During our webinar co-hosted with our partner D&A Trust, Quentin Aguesse (co-founder of D&A Trust) and Aurélie Demeusy (Head of Marketing at Tenacy) discussed this topic, which poses a challenge for many CISOs and cybersecurity directors every year. In this article, we’ve summarized the key takeaways: the methodology, the three pillars of effective management, the mistakes to avoid, and the metrics that should be presented to senior management.
Why is developing a cybersecurity roadmap a complex task in 2026?
The current situation is marked by a paradox: cyber threats are becoming more frequent and complex—driven in particular by AI—while at the same time, budgets are stagnating or even shrinking, as highlighted by CESIN’s 2026 Barometer earlier this year.
“We’re seeing something quite paradoxical. Cyber threats are only increasing, yet at the same time, cybersecurity budgets tend to be shrinking. In other words: we have to do better with the same amount—or even less.”
Quentin Aguesse, co-founder of D&A Trust
Cybersecurity budgets generally remain at around 6.4 to 6.5 percent of the IT budget, but AI is capturing a large share of top management’s allocation decisions, with the promise of highly visible productivity gains. As a result, every euro spent on security must now be justified.
Added to this pressure is the mounting regulatory burden: NIS2, DORA, ISO 27001, NIST CSF, ISO 22301, PCI DSS… the list keeps growing, and it varies by geographic region. As for the cloud, it has not delivered on its promise of cost savings: it has mainly shifted costs, requiring the integration of new tools (CSPM, CNAPP, and many others) to maintain the same level of security.
In this context, many cybersecurity roadmaps still exist as Excel files. Often, the starting point is an audit remediation plan, which has been more or less consolidated with other requirements. The problem isn’t Excel itself, but its limitations:
- No consolidated vision,
- Rough budget tracking,
- Version and synchronization issues arise as soon as the file is shared.
All of these friction points make day-to-day management more difficult.
Building Your Cybersecurity Roadmap: The Funnel Method
The challenge: consolidating multiple sources without a prioritization method
A cybersecurity roadmap brings together requirements from multiple sources: regulations, standards, contractual requirements, risk analysis results, and audit recommendations. Without a framework for interpreting them, you end up with a massive, unreadable action plan that’s impossible to prioritize. The challenge is to transform this mass of information into a prioritized roadmap spanning several years.
→ The funnel method is exactly what's needed here.

The Funnel Method: The Levers to Activate
No. 1: Establish the non-negotiable foundation
Start with what is not up for debate: regulatory, standards-based, and contractual requirements. This is the foundation of your roadmap. DORA, for example, introduces more rigorous controls and audits that companies in the financial sector (banks, insurance companies, and their critical IT service providers) must undergo.
The measures and requirements to which your organization is subject are therefore an excellent starting point and must be included in your cybersecurity roadmap—both to secure your information systems and ensure compliance, and to avoid the financial and reputational penalties that strike fear into the hearts of executives.
No. 2: Update the risk analysis
Security involves mitigating risks and preventing feared events from occurring. An up-to-date risk analysis guides the roadmap toward measures that truly protect the business.
Whether you use Ebios RM or ISO 27005, choose the method that best suits your needs and classify your risks in an assessment matrix, supplemented by a DICP analysis. This will allow you to define your risk priorities and then link them to the previously identified requirements and measures that impact those same risks. Since compliance contributes to security, implementing these measures should reduce the likelihood and/or impact of certain risks.
No. 3: Assessing Your Cybersecurity Maturity
Assess your organization against a regulatory or standards framework, or a set of best practices. This snapshot reveals the gaps that need to be addressed and helps you identify issues you may not have noticed at first.
ISO 27001 is often used to conduct a compliance gap analysis, as this international standard is increasingly becoming a security benchmark in new business contracts.
Comparing yourself to this standard—even if it may not yet be mandatory for you—will help you identify some additional security measures that could be useful for your roadmap, projects, and goals.
Without a dedicated tool, this step can be time-consuming, but we'll show you later how to perform a gap analysis in 5 minutes.
No. 4: Apply prioritization filters
Finally, the core of the method. In the consolidated action plan, apply several filters in succession:
- The available budget,
- Technical expertise that can be drawn upon internally or externally,
- Deadlines and schedules (with all their interdependencies, since some steps are prerequisites for others),
- And finally, the tools already in place.
In fact, a fundamental trend simplifies these trade-offs: the “one-stop shop”—the desire to streamline the number of cybersecurity vendors in order to gain leverage in negotiations and facilitate the development of teams’ skills.
At the end of the funnel, you’ll receive a roadmap prioritized based on risk coverage and regulatory requirements, taking your actual constraints into account.
Pillar No. 1: Budget Planning
The challenge: to advocate for an investment that prevents losses rather than causes them
Security faces a structural disadvantage in decision-making. It doesn't make money—it prevents money from being lost. When compared to more attractive business projects that promise potential gains, this is a harder case to make before an executive committee.
