Life is sometimes hard and cumbersome for CISOs. It is in the nature of IT security that it is hard to get money before an incident happens, and hard to convince everyone in the organization that it would be good to introduce a new security control or to improve and rethink an existing one.

Here is a suggestion: use the budget you have to automate security and build it into your CI/CD pipelines. Your application folks might already be using a continuous integration and continuous deployment model to deploy and run applications. Your organization has already invested in efforts to automate more, be it through orchestrating your traditional on-premises stack or through use of the cloud, which is automated and API-driven by definition.

Think of what happens when security can be part of this stack: every time you roll out a new version of an application, it is automatically hardened, code analysis runs, and the deployment is automatically segmented and has a least-privilege policy for network access.

Drive your security and compliance through automation, and make the best use of the budget and resources you have today.