risk position, proportionality can neither be justified nor demonstrated.
2. Identity and Access Protection
This covers multi-factor authentication, hardened identity management, special protection for privileged accounts, and regular access reviews. The risk addressed is one of the most common entry points: account takeover via stolen credentials followed by lateral movement across the network. According to Bitkom 2025, ransomware, phishing, and password attacks rank among the most frequent attack types causing damage. The protection costs little per user yet directly safeguards the most critical accounts. Multi-factor authentication is explicitly listed as a measure in Section 30 (2) no. 10 BSIG.
3. Backup and Tested Recovery
This funds multiple backups following the 3-2-1 rule, immutable or offline copies, and recovery that is regularly tested. A backup that has never been restored is an assumption, not proof. The risk is business interruption, which according to the Allianz Risk Barometer 2025 is the second-largest corporate risk worldwide, right after cyber incidents. A reliable backup reduces extortion pressure in ransomware attacks and limits downtime losses if prevention fails. The basis is set out in Section 30 (2) no. 3 BSIG.
4. Vulnerability and Exposure Management
This line item funds prioritized patch management, hardening of internet-facing systems, and a deliberately small attack surface. The risk is the exploitation of long-known vulnerabilities and exposed services that no one had in view. The impact per euro is high because low-cost attack vectors are closed before anyone exploits them. The sequence is deliberate: first reduce the attack surface, then invest in monitoring. A detection tool on an unhardened environment primarily generates noise.
5. Incident Response and Logging Foundation
Rounding out the baseline are an incident playbook, a practiced escalation chain including preparation for the 24-hour reporting obligation under Section 32 BSIG, centralized collection of logs from critical systems, and targeted awareness training for high-risk groups. The risk is prolonged attacker dwell time, high forensics costs, and a missed reporting deadline. This item comes last among the top five because its expansion builds on the previous ones. However, the escalation chain and minimal logging for critical systems should be established early; the outsourced security operations center and a full SIEM can follow later.
Impact per Euro Compared
The same logic can be read as a simple map. It shows why hygiene comes before expensive platforms.
| Investment | Cost Profile | Impact per Euro | Timing |
|---|---|---|---|
| Documented Risk Analysis | low (staff time) | high | before everything else |
| Multi-Factor and Privileged Accounts | low to medium | high | immediately |
| Tested Backups | medium (storage) | high | immediately |
| Patching and Hardening of Exposed Systems | low to medium | high | early |
| Baseline Logging and Incident Playbook | medium | medium to high | after baseline hardening |
| Full-Scale SIEM | high | low, if before hygiene | only after baseline hygiene |
| Additional Standalone Tools Without Asset Foundation | high | low | lower priority |
What This Sequence Delivers to the CFO
A larger budget alone does not buy greater security. A global survey of more than 300 security leaders (Wiz 2026) shows that many organizations increase spending yet still consider their security posture inadequate. The reason rarely lies in the amount, often in the allocation. This is exactly where risk-based budgeting comes in.
For the CFO, the conversation becomes verifiable. Every line item carries a risk, an expected damage reduction, and a cost figure. Anything that goes beyond the statutory baseline and falls below the risk appetite is deliberately deferred and documented instead of being silently included. This transforms the annual budget debate from a negotiation over amounts into a decision about residual risks. The guiding question remains the same in every round: What risk reduction are we buying for which euro?
Frequently Asked Questions
Each question is collapsed. Tapping unlocks the answer.
How Much Budget Does Security Need in the Mittelstand?
No statutory mandatory figure exists. Bitkom’s 2025 survey (n=1,002) measures an average 18 percent IT security share of the IT budget in Germany. BSI and Bitkom recommend 20 percent as a benchmark. What remains decisive is the documented risk exposure under Section 30 (1) BSIG, not an industry average.
Which Security Measure Should Be Funded First?
After the documented risk analysis, typically identity and access protection with multi-factor authentication, along with tested recovery. Both address common entry and outage risks at low cost per user. Section 30 (2) nos. 3 and 10 BSIG support this priority.
Does NIS2 Require a Specific Budget?
No. Section 30 BSIG requires appropriate, proportionate and effective measures. Proportionality takes implementation costs and risk exposure into account. Neither the BSIG nor the NIS2 Directive specifies a minimum budget.
How Do I Justify the Security Budget to the CFO?
As risk financing: expected damage reduction per euro, tied to a documented risk appetite. Supporting evidence includes the prioritized measures list from the risk analysis, the damage categories from the Bitkom study, and proportionality under Section 30 BSIG as the compliance framework. The key question remains: What risk reduction are we buying for which euro?
Editor’s Picks
Editor’s PickWhich CISO Decision Rights Must Be Set Out in WritingEditor’s PickSupply Chain Risk Is a Program, Not an Audit Checklist
More from the MBF Media Network
Digital ChiefsGeopolitics Meets the Data Center Roadmap: What CIOs Must Secure NowMyBusinessFutureEU AI Act from August 2026: What labelling obligations really affect SMEscloudmagazinXFS4IoT Meets the Cloud: The ATM Becomes a Platform
Image source: AI-generated (July 2026)




