Security and risk (S&R) leaders today are under increasing pressure to prove the value of security investments due to increased budgets in recent years. Unlike other tech leaders, chief information security officers (CISOs) have largely avoided budget cuts, driven by a mix of regulatory pressures, customer expectations, and cyber insurance requirements.
This has led to investment strategies aimed at bolstering security postures in the face of an evolving threat landscape, but it has also produced an increasingly complex computing environment as a result of technology sprawl.
The current state of cybersecurity spending benchmarks
Over a third of security budgets are now allocated to software, surpassing both hardware and personnel expenses, which offers solid evidence of one of the CISO’s top challenges: technology bloat.
The cybersecurity vendor ecosystem is characterized by a plethora of tools and technologies but a scarcity of skilled personnel to manage them effectively. Looking ahead, the majority of security technology decision-makers anticipate further budget increases in 2025, ranging from modest to significant, first to overcome the relentless pace of inflation and secondarily to deal with emerging security challenges. For security leaders, this will result in new tools, technologies, and vendors being introduced to an already crowded ecosystem of technologies.
Our research serves as a guide to help leaders understand where others plan to spend, where they might take advantage of consolidation and innovation to make cuts, and where they should start experimenting to find new solutions that they plan to invest in for the future.
There are three key areas for CISOs to focus on in the year ahead as they plan for a future reshaped by technology disruption, adversary innovation, and economic tension:
Making strategic investments to enhance security. For 2025, CISOs are encouraged to increase budgets in areas that impact revenue generation and help mitigate threats from ever-improving attackers.
These areas include API security and software supply chain to protect revenue-generating applications, human risk management to protect the people that operate businesses, skills and training platforms to improve practitioners, and expanding the detection surface to include OT and IoT devices to establish complete visibility across an enterprise’s technology estate.
Exploring emerging technologies. The dynamic nature of cyber threats necessitates deploying emerging cybersecurity technologies, in some cases before enterprises thought they would need them.
Areas ripe for experimentation in 2025 include exposure management and cyber risk quantification (which are slowly converging) to maximize visibility and contextual awareness, post-quantum security to protect their transactions and sensitive data, security data lakes to house the enormous amount of data that technologies generate, and AI and ML security to gain — and retain — competitive advantages in the marketplace.
Divesting from outdated solutions. As cybersecurity evolves, certain once-critical solutions are failing to adapt well to the evolving threat landscape. Our Budget Planning Guide includes recommendations for divesting from these technologies and provides strategic and tactical guidance on which solutions will work as replacements.
For late adopters, it may seem surprising to eliminate these technologies so soon, but it is necessary once they no longer counter adversary tactics, techniques, and procedures.
Technologies included in the invest and experiment categories will keep CISOs aligned with broader business objectives in 2025 so that they don’t have to scramble and play catch-up as in years past. Those in the divest category no longer satisfy security use cases as they once did.
Our 2025 Budget Planning Guide for S&R leaders will help you navigate capacity constraints, budget challenges, and the need to build a robust and resilient security posture that meets the expectations of the major constituencies CISOs must satisfy: customers and partners, cyber insurers, regulators, and shareholders.
First published on Forrester Blog.