As we approach 2025, it’s crucial for Chief Information Security Officers (CISOs) to prioritize revenue protection and risk management within their budgets. Investments should be closely aligned with business operations to drive these priorities.
Forrester's latest budget planning guide for security and risk emphasizes that safeguarding business-critical IT assets must be a top concern. According to the report, “CISOs should focus budget increases on addressing threats and controls in application security, personnel management, and business-critical infrastructure.”
To navigate this evolving landscape, CISOs need to intensify efforts around application security, reinforce critical infrastructure, and enhance human risk management. Forrester identifies software supply chain security, API security, and IoT/OT threat detection as essential areas for investment.
Protecting revenue-generating digital initiatives and the IT infrastructure behind them on a constrained budget is also how CISOs demonstrate business value, and with it advance their careers.
Treat Cybersecurity as a Business Decision First
A key takeaway from Forrester's guide is that cybersecurity investments should be seen primarily as business decisions. The report highlights the need for CISOs to carefully assess tool and spending choices to maximize revenue growth and achieve strong returns on investment.
Forrester advises CISOs to evaluate any applications or tools contributing to technology sprawl and to eliminate them before adopting new ones.
Key Insights from Forrester's 2025 Budget Planning Guide
1. Budget Increases: Ninety percent of CISOs anticipate budget increases next year. Cybersecurity budgets currently average only 5.7% of overall IT spending, which is modest given the CISO's responsibility for protecting revenue streams and infrastructure. Forrester's 2024 Budget Planning Survey predicts continued growth: 10% of respondents anticipate increases of more than 10%, one-third expect increases between 5% and 10%, and nearly half foresee smaller increases of 1% to 4%. Only 7% expect flat budgets, and 3% anticipate cuts in 2025.
2. Control Tech Sprawl: Tech sprawl poses a significant threat to budget efficiency. Forrester warns that, on average, over one-third of CISOs’ budgets are allocated to software, exceeding hardware and personnel expenses. To combat this, Forrester suggests a cautious approach: avoid adding new tools without first removing existing ones.
3. Cloud Security Investment: Anticipated growth in security budgets will largely stem from cloud security investments. Eighty-one percent of security technology leaders plan to increase spending on cloud security in 2025, with many predicting increases of 5-10% or more. As enterprises adopt IaaS, PaaS, and SaaS, cloud security will remain a high priority.
Protecting Revenue Through APIs and Software Supply Chains
Part of every CISO's mandate is identifying new ways to safeguard revenue, especially in the context of digital initiatives pursued by DevOps teams. Key priorities include:
- Strengthening Software Supply Chain and API Security: With 91% of enterprises reporting a software supply chain incident in the past year, securing these areas is critical. Supply chain controls and API security both need to be built into DevOps workflows, where the risk from open-source libraries and legacy components is introduced, rather than bolted on after release.
IoT is a Growing Attacker Target
The Internet of Things (IoT) represents a significant attack surface, particularly for industrial control systems (ICS). CISA warns that vulnerable ICS assets are being targeted by nation-state actors, and Forrester's research indicates that breaches involving IoT devices cost organizations more than breaches involving non-IoT devices.
To protect IoT devices, adopting a zero-trust model is essential: each device and each connection is authenticated and authorized on its own merits rather than trusted because it sits on an internal network segment. The National Institute of Standards and Technology (NIST) publishes guidance for securing IoT networks on this basis, without relying solely on perimeter-based security.
Pragmatism in 2025 Budgeting
Forrester cautions that the overload of tools in a fragmented cybersecurity market demands a more pragmatic approach. CISOs must treat cybersecurity spending as a strategic business investment, shifting the organization's view of security from a cost to be minimized to a growth engine.
By establishing themselves as strategic business leaders, and by seeking a direct reporting line to the CEO and ideally a seat on the board, CISOs put themselves in a position to navigate the modern threat environment more effectively.