The levers to activate
1/ Make decisions based on factual data
A corporate cybersecurity budget cannot be justified based on intuition alone. Assign a budget and man-hours to each security project, and track the actual use of these resources. This is what allows you to move from a discussion of principles to a well-documented decision-making process.
Management is particularly receptive to roadmap presentations that are quantified, precise, and fact-based. By announcing and justifying the necessary financial and human resources, you establish a specific figure in their minds and strengthen your credibility.
2/ Monitor consumption in real time
A three-year roadmap is bound to change—that’s a given. But by tracking your spending in near real time, you know how much you have left and can adjust course in response to new constraints. This level of precision in management is what makes the difference between a roadmap that stays on track and one that veers off course.
By having this specific level of tracking data readily available at all times, you’ll be in a stronger position to request additional funding by clearly demonstrating that the allocated resources are insufficient—or, conversely, that you’ve achieved your goals while spending less than expected.
Pillar No. 2: Engaging External Stakeholders and Business Units
The challenge: moving cybersecurity beyond the scope of the CISO alone
Cybersecurity is no longer just the CISO’s responsibility. It involves service providers, auditors, and even internal departments for whom it is not their core business. The problem is fragmentation: when everything is exchanged via email, the right evidence is never where it needs to be. The wrong version, someone on vacation, information that can’t be found when the audit takes place.
→ Centralizing information thus becomes essential for the success of the management process.
The levers to activate
1/ Centralize and maintain a history of
Bringing together evidence, communications, and decisions in one place prevents gaps in traceability. Being able to demonstrate to an auditor that you are following up on nonconformities from the last audit—with up-to-date reporting—sends a strong signal of professionalism. Maintaining a history also allows you to document the reasoning behind decisions: why a particular measure was handled this way rather than another, who was involved in the project, who made the most recent changes, and so on.
2/ Tailor the follow-up to each contributor
Example: Let’s take HR, which is often responsible for raising awareness—through follow-ups, quizzes, and contract negotiations with service providers. Giving them a focused view of how compliance is progressing in their area fosters a sense of unity and accountability. Everyone sees how they’re contributing, stakeholders gain more autonomy, and the roadmap progresses more smoothly.
Pillar No. 3: Track progress using reliable metrics
The challenge: providing a reliable snapshot of compliance
A roadmap is tracked not only in terms of its progress but also in terms of its compliance with a specific standard. The question is simple: As of June 17, where do you stand with your ISO 27001 compliance? Without a reliable, date-specific answer, it’s impossible to reassure stakeholders or set priorities.
The levers to activate
1/ Manage based on relevant metrics
A snapshot of progress toward a target certification helps ensure effective management and reassures stakeholders. It serves as a common benchmark shared between the security team and senior management. However, care must be taken to use the right metrics for the right audience: operational teams will be more interested in technical metrics, while senior management will be more interested in broader metrics related to risk or compliance.
2/ Ensuring long-term performance
Implementing a measure is not enough. You must also verify that it remains effective through regular checks. This is the difference between putting a policy in place and ensuring that it remains effective over time. Regular monitoring over time gives you greater peace of mind during audits and provides better protection against risks by helping you maintain your overall level of security.
The Role of a GRC Platform in Defining and Steering Your Roadmap
The three pillars mentioned above have one thing in common: they become difficult to manage in a spreadsheet. And there are many drawbacks:
- Numerous static and scattered files,
- Keeping chornophage up to date,
- Increased risk of errors,
- Lack of traceability and history,
- And many others.
An GRC platform provides exactly the structure needed to make governance truly operational. To see how Tenacy is used to build and manage a cybersecurity roadmap, we invite you to watch the recording of our webinar, where Julian Fernandez (Pre-Sales at Tenacy) demonstrates how it works.
Model Your Organization Before Taking the Reins

It all starts with an accurate representation of your organization: entities, sites, and subsidiaries. For each component, you associate its security objectives, regulatory requirements, users, and risks.
This dual approach—based on compliance and risk—then allows you to consolidate scores across a geographic region or the entire organization. You gain consolidated visibility, from the local site up to the group level.
This is a prerequisite of the funnel method: you cannot establish the regulatory framework and then apply your prioritization filters without first defining the scope to which they apply.
Bring standards together rather than treating them as silos
This is where the gap with Excel really widens. Compliance frameworks share a great many common requirements: access management, risk management, business continuity, awareness, and incident management. In a spreadsheet, keeping track of how these requirements map to one another is a real headache.
.png)
“Once I declare that I have implemented an awareness-raising process, I am meeting requirement 7.3 of ISO 27001, as well as all the requirements of every standard that calls for awareness-raising.”
Julian Fernandez, Pre-Sales at Tenacy
An GRC platform links requirements together upstream, and it is precisely this intelligent linking of requirements that allows you to generate gap analyses in just a few minutes. You enter a metric once, and the maturity score is updated across all relevant frameworks. This convergence process, which has already been completed, saves a considerable amount of time.
In practical terms, this feature automates the first step of the funnel (establishing the regulatory and standards framework), whereas a spreadsheet previously required you to manually maintain a tedious system of cross-references. It also directly addresses one of Excel’s limitations mentioned above: the lack of a consolidated view whenever requirements overlap.
