
5 Key Goals to Guide Cybersecurity Budgets in 2025

With only modest budget increases and an economic future that’s anything but certain, security leaders have to be much more discerning in how they allocate funds – and willing to play the long game. Here’s how.

Perspective

Ransomware can stop a company in its tracks in a matter of minutes, and phishing scams – powered by generative AI – are sneakier than ever, slipping past even the most watchful eyes and vigilant defenses. As 2025 nears, chief information security officers face a dilemma: how to defend against relentless threats on modest budgets.

It’s not that these CISOs aren’t fairly funded. Most industry experts say cybersecurity spending accounts for between 9% and 20% of the overall IT budget. Just a few years ago, those budgets were growing at double-digit rates as organizations sought to ensure their suddenly remote employees were working as safely and securely as possible.

That era has now clearly passed, as cybersecurity budgets reveal some stark new challenges for security teams.


This year, for instance, CISOs saw their cybersecurity budgets rise an average of 8% compared to 16% and 17% hikes in 2021 and 2022, respectively, according to a recent IANS + Artico Search survey.

With such modest increases against economic uncertainty, security leaders have had to be much more discerning in allocating funds. Staffing accounted for more than a third (37%) of the average budget in 2024, according to the survey, yet headcount growth slowed from 31% to 12% this year. Off-premises software and outsourcing costs account for another 43%. By comparison, training – a critical line of defense in an era of AI-powered phishing – accounted for just 4%, IANS + Artico Search found.

For many CISOs, the directive has been clear: Defend the fort but keep costs down – a challenge that demands accountability for every dollar.

“Security spending is a core part of IT budgets, but we’re still seeing CISOs forced to justify ROI on every dollar they spend,” notes Frank Dickson, IDC cybersecurity analyst.

Where to allocate cybersecurity budget in 2025

So, are CISOs doing things right? Yes, for the most part – at least from a money management standpoint. But if security teams aren’t aligning spending to a few key trends, they could struggle to address them down the road – and at a much higher cost.


Here are five considerations that should guide every budgeting decision going into the new fiscal year:

1. Phishing-resistant MFA and passwordless solutions

Traditional multifactor authentication (MFA) methods are increasingly under siege. MFA bombing (push fatigue), adversary-in-the-middle phishing proxies that relay one-time codes and session cookies in real time, and novel social engineering tactics have exposed weaknesses in what used to be the go-to security fix.

Forrester recommends organizations use MFA apps with “number matching” on top of one-time passwords (OTPs) as an interim step. With number matching, the sign-in screen displays a number and the user must type that same number into the authenticator app to approve the push, so a prompt cannot be approved blindly by someone being bombed with requests they did not initiate.

Forrester also recommends embracing phishing-resistant MFA built on public key cryptography schemes such as FIDO2, the open standard for passwordless authentication behind passkeys – credentials that let users sign in to sites without a password. The credential is bound to the site’s domain and the signed response includes the origin the browser observed, so a look-alike domain cannot obtain a usable login response; that binding is what makes it phishing-resistant.


A successful MFA strategy will demand a larger slice of the budget, but reducing the risk of credential theft and keeping successful breaches at bay should easily justify the expenditure.

2. Platform integration and tool consolidation

Tool sprawl is a costly side effect of rapid security investment. With multiple tools spread across functions, security teams often struggle to manage and optimize their stacks. According to a recent Gigamon survey, 76% of CISOs feel overwhelmed by the volume of threats they deal with daily, and six in 10 cite tool consolidation and optimization as their top priority for remediating blind spots.

By consolidating tools and investing in platforms that integrate well with existing infrastructure, companies can reduce operational complexity, shorten detection and response times, make automation more effective, and free personnel to focus on higher-priority work.

“Many CISOs are looking at optimization within their tool stack,” says Nick Kakolowski, senior research director at IANS. “Financial pressures have led to interest in consolidation. At the same time, limited staff resources to make the most of tools are pushing teams to look for ways to minimize sprawl and automate.”

3. Automation – doing more with less

Staffing constraints are real, and CISOs know it. Automation is essential for security teams to maintain the same level of protection with fewer people.


Dickson recommends focusing on tools that enhance detection capabilities and streamline response, reducing mean time to detect (MTTD) and mean time to respond (MTTR). “Automation isn’t just about spending on tools; it’s about spending on tools that allow you to save elsewhere, like slowing headcount growth,” he says.


GenAI is one area where automation is showing promise. From automating threat analysis to triaging alerts, AI tools can help security teams manage threats without adding headcount. However, CISOs need to proceed cautiously: GenAI tools should be carefully integrated into existing security environments, since their efficacy hinges on seamless interaction with other platforms, and their output should be reviewed or validated before it drives automated response actions.

4. Prioritize training and insider threat awareness

With attackers using AI to craft ultra-realistic phishing lures and automate their delivery to mailboxes at scale, underinvesting in human risk management could be a fatal flaw in an organization’s strategy. People, after all, are often the weakest link in any organization’s defenses.

“Training has to be an important aspect of every cybersecurity budget,” says Dickson.

More than ever, every organization should run phishing simulations regularly and make behavioral analysis and human risk management tools part of routine operations. Enhanced training programs that focus on recognizing and avoiding AI-driven phishing scams can make employees an effective first line of defense. Implementing policies to monitor insider activity and using behavioral analytics to flag actions that deviate from a user’s normal pattern (unusual hours, unfamiliar systems, abnormal data volumes) can also help detect insider threats before they escalate.

5. Cloud security and deep observability

The widespread adoption of hybrid and cloud environments makes visibility across all data flows critical, but most organizations lack it. Eight out of 10 CISOs, for example, cite blind spots in hybrid cloud infrastructure as one of their top concerns, according to the Gigamon survey.

The fundamental truth about the cloud, of course, is not lost on CISOs: Deep observability is costly.


Yet it’s increasingly seen as a foundational layer of security for hybrid environments. Nearly 85% of CISOs in the Gigamon survey emphasized the importance of packet-level data for identifying cyber threats in real time, highlighting the need for robust monitoring solutions in 2025 budgets.

Cybersecurity budget basics – align cyber risk with business goals

None of these priorities should be budgeted for only the short term. Indeed, one of security leaders’ most significant mistakes is treating budgets as annual allocations instead of as part of strategic, multiyear plans, says Dickson. Thinking in three-to-five-year planning cycles lets CISOs align security investments more closely with business goals and make each dollar deliver measurable value, he adds.

For fiscal year 2025, CISOs should balance immediate needs with long-term strategies, reallocating resources to phishing-resistant MFA, platform integration, automation, employee training, and cloud security to not only defend against rising threats but also demonstrate that cybersecurity investments support the company’s resilience and future growth.

Wendy Lowder

Wendy Lowder is a freelance writer based in Southern California. When she’s not reporting on hot topics in business and technology, she writes songs about life, love, and growing up country.
