Lead With the Gap, Not the Label
Why funding gap percentage is a more actionable security metric than risk level ratings, and how it changes the budget conversation.
Jason Walker
State CISO, Florida
We rated the majority of cybersecurity risk categories as HIGH across dozens of state agencies in a recent assessment. When I presented that finding to stakeholders, the immediate response was predictable: "so everything is critical?" And that is exactly the problem with risk level labels.
HIGH tells you something is broken. It tells you nothing about what it costs to fix it.
The Assessment That Changed How I Present Risk
The most recent enterprise cybersecurity risk assessment was the most comprehensive we had run. Dozens of agencies. Multiple risk categories. Most rated HIGH. The raw data was accurate. Agencies genuinely face serious exposure across identity management, vulnerability management, data protection, third-party risk, and more.
But presenting a wall of HIGH-rated categories as equally urgent to a budget committee produces paralysis, not investment. When everything is critical, nothing gets funded. The committee needs a way to prioritize, and "it is all HIGH" does not provide one.
The insight came from cross-referencing risk ratings with funding gap percentages, the delta between current investment and what is needed for baseline capability. The picture that emerged was completely different from the rating list.
Take two categories, both rated HIGH. One had a modest funding gap with a limited number of agencies affected. The other had a gap several times larger, affecting the majority of agencies. Same risk label. Completely different investment profile.
What the Gap Tells You That the Label Doesn't
A small funding gap means agencies have most of what they need. They have the frameworks, the personnel, the tooling. They are close to baseline. Targeted investment closes the gap efficiently. The problem is calibration, not construction.
A large funding gap means the capability barely exists. You are not refining a mature program. You are building one from scratch. The investment required is not incremental. It is a capital campaign. The budget ask, the timeline, the governance required, the legislative justification: everything is different.
When I realized this, I stopped leading with risk labels in budget conversations. I started leading with gap percentages and translating them into what they actually mean for decision-makers.
A narrow gap in Incident Response becomes: "Your agencies have functional incident response programs. We need targeted funding to bring the lagging minority into alignment with current practice."
A wide gap in Business Continuity becomes: "If a significant number of your agencies experience a major disruption today, they cannot recover systematically. We are asking for a multi-year capital investment to build that capability."
These are different asks, and they require different conversations. The risk label does not tell you which one you are having. The funding gap does.
Why This Matters for Public Sector Leaders
The challenge for state and local government CISOs is that our stakeholders (legislators, county commissioners, city councils) make funding decisions the way businesses do, but we often present risk the way technologists do.
Technical risk frameworks optimize for precision and completeness. They are designed to give practitioners a comprehensive view of the threat landscape. But legislative budget hearings optimize for clarity and prioritization. The question a legislator asks is not "what are all the risks?" It is "where should we invest first, and why?"
Funding gap percentage answers that question directly. It is a ratio that any financial decision-maker understands intuitively. A narrow gap is a maintenance investment. A wide gap is a new construction investment. The moment you frame it that way, the conversation changes.
This is also why leading with gap percentage changes the political dynamics of the ask. A narrow gap says: "you have been funding this well, and we need a small adjustment." A wide gap says: "this program has been systematically underfunded, and here is the evidence." The first is a tuning conversation. The second is an accountability conversation. Knowing which one you are in before you walk into the room makes you a better advocate.
The Metric in Practice
For a state risk portfolio, the funding gap analysis produced a clear three-tier priority structure that we could present with confidence.
The first tier, "close quickly with targeted investment," included categories with narrow gaps and relatively contained agency populations. These are programs where existing investment is producing results and incremental funding produces proportional improvements.
The second tier, "requires structural investment over multiple budget cycles," included categories with wider gaps affecting a majority of the agency population. These are not problems you solve in one budget cycle. The ask has to frame a multi-year investment trajectory.
The third tier, "requires policy intervention before funding is effective," included areas where the gap reflects not just underinvestment but absence of governance frameworks and statutory authority. Funding alone does not close these gaps. Policy change has to come first.
This three-tier framing gave stakeholders something they could act on. Not "everything is HIGH" but "here is what we can fix this year, here is what requires a multi-year commitment, and here is what requires legislation before dollars matter."
The Simple Reframe
If you are a security leader preparing a budget presentation, try this reframe before your next meeting. Take your risk ratings and add one column: funding gap percentage, with a plain-English interpretation of what that gap means for investment type.
Narrow gap: calibration investment, tactical budget cycle. Moderate gap: program maturation, multi-year investment horizon. Wide gap: program development, multi-year capital commitment. Extreme gap: program construction, requires dedicated appropriation and executive sponsorship.
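The reframe above, and the three-tier structure from "The Metric in Practice," as an added worked example that is not part of the original article: the gap percentage is computed as the delta between current and needed investment as a share of need, then mapped to the four bands and to a tier. The band cut-offs (25/50/75 percent), the tier rules, and the sample portfolio are all assumptions constructed for illustration, since the article gives no numbers.

```python
from dataclasses import dataclass

# Assumed band cut-offs; the article names the bands but gives no thresholds.
GAP_BANDS = [
    (0.25, "narrow", "calibration investment, tactical budget cycle"),
    (0.50, "moderate", "program maturation, multi-year investment horizon"),
    (0.75, "wide", "program development, multi-year capital commitment"),
    (1.01, "extreme", "program construction, dedicated appropriation and executive sponsorship"),
]


@dataclass
class RiskCategory:
    name: str
    risk_level: str           # the label, e.g. "HIGH"; kept only as context
    current_funding: float    # current investment (any consistent unit)
    needed_funding: float     # investment needed for baseline capability
    agencies_affected: int
    agencies_total: int
    governance_exists: bool   # False when frameworks/statutory authority are absent

    def gap_pct(self):
        """Funding gap as a fraction of need; fully funded or overfunded is 0."""
        if self.needed_funding <= 0:
            return 0.0
        return max(0.0, (self.needed_funding - self.current_funding) / self.needed_funding)

    def band(self):
        """Map the gap fraction to (band label, plain-English investment type)."""
        g = self.gap_pct()
        for ceiling, label, meaning in GAP_BANDS:
            if g < ceiling:
                return label, meaning
        return GAP_BANDS[-1][1], GAP_BANDS[-1][2]

    def tier(self):
        """Assumed rule: 3 = policy first, 1 = narrow gap and contained population, else 2."""
        if not self.governance_exists:
            return 3
        majority = self.agencies_affected > self.agencies_total / 2
        return 1 if self.band()[0] == "narrow" and not majority else 2


def prioritize(portfolio):
    """Rows of (tier, name, band, gap%), ordered by tier, then widest gap first."""
    rows = [(c.tier(), c.name, c.band()[0], round(c.gap_pct() * 100)) for c in portfolio]
    return sorted(rows, key=lambda r: (r[0], -r[3]))


# Constructed sample: three categories that all carry the same HIGH label.
SAMPLE = [
    RiskCategory("Incident Response", "HIGH", 4.2, 5.0, 8, 40, True),
    RiskCategory("Business Continuity", "HIGH", 1.5, 5.0, 31, 40, True),
    RiskCategory("Third-Party Risk", "HIGH", 0.4, 4.0, 35, 40, False),
]
```

Sorting `SAMPLE` by `risk_level` alone gives no ordering at all; `prioritize(SAMPLE)` separates the same three HIGH categories into one tier each.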
Lead with the gap. Let the risk rating provide context. The conversation you will have will be more productive, and the decisions that come out of it will be better ones.