Also identification is one thing, but good security should mean the vulnerability didn't occur in the first place.
Then you also need to get budget for identifying vulnerabilities.
After that you need budget to research how costly the vulnerability could be.
But before getting those budgets you need budget again to propose all of that and data to prove its value.
Unless you use your own time to do all of that or accidentally stumble upon something.
I think the only realistic way to get any sort of budget is if a deep enough incident actually happens. And this will only last maybe for a year until most of the decisionmakers have been rotated with new ones wanting to only deliver again.
Also identification is one thing, but good security should mean the vulnerability didn't occur in the first place.
Then you also need to get budget for identifying vulnerabilities.
After that you need budget to research how costly the vulnerability could be.
But before getting those budgets you need budget again to propose all of that and data to prove its value.
Unless you use your own time to do all of that or accidentally stumble upon something.
I think the only realistic way to get any sort of budget is if a deep enough incident actually happens. And this will only last maybe for a year until most of the decisionmakers have been rotated with new ones wanting to only deliver again.