By 2025, protecting revenue and reducing business risk should dominate CISO budgets, with priority given to investments that align with business processes.
Forrester’s latest Security and Risk Budget Planning Guide says securing business-critical IT assets should be a top priority in the coming year. “The budget increases that CISOs will receive in 2025 should prioritize addressing threats and controls in the security of business-critical applications, people, and infrastructure,” Forrester writes in the report.
CISOs need to double down on threats and controls to secure applications, secure business-critical infrastructure, and improve human risk management. Forrester sees software supply chain security, API security, and IoT/OT threat detection as essential to business operations and advises CISOs to invest in these areas.
Generating revenue gains by protecting new digital businesses while keeping IT infrastructure secure on a tight budget is a proven way for CISOs to advance their careers.
Treat cybersecurity as a business decision first.
The most important takeaway from Forrester’s planning guide is that cybersecurity investments should be viewed as a business decision first. The report’s key findings and guidelines underscore how and why CISOs must make trade-offs between tools and spending to maximize revenue growth while achieving strong returns on their investment.
Forrester urges CISOs to take a close look at any application, tool or group that contributes to technology expansion, and to remove it from their technology stacks as new technologies are added.
Critical insights from Forrester's Budget Planning Guide for Security and Risk include:
Ninety percent of CISOs will see their budget increase next year. Cybersecurity budgets represent an average of just 5.7% of annual IT spending. That’s small, given how much the CISO’s role is expanding in protecting new revenue streams and strengthening infrastructure. Forrester cites its 2024 Budget Planning Survey in the guide, and expects budgets to continue to increase over the next 12 months. Ten percent expect a more than 10% increase in the next 12 months. A third expect a 5% to 10% increase, and nearly half expect a modest 1% to 4% increase. Only seven percent of budgets will remain the same, and only three percent expect budgets to shrink in 2025.
Take control of technology expansion now. Forrester warns that technology expansion is the silent killer of budget gains. Chief information security officers on average spend just over a third of their budgets on software, double what they spend on hardware and more than they spend on staff, according to a recent ISG study. “To combat the real problem that really haunts security leaders — technology expansion — we recommend taking a conservative approach to introducing new tools and vendors with this practical principle: Don’t add something new without eliminating something else first,” Forrester wrote in the report.
Source: Forrester's 2025 Budget Planning Guide for Security and Risk Leaders
Security budgets are expected to grow by 10% or more through 2025, driven by cloud security, new security technologies developed and run on-premises, and security awareness and training initiatives. Notably, 81% of security technology decision makers expect their cloud security spending to increase in 2025, with 37% expecting a 5-10% increase and 30% expecting a 10%+ increase. The high priority on cloud security reflects the essential role that cloud environments, platforms, and integrations play in an organization’s overall security posture. As more organizations adopt on-premises platforms and applications across IaaS, PaaS, and SaaS, cloud security spending will continue to grow.
Revenue defense starts with APIs and software supply chains.
Finding new ways to protect revenue is a core part of every CISO’s job, especially digital-first initiatives that enterprise DevOps teams are working harder on this year.
The following are the priorities proposed by the report:
Enhancing the security of the software supply chain and APIs is imperative. Arguing that the complexity, diversity, and size of attack surfaces across software supply chains and API repositories are increasing, Forrester asserts that security is urgently needed in these areas. A staggering 91% of companies fell victim to a software supply chain incident in just one year, underscoring the need for better safeguards for continuous integration/continuous deployment (CI/CD) pipelines. Open source libraries, third-party development tools, and legacy APIs created years ago are just a few of the threat vectors that make software supply chains and APIs more vulnerable.
Malicious attackers often seek to compromise widely distributed open source components, as the Log4j vulnerability illustrates. Defining an API security strategy that integrates directly into the DevOps workflow and treats the continuous integration and continuous delivery (CI/CD) process as a unique threat surface is critical for any DevOps organization today. API detection and response, remediation policies, risk assessment, and monitoring of API usage are also imperative for organizations to better secure this potential attack vector.
IoT sensors remain attack magnets
Internet of Things (IoT) devices are the most common attack vector against industrial control systems (ICS) and the many processing plants, distribution centers, and manufacturing centers that rely on them every day. The Cybersecurity and Infrastructure Security Agency continues to warn that nation-state actors are targeting vulnerable ICS assets, and today the agency published three new ICS guidelines.
Forrester's Top Trends in IoT Security in 2024 report, published earlier this year and covered by VentureBeat, found that organizations that experienced a breach targeting IoT devices were 34% more likely to report cumulative breach costs of between $5 million and $10 million than organizations that experienced cyberattacks on non-IoT devices.
“In 2024, the potential for IoT innovation will be less transformational. But with opportunity comes risk. Every connected device represents a potential access point for a malicious actor,” wrote Ellen Baum, senior vice president of IoT strategy and operations at Keyfactor. In its recent IoT security report, Digital Trust in a Connected World: Navigating the State of IoT Security, Keyfactor found that 93% of organizations face challenges securing IoT and connected products.
“We’re connecting all these IoT devices, and all of these connections create vulnerabilities and risks. I think with OT security, I would argue that the value at stake and the risks in general are probably higher than they are when it comes to IT security. When you think about the infrastructure and the types of assets that we protect, the risks are very high,” Kevin DeHoff, president and CEO of Honeywell Connected Enterprise, told VentureBeat in an interview last year.
“Most customers are still learning about the state of their OT networks and architecture,” DeHoff said. “I think there is some awareness that will come. We provide real-time visibility into OT risks.”
Ensuring that access to IoT devices is protected using zero trust is essential to reducing the risk of breaches. The National Institute of Standards and Technology (NIST) provides NIST Special Publication 800-207, which is relevant to securing IoT devices, given its focus on securing networks where traditional perimeter-based security systems are not up to the challenge of protecting every endpoint.
Pragmatism Should Dominate CISO Budgets in 2025
“Too many tools, too many technologies, and not enough people are still the norm in a fragmented, technology-heavy cybersecurity vendor ecosystem,” Forrester warns.
Given the message emphasized throughout the guide, Forrester sees treating cybersecurity spending first and foremost as a business investment as a priority its clients should embrace more fully. That message is to reduce technology sprawl, a point the firm has made before about the need to standardize cybersecurity applications, tools, and suites.
It's time to fund cybersecurity as an engine of growth, not just one used for deterrence.
CISOs can strike a balance by looking for an opportunity to elevate their role to a direct report to the CEO and, ideally, be on the board of directors to help guide their companies through an increasingly complex threat landscape.