Invest, Experiment, And Scale Back: Budget Priorities For CISOs In 2025

The majority of security technology decision-makers anticipate further budget increases in 2025.

Forrester Blog Network

August 8, 2024

3 Min Read
padlock icons with a background photo of a business meeting
Alamy

Security and risk (S&R) leaders today are under increasing pressure to prove the value of security investments due to increased budgets in recent years. Unlike other tech leaders, chief information security officers (CISOs) have largely avoided budget cuts, driven by a mix of regulatory pressures, customer expectations, and cyber insurance requirements. This has led to investment strategies aimed at bolstering security postures in the face of an evolving threat landscape but that has resulted in an increasingly complex computing environment due to technology sprawl.

The Current State Of Cybersecurity Spending Benchmarks

Over a third of security budgets are now allocated to software, surpassing both hardware and personnel expenses, which offers solid evidence of one of the CISO’s top challenges: technology bloat. The cybersecurity vendor ecosystem is characterized by a plethora of tools and technologies but a scarcity of skilled personnel to manage them effectively. Looking ahead, the majority of security technology decision-makers anticipate further budget increases in 2025, ranging from modest to significant, first to overcome the relentless pace of inflation and secondarily to deal with emerging security challenges. For security leaders, this will result in new tools, technologies, and vendors being introduced to an already crowded ecosystem of technologies. Our research serves as a guide to help leaders understand where others plan to spend, where they might take advantage of consolidation and innovation to make cuts, and where they should start experimenting to find new solutions that they plan to invest in for the future.

Related:Do You Have What It Takes to Be a CISO? Take the Personality Quiz

There are three key areas for CISOs to focus on in the year ahead as they plan for a future reshaped by technology disruption, adversary innovation, and economic tension:

  • Making strategic investments to enhance security. For 2025, CISOs are encouraged to increase budgets in areas that impact revenue generation and help mitigate threats from ever-improving attackers. These areas include API security and software supply chain to protect revenue-generating applications, human risk management to protect the people that operate businesses, skills and training platforms to improve practitioners, and expanding the detection surface to include OT and IoT devices to establish complete visibility across an enterprise’s technology estate.

  • Exploring emerging technologies. The dynamic nature of cyberthreats necessitates deploying emerging cybersecurity technologies, in some cases before enterprises thought they would need them. Areas ripe for experimentation in 2025 include exposure management and cyber risk quantification (which are slowly converging) to maximize visibility and contextual awareness, post-quantum security to protect their transactions and sensitive data, security data lakes to house the enormous amount of data that technologies generate, and AI and ML security to gain — and retain — competitive advantages in the marketplace.

  • Divesting from outdated solutions. As cybersecurity evolves, certain once-critical solutions are failing to adapt well to the evolving threat landscape. Our Budget Planning Guide includes recommendations for divesting from these technologies and provides strategic and tactical guidance on which solutions will work as replacements. For late adopters, eliminating these technologies already may seem surprising, but it’s necessary when they no longer counter adversary tactics, techniques, and procedures.

Related:6 CISO Takeaways From the NSA's Zero-Trust Guidance

Technologies included in the invest and experiment categories will keep CISOs aligned with broader business objectives in 2025 so that they don’t have to scramble and play catch-up as in years past. Those in the divest category no longer satisfy security use cases as they once did. Our 2025 Budget Planning Guide for S&R leaders will help you navigate through capacity constraints, budget challenges, and the need to build a robust and resilient security posture that satisfies the major constituencies CISOs must satisfy: customers and partners, cyber insurers, regulators, and shareholders.

Related:Introduction to IT Disaster Recovery Planning

To get more detail about these recommendations, download the full Budget Planning Guide 2025: Security And Risk report, and register for our upcoming webinar on September 24 to have your questions answered.

Jeff Pollard, VP, Principal Analyst

About the Author

Forrester Blog Network

Forrester Blog Network

See more from Forrester Blog Network
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

drawings of people with different colored brains
IT Management
Embracing Neurodiversity in IT Workplace to Bridge Talent GapsEmbracing Neurodiversity in IT Workplace to Bridge Talent Gaps
byNathan Eddy
Sep 2, 2024
6 Min Read
circuit board inside a cloud
Cloud Computing
Microclouds: The Next Big Thing in Cloud Computing or Just Another Edge Strategy?Microclouds: The Next Big Thing in Cloud Computing or Just Another Edge Strategy?
byChristopher Tozzi
Sep 5, 2024
4 Min Read
a laptop infected with a virus and above it the words linux ransomware
Linux OS
Linux Ransomware Threats: How Attackers Target Linux SystemsLinux Ransomware Threats: How Attackers Target Linux Systems
byGrant Knoetze
Sep 4, 2024
8 Min Read
Exclusive ITPro Resources
See all ITPro Resources

Featured How Tos

A cartoon of a person sitting at a computer, with speech bubbles—one from the person saying Hello and one from the computer responding with Hello
PowerShell
PowerShell Speech Recognition: How To Set up Voice Commands and ResponsesPowerShell Speech Recognition: Set up Voice Commands and Responses
Migrating From VMware Guide cover
VMWare
Migrating From VMware: Guide to a Successful TransitionMigrating From VMware: Guide to a Successful Transition
a wall and fire with the words linux uncomplicated firewall (ufw) tutorial, configure and manage
Linux OS
Linux UFW (Uncomplicated Firewall) Configuration Made EasyLinux UFW (Uncomplicated Firewall) Configuration Made Easy
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up
Trending

Recent What Is

a laptop infected with a virus and above it the words linux ransomware
Linux OS
Linux Ransomware Threats: How Attackers Target Linux SystemsLinux Ransomware Threats: How Attackers Target Linux Systems
data privacy quiz sample question above a desk
Data Privacy
Data Privacy Quiz: 20 Questions To Test Your KnowledgeData Privacy Quiz: 20 Questions To Test Your Knowledge