Turning Gaps into a Collaborative Action Plan
Based on an assessment, you identify your non-compliances and automatically generate a cybersecurity action plan: measures related to unmet requirements are turned into concrete projects. Each project is broken down into tasks, each with an assigned manager, a planned and actual cost, and required documentation. Managers receive automatic reminders as deadlines approach. You can track progress using a Gantt chart or Kanban board and monitor actual costs by contributor category. You no longer have to manually follow up with everyone involved.
This feature addresses Pillars 1 and 2. Tracking planned costs against actual costs provides the factual data you need to manage your budget and monitor spending in real time. Assigning tasks to internal or external contributors—complete with automatic reminders—is the tool that allows you to engage business units without having to follow up with each one via email. Finally, the requirement to submit proof for each task ensures the centralization and record-keeping called for by Pillar 2.

Ensuring Long-Term Performance
Beyond deployment, a GRC platform ensures that systems remain in operational condition. Control plans verify that processes continue to function effectively: holding a security committee meeting every three months, conducting security clearance reviews, and so on. Each control performed is documented, with the evidence immediately available in the event of an audit.
This is the practical implementation of Pillar 3: tracking progress is not enough; performance must be secured over time. Whereas the pillar established the principle that “implementing a policy does not guarantee that it will produce the desired results,” the monitoring plans turn this into a well-equipped monitoring mechanism.
“The power of this tool lies not only in measuring the build, but also the run: ensuring that metrics are sustained over time and that checks remain effective.”
Julian Fernandez, Pre-Sales at Tenacy
Tailor the information to each audience
An administrator profile manages the entire system. A contributor profile—whether internal or external—sees only the actions and controls assigned to them in a dedicated dashboard. Dashboards are generated automatically and tailored to each audience. Senior management receives a concise executive overview, while business units receive an operational view.
This targeted dashboarding builds on Pillar No. 2, which is to give each contributor a view of what concerns them (thereby fostering a sense of unity), and it preemptively avoids one of the mistakes detailed below: overwhelming management with technical details instead of providing them with a big-picture view.
That leaves the issue of trust: entrusting your strategic data to a SaaS platform. This can be addressed through hosting solutions (sovereign hosting providers, the SecNumCloud offering, etc.) that guarantee where your data is stored and who has access to it. An ISO 27001-certified SaaS platform like Tenacy also serves as proof of a managed information system.
Mistakes That Weaken a Cybersecurity Roadmap
There are three mistakes that come up regularly on the field. Knowing them is the first step toward avoiding them.
Mistake #1: Settling for just one update a year
Updating your roadmap once a year, before the audit, does not allow you to keep pace with technological and regulatory changes. Continuous review—at least quarterly—is much more in line with reality.
Mistake #2: Listing projects without specifying costs or resources
A roadmap that is reduced to a list of projects—without a budget or a person in charge—cannot be used to make a case for securing resources or to build trust. A roadmap is managed based on all of its metrics: progress, cost, schedule, and risk.
Mistake #3: Getting into technical details too quickly
Getting bogged down in a project’s technical hurdles without keeping the big picture in mind tends to derail roadmaps. Management then sees only the negatives and loses sight of the bigger picture. It’s better to have a clear executive overview, supplemented by business-specific perspectives tailored to each audience.
Which metrics should be presented to the Executive Committee?
The choice of COMEX cybersecurity indicators determines your ability to make trade-offs. Here are the most telling benchmarks.
- The roadmap's progress rate for the current period provides a solid initial indication: project completion, supplemented by budget monitoring that either reassures or raises concerns.
- When reporting on compliance status, it is worth considering which framework to use. The NIST CSF, with its six functions (Govern, Identify, Protect, Detect, Respond, Recover), is often easier for senior management to understand than the four main themes of ISO 27001. However, if you are pursuing ISO 27001 certification, you should, of course, report on compliance with that standard.
- The risk indicator lends itself well to a heat map. Showing the progression from gross risk to net risk visually demonstrates that the treatment plan is moving forward. If there are many risks, the top 5 are often sufficient.
- Major incidents always catch management’s attention: they provide an opportunity to reignite discussions about projects that were wrongly deprioritized. From a GDPR perspective, metrics such as the completeness rate of the processing register, the impact assessments conducted, or the identified violations are all relevant (the GDPR can quickly become costly).
For more tech-savvy executive committees, it’s possible to take things a step further: exposure scoring and attack surface analysis, identifying groups of attackers likely to target your sector, SOC or MITRE coverage, and so on. Few frameworks go that far, but this approach resonates with certain executive teams.
Conclusion: From a Static File to Dynamic Control
Developing a coherent, sustainable, and measurable cybersecurity roadmap is not a one-time exercise. It requires a clear prioritization method, oversight of all key metrics (progress, cost, schedule, risk), and communication tailored to each audience. This is precisely where a spreadsheet reaches its limits and a GRC platform takes over: convergence of reference frameworks, collaborative action plans, operational maintenance, and customized dashboards.
.png)
.png)
