As we move towards 2025, protecting revenue and minimizing business risk will take up the majority of CISOs’ budgets, and aligning investments with business operations will need to be a priority.
Forrester’s latest Security and Risk Budget Planning Guide looks ahead to the coming year and is clear that securing business-critical IT assets must remain a top priority: “Any budget increases CISOs receive in 2025 should prioritize addressing threats and controls across application security, workforce, and business-critical infrastructure,” Forrester said in the report.
CISOs must strengthen threat coverage and controls across application security, protect business-critical infrastructure, and improve people risk management. Forrester sees software supply chain security, API security, and IoT/OT threat detection as core to business operations and encourages CISOs to invest in these areas.
Securing IT infrastructure on a tight budget while protecting new digital business and enabling increased revenue is a proven way for CISOs to advance their careers.
Treat cybersecurity as a business decision first
The most valuable lesson to be taken from Forrester’s planning guide is that investing in cybersecurity must first be considered a business decision. The report’s key findings and guidelines highlight why and how CISOs must make trade-offs between tools and spending to ensure a return on investment while maximizing revenue growth.
Forrester urges CISOs to take an in-depth look at the apps, tools, and suites that are contributing to tech sprawl and remove them from their tech stack as they add new technologies.
Key insights from Forrester’s security and risk budget planning guide include:
- 90% of CISOs expect their budgets to increase next year. The average cybersecurity budget is 5.7% of annual IT expenditures. That’s a small number considering the breadth of the CISO’s role to protect new revenue streams and harden infrastructure. Forrester, citing its 2024 budget planning survey in its guide, predicts that budgets will continue to increase over the next 12 months. Ten percent expect an increase of more than 10% over the next 12 months. A third expect an increase of 5% to 10%, and nearly half expect a more modest increase of 1% to 4%. Only 7% expect their budgets to remain the same, and only 3% expect budgets to be reduced in 2025.
- Take control of technology proliferation today. Forrester warns that technology sprawl is the silent killer of growing budgets: a recent ISG survey found that on average, CISOs are dedicating just over a third of their budget to software, double the amount spent on hardware and surpassing even labor costs. “To address the real problem already plaguing security leaders – technology sprawl – we recommend taking a conservative approach to introducing new tools and vendors, based on the pragmatic principle of not adding something new without first eliminating something,” Forrester wrote in the report.
Source: Forrester 2025 Budget Planning Guide for Security and Risk Management Leaders
- Cloud security, upgraded and new security technologies running on-premise, and security awareness/training initiatives are expected to drive security budgets up by over 10% in 2025. Notably, 81% of security technology decision makers expect spending on cloud security to increase in 2025, with 37% anticipating an increase of 5-10% and 30% anticipating an increase of 10% or more. The high priority of cloud security reflects the critical role that cloud environments, platforms and integrations play in an enterprise’s overall security posture. As more enterprises adopt and build on-premise platforms and apps across IaaS, PaaS and SaaS, spending on cloud security will continue to increase.
Revenue Protection Starts with APIs and the Software Supply Chain
At the core of every CISO’s job is finding new ways to protect the bottom line, especially with the digital-first initiatives that enterprise DevOps teams have been working overtime to deliver on this year.
The priorities suggested by the report are:
Strengthening software supply chain and API security is a must. Forrester claims that the complexity, diversity and volume of attack surfaces across software supply chains and API repositories are increasing exponentially, highlighting the urgent need for security in these two areas. In just the past year, 91% of companies have fallen victim to software supply chain incidents, highlighting the need to better secure continuous integration/deployment (CI/CD) pipelines. Open source libraries, third-party development tools, and legacy APIs created years ago are just a few of the threat vectors that make software supply chains and APIs more vulnerable.
As the Log4j vulnerability shows, malicious actors often seek to compromise widely distributed open source components. Defining an API security strategy that integrates directly into the DevOps workflow and treats the continuous integration and continuous delivery (CI/CD) process as a unique threat surface is a requirement for all companies practicing DevOps today. API detection and response, remediation policies, risk assessments, and monitoring of API usage are also urgently needed to help companies better protect against this potential attack vector.
IoT sensors remain a target for attacks
The Internet of Things (IoT) is the attack vector most commonly used against Industrial Control Systems (ICS) and the many processing plants, distribution centers, and manufacturing centers that rely on them on a daily basis. CISA continues to warn that nation-state actors are targeting vulnerable industrial control assets, and today the agency published three new Industrial Control Systems recommendations.
Forrester’s Top IoT Security Trends for 2024, a report published earlier this year and featured in VentureBeat, found that 34% of companies that experienced a breach targeting IoT devices were more likely to report cumulative breach costs of between $5 million and $10 million compared to organizations that experienced cyberattacks on non-IoT devices.
“In 2024, the potential for IoT innovation will be truly transformative. But with opportunity comes risk: each connected device is a potential access point for malicious attackers,” wrote Ellen Boehm, senior vice president of IoT strategy and operations at Keyfactor, in the company’s recent IoT security report, Digital Trust in a Connected World: Taking a Look at the Current State of IoT Security. “We are excited to be working with NVIDIA to bring IoT to market in a new way,” Boehm said. According to the Keyfactor survey, 93% of organizations have challenges securing IoT and connected products.
“We’re connecting all these IoT devices, and all of those connections create vulnerabilities and risks. I think with OT cybersecurity, the value at risk and the overall danger can be even higher than it is with IT cybersecurity. The danger is considerably higher when you think about the type of infrastructure and assets that we’re protecting,” Kevin Dehoff, president and CEO of Honeywell Connected Enterprise, said in an interview with VentureBeat last year.
“Most customers are still learning about the current state of their OT networks and infrastructure, and I think there will be some realizations along the way. We’re providing a real-time view of OT cyber risk,” Dehoff said.
Ensuring that access to IoT devices is secured using Zero Trust is essential to mitigate the threat of a breach. NIST Special Publication 800-207, the zero trust architecture guidance provided by the National Institute of Standards and Technology (NIST), is perfectly suited to protecting IoT devices because it focuses on protecting the network, where traditional perimeter-based security cannot meet the challenge of protecting all endpoints.
Pragmatism Will Need to Be at the Center of CISO Budgets in 2025
“A fragmented, tech-heavy cybersecurity vendor ecosystem continues to have an overabundance of tools and technologies and a shortage of talent,” Forrester warned.
With that message emphasized throughout the guide, Forrester believes treating cybersecurity spending as a business investment first is a priority that its clients need to embrace more of — a message that Forrester has previously conveyed about the need to consolidate cybersecurity apps, tools and suites in order to curb technology sprawl.
It is time for cybersecurity to be funded not just as a deterrent, but as an engine for growth.
CISOs can strike a balance by exploring opportunities to elevate their role as a direct report to the CEO, ideally joining the board of directors to guide their companies through an increasingly complex threat landscape.