How do you ensure continuous alignment in your cybersecurity budget? Can you share any examples of cross-functional collaborations that supported or improved budget alignment?
If the challenge is not knowing whether you are spending enough on cybersecurity and whether you are spending in the right places, then you probably need to start by understanding where you face the greatest cyber risks.
You can examine it from the top down, talk to business peers about their various initiatives, and determine whether these are covered for cybersecurity.
It would help if you also did a bottom-up analysis where you look at all systems and get risk data (vulnerabilities, controls in place, missing ones and more). You can use a framework to evaluate where you stand; NIST and FAIR have been mentioned by others.
Even better, run a cyber risk quantification exercise. New-generation tools that use AI to compile and make sense of the vast amount of cyber and risk data available have become really good at providing a good picture of where your company might face the greatest risks.
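To make the "cyber risk quantification exercise" mentioned above concrete, here is a small FAIR-style Monte Carlo that turns a loss scenario into an annualized loss expectancy and a loss-exceedance curve, then compares a proposed control's annual cost against the risk it removes. This is an added example, not code from any of the posters or from a vendor tool; the scenario parameters (2 loss events a year, a $250k median loss, a control that halves frequency) are constructed assumptions for illustration, not real figures.

```python
"""FAIR-style cyber risk quantification by Monte Carlo simulation.

Added example for the discussion above; the scenario numbers below are
constructed assumptions, not data from any real organization.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """One loss scenario in FAIR terms.

    lef:         loss event frequency, expected events per year (Poisson mean)
    median_loss: median loss per event in dollars (lognormal median)
    sigma:       lognormal shape; ~1.0 gives the long right tail breaches have
    """
    name: str
    lef: float
    median_loss: float
    sigma: float = 1.0


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler (stdlib random has none)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(sc: Scenario, years: int = 10_000, seed: int = 7) -> list[float]:
    """Simulate `years` independent years; each year's loss is the sum of
    a Poisson number of lognormally distributed single-event losses."""
    rng = random.Random(seed)
    mu = math.log(sc.median_loss)
    losses = []
    for _ in range(years):
        n = poisson(rng, sc.lef)
        losses.append(sum(rng.lognormvariate(mu, sc.sigma) for _ in range(n)))
    return losses


def annualized_loss_expectancy(losses: list[float]) -> float:
    """ALE: the mean simulated annual loss."""
    return sum(losses) / len(losses)


def loss_exceedance(losses: list[float], threshold: float) -> float:
    """Probability that a year's total loss exceeds `threshold`
    (one point on the loss-exceedance curve boards are usually shown)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def percentile(losses: list[float], q: float) -> float:
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def evaluate_control(baseline: Scenario, controlled: Scenario,
                     annual_cost: float, years: int = 10_000, seed: int = 7) -> dict:
    """Compare the scenario with and without a control: how much ALE the
    control removes versus what it costs, plus the tail (p95) before/after."""
    base = simulate_annual_losses(baseline, years, seed)
    ctrl = simulate_annual_losses(controlled, years, seed + 1)
    base_ale = annualized_loss_expectancy(base)
    ctrl_ale = annualized_loss_expectancy(ctrl)
    reduction = base_ale - ctrl_ale
    return {
        "baseline_ale": base_ale,
        "controlled_ale": ctrl_ale,
        "risk_reduction": reduction,
        "annual_cost": annual_cost,
        "net_benefit": reduction - annual_cost,
        "rosi": (reduction - annual_cost) / annual_cost,  # return on security investment
        "baseline_p95": percentile(base, 0.95),
        "controlled_p95": percentile(ctrl, 0.95),
    }


# Constructed scenario: credential-based intrusion against a customer-data app.
BASELINE = Scenario("credential compromise, current controls", lef=2.0, median_loss=250_000)
# Assumed effect of phishing-resistant MFA plus EDR: frequency halved, median loss -20%.
CONTROLLED = Scenario("credential compromise, with MFA + EDR", lef=1.0, median_loss=200_000)
CONTROL_COST = 300_000  # assumed annual run cost of the control set

if __name__ == "__main__":
    result = evaluate_control(BASELINE, CONTROLLED, CONTROL_COST)
    for key, value in result.items():
        print(f"{key:>16}: {value:,.2f}")
    base = simulate_annual_losses(BASELINE)
    for t in (0, 500_000, 1_000_000, 5_000_000):
        print(f"P(annual loss > ${t:>9,}) = {loss_exceedance(base, t):.3f}")
```

The point for a budget conversation is the last two outputs: `risk_reduction` against `annual_cost` (and the resulting `rosi`), and the p95 tail before and after, which is what the exceedance curve shows visually. Swap in your own frequency and magnitude estimates; the shape of the argument does not change.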
Ensuring continuous alignment in our cybersecurity budget involves a couple of key strategies. First, having well-defined KPIs is crucial to measure our performance against goals and objectives. It's not about tracking hundreds of metrics but identifying the three or four critical items that truly impact risk management and business performance. Given the multiple stakeholders involved, it's essential to align everyone on these KPIs. When things are moving in the right direction, we gain advocacy and support; when they're not, we receive the necessary guidance to improve.
The second strategy is roadmapping. It's important to identify the capabilities and competencies we need to develop over time. Sometimes, different functions or business lines move at different paces, leading to misalignment. By synchronizing roadmaps, we can address gaps and collisions, resolving them through the financial cycle and making necessary investments.
Finally, it's vital to work both horizontally and vertically. Metrics should be communicated up to senior executive leadership to gain advocacy for our investments, ensuring cybersecurity is seen as an enabler rather than a burden. At the same time, these metrics should be shared downward so that everyone understands how our investments contribute to achieving business outcomes.
I completely agree, especially on the importance of KPIs. We also conduct tabletop exercises and assessments to test the effectiveness of our controls and demonstrate their value to management. Quantification is key—showing the potential costs of a breach versus the cost of preventive measures helps illustrate the value of our investments. And learning from breaches that occur elsewhere and building our own playbooks is crucial. Platforms like this or events for organizations in the financial services industry are also valuable channels for information sharing, and allow us to learn from each other’s experiences.
I define my security OKRs and align them with company top-level OKRs, and annually present top risks and changes in the cyber landscape and then "defend" the budget that is needed for those 3. Also, I use Gartner's IT Key Metrics Data [year]: IT Security Measures Analysis to back up my investment claims against this benchmark.
Building a budget aligned to risk and threats, while continually ensuring clear 'business oriented' communications on how your program is doing vs risk and threats, will bring a continual discussion into focus for the executive team. Using this model to include tactical areas, such as using the MITRE ATT&CK framework to show visually what your program is 'catching' vs where gaps exist, is also a strong way to communicate the ongoing need for budget / alignment against needed risk reduction.
I think that to ensure continuous alignment in a cybersecurity budget, one would adopt a dynamic approach that ties security initiatives to business objectives. Regular cross-functional reviews with IT, risk management, and business unit leaders allow one to prioritize funding based on evolving threats and organizational goals.
For example, during a budget cycle, collaboration with legal and compliance teams would highlight the need for enhanced data privacy measures due to new regulations. Overall, regular communication and a shared understanding of risk across teams ensure the budget remains both proactive and adaptable.