
Lead With the Gap, Not the Label

Why funding gap percentage is a more actionable security metric than risk level ratings — and how it changes the budget conversation.

Tags: Cybersecurity Leadership, Risk Management, Public Sector, CISO

Jason Walker

State CISO, Florida

We rated 7 of 10 cybersecurity risk categories as HIGH across 32 Florida state agencies last December. When I presented that finding to stakeholders, the immediate response was predictable: "so everything is critical?" And that's exactly the problem with risk level labels.

HIGH tells you something is broken. It tells you nothing about what it costs to fix it.

The Assessment That Changed How I Present Risk

The December 2025 Enterprise Cybersecurity Risk Assessment was the most comprehensive we'd run. Thirty-two agencies. Ten risk categories. Seven rated HIGH. The raw data was accurate — agencies genuinely face serious exposure across identity management, vulnerability management, data protection, third-party risk, and more.

But presenting seven HIGH-rated categories as equally urgent to a budget committee produces paralysis, not investment. When everything is critical, nothing gets funded. The committee needs a way to prioritize, and "it's all HIGH" doesn't provide one.

The insight came from cross-referencing risk ratings with funding gap percentages — the delta between current investment and what's needed for baseline capability. The picture that emerged was completely different from the rating list.

Incident Response: HIGH risk, 13% funding gap, 11 of 32 agencies affected. Business Continuity and Disaster Recovery: HIGH risk, 58% funding gap, 20 of 32 agencies affected. Same risk label. Completely different investment profile.

What the Gap Tells You That the Label Doesn't

A 13% funding gap means agencies have most of what they need. They have the frameworks, the personnel, the tooling — they're close to baseline. Targeted investment closes the gap efficiently. The problem is calibration, not construction.

A 58% funding gap means the capability barely exists. You're not refining a mature program; you're building one from scratch. The investment required is not incremental — it's a capital campaign. The budget ask, the timeline, the governance required, the legislative justification — everything is different.

When I realized this, I stopped leading with risk labels in budget conversations. I started leading with gap percentages and translating them into what they actually mean for decision-makers.

"We need to close a 13% gap in Incident Response" becomes: "Your agencies have functional incident response programs. We need $X to bring the lagging third into alignment with current practice."

"We need to close a 58% gap in Business Continuity" becomes: "If any of these 20 agencies experiences a major disruption today, they cannot recover systematically. We're asking for a multi-year capital investment to build that capability."

These are different asks, and they require different conversations. The risk label doesn't tell you which one you're having. The funding gap does.

Why This Matters for Public Sector Leaders

The challenge for state and local government CISOs is that our stakeholders — legislators, county commissioners, city councils — make funding decisions the way businesses do, but we often present risk the way technologists do.

Technical risk frameworks optimize for precision and completeness. They're designed to give practitioners a comprehensive view of the threat landscape. But legislative budget hearings optimize for clarity and prioritization. The question a legislator asks is not "what are all the risks?" — it's "where should we invest first, and why?"

Funding gap percentage answers that question directly. It's a ratio that any financial decision-maker understands intuitively. A 13% gap is a maintenance investment. A 58% gap is a new construction investment. The moment you frame it that way, the conversation changes.

This is also why leading with gap percentage changes the political dynamics of the ask. A 13% gap says: "you've been funding this well, and we need a small adjustment." A 58% gap says: "this program has been systematically underfunded, and here's the evidence." The first is a tuning conversation. The second is an accountability conversation. Knowing which one you're in before you walk into the room makes you a better advocate.

The Metric in Practice

For Florida's risk portfolio, the funding gap analysis produced a clear three-tier priority structure that we could present with confidence.

The first tier — close quickly with targeted investment — included Incident Response and Configuration Management, both under 40% gaps with relatively contained agency populations. These are programs where existing investment is producing results and incremental funding produces proportional improvements.

The second tier — requires structural investment over multiple budget cycles — included Business Continuity, Identity Management, and Data Protection, all with gaps above 40% affecting more than half the agency population. These aren't problems you solve in one budget cycle. The ask has to frame a multi-year investment trajectory.

The third tier — requires policy intervention before funding is effective — included areas where the gap reflects not just underinvestment but absence of governance frameworks and statutory authority. Funding alone doesn't close these gaps. Policy change has to come first.

This three-tier framing gave stakeholders something they could act on. Not "seven things are HIGH" but "here's what we can fix this year, here's what requires a multi-year commitment, and here's what requires legislation before dollars matter."

The Simple Reframe

If you're a security leader preparing a budget presentation, try this reframe before your next meeting. Take your risk ratings and add one column: funding gap percentage, with a plain-English interpretation of what that gap means for investment type.

Under 20%: calibration investment, tactical budget cycle. 20-40%: program maturation, 2-year investment horizon. 40-60%: program development, multi-year capital commitment. Above 60%: program construction, requires dedicated appropriation and executive sponsorship.
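The reframe above is a small calculation that can be scripted once and rerun every budget cycle. The following Python script is an added example, not the author's or the State of Florida's tooling: it computes funding gap percentage as the article defines it (the delta between current investment and baseline need, expressed as a share of the need), attaches the investment-type band from the list above, and assigns the three-tier priority from "The Metric in Practice" (under 40% gap closes with targeted investment, 40% or above needs structural investment, and any category flagged as lacking governance or statutory authority goes to the policy tier regardless of gap). The dollar figures are constructed so that the two page-level examples land at 13% and 58%; the article gives no budgets. Treating the bands as half-open intervals at 20, 40 and 60 is also an assumption, since the article does not say where an exact 40% falls.

```python
from dataclasses import dataclass

# Investment-type bands from the article's "Simple Reframe" section.
# The article lists "Under 20%", "20-40%", "40-60%", "Above 60%";
# reading them as half-open intervals at 20/40/60 is an assumption made here.
BANDS = [
    (20.0, "calibration investment, tactical budget cycle"),
    (40.0, "program maturation, 2-year investment horizon"),
    (60.0, "program development, multi-year capital commitment"),
]
TOP_BAND = "program construction, dedicated appropriation and executive sponsorship"


@dataclass
class RiskCategory:
    name: str
    risk_label: str            # the assessment's rating, e.g. "HIGH"
    current_funding: float     # what is invested today (constructed sample values below)
    baseline_need: float       # what baseline capability would cost
    agencies_affected: int
    agencies_total: int
    needs_policy: bool = False # governance/statutory gap: funding alone won't close it


def funding_gap_pct(current: float, needed: float) -> float:
    """Gap between current investment and baseline need, as a percent of the need."""
    if needed <= 0:
        raise ValueError("baseline need must be positive")
    # A category funded above baseline has no gap; clamp rather than report negative.
    return round(max(0.0, (needed - current) / needed * 100.0), 1)


def investment_type(gap_pct: float) -> str:
    """Plain-English investment type for a gap percentage, per the article's bands."""
    for upper_bound, label in BANDS:
        if gap_pct < upper_bound:
            return label
    return TOP_BAND


def priority_tier(gap_pct: float, needs_policy: bool = False) -> int:
    """1 = close quickly, 2 = structural multi-year investment, 3 = policy first."""
    if needs_policy:
        return 3
    return 1 if gap_pct < 40.0 else 2


def reframe(categories: list[RiskCategory]) -> list[dict]:
    """Build the 'add one column' table: risk label plus gap, band and tier."""
    rows = []
    for c in categories:
        gap = funding_gap_pct(c.current_funding, c.baseline_need)
        rows.append({
            "category": c.name,
            "risk_label": c.risk_label,
            "gap_pct": gap,
            "affected": f"{c.agencies_affected} of {c.agencies_total}",
            "investment_type": investment_type(gap),
            "tier": priority_tier(gap, c.needs_policy),
        })
    # Present by tier so the budget committee sees what is fixable this year first.
    return sorted(rows, key=lambda r: (r["tier"], r["gap_pct"]))


# Constructed sample portfolio: the gap percentages and agency counts come from
# the article; the dollar amounts are invented to reproduce those percentages.
SAMPLE_PORTFOLIO = [
    RiskCategory("Incident Response", "HIGH", 870_000.0, 1_000_000.0, 11, 32),
    RiskCategory("Business Continuity and Disaster Recovery", "HIGH", 420_000.0, 1_000_000.0, 20, 32),
]

if __name__ == "__main__":
    for row in reframe(SAMPLE_PORTFOLIO):
        print(f"Tier {row['tier']} | {row['category']}: {row['risk_label']}, "
              f"{row['gap_pct']}% gap, {row['affected']} agencies -> {row['investment_type']}")
```

Both sample categories carry the same HIGH label, yet the table separates them into tier 1 (a 13% calibration investment) and tier 2 (a 58% multi-year program development), which is the distinction the label alone hides.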

Lead with the gap. Let the risk rating provide context. The conversation you'll have will be more productive, and the decisions that come out of it will be better ones.