Stop Reacting to Audits, Start Managing Security Like a Portfolio

Cybersecurity Strategy

October 17, 2025

Chris Schreiber


I walked into that board audit committee meeting ready to discuss our strategic roadmap and long-term risk priorities.

The conversation immediately narrowed to password rotation policies and vulnerability scan frequencies. I realized the auditor, not security and technology leadership, was steering our strategy.

That same quarter proved the point. My team spent more time responding to vendor questionnaires and audit remediation than rolling out the multi-factor authentication (MFA) we’d been requesting for years. The auditor was setting our spending priorities, and we were reacting rather than leading.

After coaching 140+ public-sector technology leaders through similar challenges, I discovered the disturbing pattern was everywhere. Organizations were using audit frameworks as substitutes for an actual strategy.

Data confirms this conclusion. Of the organizations that reported increased cybersecurity budgets in 2023, four in five reported the increases were reactive rather than routine.

The Audit-Driven Reality

Here’s how the “audit-first” cycle plays out when you’re allocating your next security dollar.

The audit report lands. The board asks for closure dates. The loudest voice pulls budget and staff attention.

Step by step:

An audit item gets flagged and escalated to leadership. The board requests a remediation plan and timeline. Funding shifts to “close the finding,” even if risk reduction is marginal.

Foundational work gets deferred. New findings emerge in the next cycle. The team repeats the loop, planning to pass audits rather than build a durable program.

I’ve seen teams prioritize password complexity rules while incomplete MFA rollouts wait in the queue. EDR coverage sits at 60%, while advanced deception tools get funding approval.

The result? Thirty-five percent of cybersecurity spending goes toward compliance and risk management, often at the expense of foundational security capabilities.

Portfolio Management Changes Everything

The fix was to flip the model entirely.

Treat security planning as an investment discipline. Manage capabilities like a portfolio. Define success as steady, visible reduction of risk.

I ask which capability has the highest Improvement Priority score, considering relative risk reduction, cost, and level of effort. I check dependencies so that prerequisites get funded first.

One public-sector team came to me convinced that security automation would fix their lean staffing. The baseline assessment told a different story.

Two items rose to the top ahead of automation: enforce DMARC (Domain-based Message Authentication, Reporting and Conformance) on their email domains and replace an aging identity platform that underpinned single sign-on.

They reallocated budget accordingly. DMARC implementation reduced spoofed inbound spam. The identity system replacement improved user experience and removed a single-maintainer bottleneck.

Rather than funding the shiniest idea, we funded capabilities with the highest Improvement Priority scores, in the right order.

This shift from audit-driven to strategic budgeting requires a practical framework.

Making Portfolio Thinking Practical

Portfolio thinking sounds logical, but most security leaders struggle with the “how.” You need a repeatable method that works under pressure and translates to board language.

This is where the Cyber Heat Map framework becomes essential.

Instead of marching through static checklists, it uses a capability-first lens that builds a credible baseline quickly, then creates a visual heat map showing gaps and priorities.

I assess whether each capability is “not adopted,” “partially adopted,” or “fully adopted.” The framework calculates Improvement Priority scores that balance relative risk reduction against cost and level of effort.
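To make the scoring and dependency ordering described here (and in the portfolio discussion above) concrete, here is an added Python example; it is not Cyber Heat Map's own code or formula. The score formula (remaining adoption gap times relative risk reduction, divided by cost plus effort), the 1 to 5 scales, and the sample portfolio are all assumptions constructed for illustration, loosely modelled on the capabilities the article mentions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Adoption state maps to the share of the capability's benefit still unrealised.
ADOPTION_GAP = {"not adopted": 1.0, "partially adopted": 0.5, "fully adopted": 0.0}


@dataclass
class Capability:
    name: str
    adoption: str                 # one of the ADOPTION_GAP keys
    risk_reduction: int           # relative risk reduction, 1 (low) to 5 (high), assumed scale
    cost: int                     # relative cost, 1 to 5, assumed scale
    effort: int                   # relative level of effort, 1 to 5, assumed scale
    depends_on: List[str] = field(default_factory=list)   # prerequisite capability names


def improvement_priority(cap: Capability) -> float:
    """Assumed scoring: remaining gap x risk reduction, divided by cost plus effort."""
    gap = ADOPTION_GAP[cap.adoption]
    return round(gap * cap.risk_reduction / (cap.cost + cap.effort), 3)


def build_roadmap(caps: List[Capability], top_n: int = 5) -> Tuple[List[str], List[str]]:
    """Rank open capabilities by score, but never fund one before its prerequisites.

    Returns (top_n funded in order, everything else deferred in order)."""
    scores = {c.name: improvement_priority(c) for c in caps}
    done = {c.name for c in caps if c.adoption == "fully adopted"}
    remaining = [c for c in caps if c.name not in done]
    order: List[str] = []
    while remaining:
        # Only capabilities whose prerequisites are already in place are eligible.
        ready = [c for c in remaining if all(d in done for d in c.depends_on)]
        if not ready:
            raise ValueError("unresolvable prerequisite or dependency cycle")
        pick = max(ready, key=lambda c: scores[c.name])
        order.append(pick.name)
        done.add(pick.name)
        remaining.remove(pick)
    return order[:top_n], order[top_n:]


# Constructed sample portfolio (names, scores and dependencies are assumptions).
PORTFOLIO = [
    Capability("dmarc-enforcement", "not adopted", 4, 1, 2),
    Capability("identity-platform", "not adopted", 5, 3, 3),
    Capability("mfa-rollout", "partially adopted", 5, 2, 3, ["identity-platform"]),
    Capability("edr-coverage", "partially adopted", 4, 2, 1),
    Capability("security-automation", "not adopted", 3, 3, 4, ["identity-platform", "edr-coverage"]),
    Capability("deception-tools", "not adopted", 2, 4, 3),
    Capability("password-complexity", "partially adopted", 1, 1, 1),
    Capability("vulnerability-scanning", "fully adopted", 3, 1, 1),
]
```

Running `build_roadmap(PORTFOLIO)` on this sample puts DMARC and the identity platform ahead of automation (which waits on its prerequisites), and leaves deception tools and password complexity on the deferred list.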

The transparency matters. I can explain exactly how priorities emerge from the assessment, making it easy to justify decisions to executives, auditors, and my team.

It aligns with how boards already think. By treating security capabilities like a portfolio and focusing on balanced capabilities, I can show progress in plain language, map to frameworks when needed, and keep conversations centered on strategic priorities.

You can explore the detailed methodology in my article on ditching assessment busywork or learn about developing strategy using Cyber Heat Map.

Strategic Budgeting in Action

The heat map changes board conversations from compliance tallies to investment stories grounded in capabilities.

I open with the heat map to establish a shared baseline, then walk through the Top 5 with a simple “why now” for each item, using portfolio language they already understand.

When the internal audit flagged password complexity gaps, our baseline showed weak identity management and incomplete multi-factor authentication. Rather than letting the finding disrupt our plans, we incorporated MFA rollout as a higher-impact, foundational fix.

The board saw a defensible tradeoff grounded in a logical implementation order, not compliance whack-a-mole.

This change is important: come with a plan, not a plea.

I bring a one-page heat map showing our capability baseline and gaps, a short Top 5 with clear reasoning for each item, and a 90-day plan that spells out what starts, what depends on prerequisites, and what we’ll defer.

I also state what we’ll pause in order to fund the higher-priority items. That stewardship signals I’m managing a portfolio, not presenting a shopping list.

I layer this 90-day operating rhythm on top of annual budget and audit cycles. At the start of each quarter, I bring the updated baseline and priorities, and then we agree on execution. The message to leadership stays consistent. I show them the overall cybersecurity capability landscape using a tool like Cyber Heat Map. Then I can explain a defensible set of priorities and how I’ll execute on them and report progress.

The Cyber Heat Map approach keeps conversations focused on the complete system, not one control at a time. When user impact matters, I bundle related changes into a single, coherent release and explain the timeline up front.

Your Strategy, Not Theirs

Remember that board meeting where I realized the auditor was steering our strategy? The portfolio approach changes that dynamic.

Now I walk in with data-backed priorities, clear tradeoffs, and a defensible roadmap. The auditor becomes a valuable input, not the decision maker. Leadership sees steady progress toward strategic goals, not reactive scrambling to close findings.

By doing that, I move discussions away from audit-driven spending. Instead, I manage cybersecurity investments like a portfolio.

Ready to build your own cybersecurity portfolio roadmap? Join a Cyber Pathfinder Workshop and create your baseline and Top 5 priorities in three guided sessions.

About the Author

Christian “Chris” Schreiber is a cybersecurity strategist and advisor who helps technology leaders cut through vendor noise and focus their limited resources where they matter most. He is the founder of CampusCISO® and the creator of Cyber Heat Map®, a cybersecurity planning platform used by 140+ technology and information security leaders. Chris previously served as a university CISO and held strategic roles in the private sector. Read more about Chris →
