Survey Sees Drop in Cybersecurity Spending Growth Rates
A survey of 587 CISOs published this week finds security budget growth dropped to 4%, down from 8% in 2024, with more than half reporting flat or shrinking budgets.
Conducted by IANS Research and Artico Search, an executive search firm, the survey also finds security budgets as a percentage of IT spending declined from 11.9% to 10.9%, breaking a five-year upward trend. Staffing growth, meanwhile, slowed to 7%, with only 11% of CISOs reporting they are adequately staffed. The remaining 89% describe their teams as stretched thin or understaffed, leading to serious organizational risk given the expanding scope of security requirements, the survey finds.
Nick Kakolowski, research director at IANS, said that, given recent price increases instituted by cybersecurity vendors, the overall amount of spending on cybersecurity is essentially flat. Additionally, cybersecurity spending is now tracking more closely with macroeconomics, which during uncertain economic times makes organizations hesitant to increase any type of spending, he added.
In fact, the days when organizations reflexively increased spending on cybersecurity in response to new threats may be over, noted Kakolowski. CISOs are now expected to accomplish more with existing, or sometimes even fewer, resources by embracing automation and other innovations such as artificial intelligence (AI), he said.
The pace at which cybersecurity teams can embrace new technologies will, however, naturally vary. For example, when it comes to AI, it’s already apparent a dichotomy is emerging between those that have access to these emerging technologies and those that don’t, said Kakolowski.
In theory, AI especially should make cybersecurity teams more efficient and productive, but there are often significant upfront costs that need to be incurred before the return on that investment might actually be realized. In the case of AI, there is also a significant difference between providing summarizations of threats to make analysts, for example, more efficient, and mastering more advanced use cases where AI is used to thwart threats, noted Kakolowski.
CISOs should also not assume that AI is going to make up for every talent gap or take their existing staff for granted, he added. AI is an important tool, but it primarily augments cybersecurity teams rather than replacing them, said Kakolowski.
Regardless of the level of spending, one thing is clear: cybersecurity teams will need to become much better at prioritizing responses to threats based on their actual level of risk to the business as the volume and sophistication of cyberattacks continue to increase. More challenging still, the overall size of the attack surface that needs to be defended also continues to steadily increase, so in many cases cybersecurity teams, even with the aid of AI, might be fortunate if they can simply keep pace.
In fact, savvy CISOs should be more focused than ever on reducing staff turnover and burnout by taking advantage of AI to re-engineer workflows in ways that, while not necessarily improving cybersecurity, go a long way toward making the job itself a lot less tedious and stressful than it has historically been.

