For a given value of effective
All that the suits need is support for the claim that they are "Taking cyber [security] seriously.". The amount spent and the trend in that amount sound very detailed and very objective without having to leave the world of pounds and pence. If they have benchmarked their spending against industry norms they'll get extra points for thoroughness even if the outcome of the benchmarking isn't talked about.
This is part, a depressingly effective part, of managing the only aspect of risk that the stratospherically high-ups care care about - reputational risk.
The question of whether corporate or personal reputation is more seriously considered is left as an exercise for the commentariat.