
Security budgets stall when leaders frame cyber risk as missing controls instead of explaining how risk affects growth, regulation, downtime, and the ability to operate.
Madhuri Nandi, Head of Security at Nuvei, outlines a strategy-first approach that translates cyber risk into business decisions the board already understands.
The solution is to anchor security planning in long-range business strategy, use scenario-based storytelling over metrics, modernize governance for AI speed, and place risk ownership with the business, not the CISO.
A security budget is won long before the budget meeting. It takes shape inside the company’s long-range business plans, where growth targets, regulatory exposure, and operational risk are already being decided. When security leaders anchor their case in those priorities and explain risk in plain business terms, security becomes part of how the company grows and stays operational, not a line item to be defended.
That approach reflects how Madhuri Nandi leads security today. As Head of Security at payment processing fintech Nuvei, and with nearly two decades of experience across large, complex enterprises including Woolworths Group, Nandi focuses on positioning security as a function that supports growth rather than slowing it down.
"The first step is always strategy. Before talking about controls or budgets, security leaders need to understand where the business is going, what initiatives are being planned, and what risks leadership is willing to carry over the next three to five years. If security can’t connect risk reduction to business outcomes, the investment case will never land," says Nandi. Her framework starts in the C-suite, long before any technology is discussed. The first job is to understand the goals of the CTO, CIO, and CFO so that security work can be translated into their language. That groundwork then lets her hand risk decisions to business leaders, with the impact articulated in terms they already understand.
Risk vs. reward: Many security leaders stall the conversation by stopping at the label of "high risk" instead of explaining what that risk actually does to the business, Nandi says. "If a control is missing, the real question is what happens next. Does the business stop operating, do we face compliance penalties, do we lose customer trust, or do we put sensitive data at risk?" She points to a common scenario with new APIs that power critical functions and handle customer information. "If that data is exposed, the business may be absorbing millions in regulatory penalties," Nandi explains. "The decision is no longer about a control. It becomes a clear business choice about whether the company can operate while carrying that level of financial and operational risk."
Storytelling over stats: She stresses that effective communication starts well before the boardroom and has little to do with dashboards. "You need to understand who is sitting on your board and how they think, and that often means getting insight from executives who already have strong relationships there," she says. When the conversation turns to funding, numbers alone are not enough. "Metrics come later, after the budget is approved and the work is underway," Nandi says. "At the budget stage, the discussion comes down to dollars and risk. The board's secret language is scenario-based storytelling."
Drawing on her experience as a SOC analyst earlier in her career, Nandi sees the current AI moment as an acceleration of long-standing security operations rather than a clean break. The most significant change is speed, with analysis and response times shrinking dramatically. That pace, she says, reinforces the need for flexibility in security strategy, allowing investment and controls to shift as technology, threats, and business priorities evolve.
Keeping up with AI: In practical terms, Nandi says AI is collapsing security response timelines without removing the need for people. "What used to take an analyst three or four hours to piece together across multiple systems can now be correlated in seconds, giving a clear picture of what is happening," she says. The impact shows up in how teams work, not in smaller headcounts. "AI makes the team faster and more responsive, but it does not eliminate roles. Those roles become more mature, and the work has to be shared, because no single person can sustain machine-speed alerting in a traditional eight-hour shift."
Governance lags: She argues that the speed gains from AI expose a structural flaw in how most organizations govern security. "You have changes and configurations happening in seconds or minutes, but governance still happens once a quarter, and that simply does not scale," she says. Quarterly reviews, she adds, are fundamentally out of sync with automated systems. "That model does not suit agentic AI anymore." Even as automation expands, accountability cannot be automated away. "You cannot empower AI to act autonomously without oversight," she says. "It is not a legally approved entity, so every action still requires a human who governs it and owns the accountability."
At its core, Nandi’s framework is about resetting accountability, not just securing funding or deploying technology. She sees the industry’s persistent burnout problem as a consequence of misplaced ownership when breaches occur. "When something goes wrong, the blame almost always lands on the CISO. But a security leader does not create risk. The business function that introduces the risk owns the decision to accept it, transfer it, or close it."
She draws a simple comparison to make the point unmistakable. "If a crime happens, you do not blame the police. Their role is to respond. If a house is left unlocked and a burglar gets in, securing that house is the owner’s responsibility." Until organizations make that distinction explicit, Nandi argues, security leaders will continue to carry risks they do not control and burn out under accountability that was never theirs to begin with.