Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
While 90% of cybersecurity and risk leaders predict that they will see an increase in budgets in 2025, many also face a new era of accountability, as boards want to see a strong return on investment in cybersecurity.
This is an impossible expectation to meet, because 35.9% of a typical CISO’s budget is going toward software. Determining whether, how, when and under what circumstances cybersecurity program investments provide sustainable ROI is not easy to do, and such statistics are difficult to verify.
Clear budget wins are available, however. They start with automating security operations center (SOC) workflows that are multi-professional with a lot of conflicting information. Using an end-to-end detection and response system is one good place to start, with the goal of reducing the level of fatigue in SOCs so that experts can focus on the most critical threats and attempt to intervene. Another is automating patch management. CISOs need to move away from trying to do this manually with multiple teams, and replace it with the latest AI- and ML-based platforms designed to improve network patch management.
Forrester’s “Budget Planning Guide 2025: Security and Risks” provides insights into why CISOs are seeing their funding preserved while other areas of the organization face layoffs, budget cuts and, in some cases, new programs being put on hold. (Note, however, that the cybersecurity budget is, on average, just 5.7% of annual IT revenue.)
Gartner’s latest update (4Q 2024) for end-user applications for information security shows the strength of CISO budgets at all levels. These budgets are expected to grow from $184 billion in 2024 to $294 billion in 2028, and Gartner predicts that the market will grow at a 12.43% compound annual growth rate (CAGR) over four years. Security software is expected to be the fastest growing segment, according to Forrester’s latest CISO survey. Gartner predicts that security software spending will grow from $59.9 billion in 2022 to $134.3 billion in 2028, at a CAGR of 14.4%.
The 10 fastest growing segments of the market are the combined market with a small share of 12.63%, while cloud security is the fastest growing, which is expected to achieve a CAGR of 25.87% from 2024 to 2028.
Stephanie Balaouras, Forrester’s vice president, group director, said in a recent webinar, “When you think about AI, when you think about some of the risks we’re looking at, when you think about post-quantum encryption, (and) concerns about that, we’re at this point.” Gartner predicts that by 2028, 22% of cyberattacks and data leaks will include AI output.
The boards don’t stop there. While they are actually funding this inflection by approving defense budgets and, in some cases, expansion, they are focused on cutting the technology stacks and licensing fees required to keep the technology running. Board approvals to help with regulatory compliance, reduce AI risks, and reduce technology congestion will be the focus of CISOs and their teams delivering this year.
Reading between the lines of Forrester’s budget report, we can see that CISOs have entered a new era of accountability.
Cloud infrastructure, data, and software are where CISOs are prioritizing their budgets going into 2025, with data-related investments expected to make the biggest contribution.
Forrester sees the rise of AI and generative AI (gen AI) as driving significant changes in the economy. “Every Gen AI project we’ve discussed with clients is ultimately about data integration,” said Pascal Matska, senior vice president and research director at Forrester.
“You have to invest in the right practices and platforms that run AI services in the most appropriate places at the right prices, and also invest in cloud technologies such as Kubernetes and containers and modern platforms that are available to support it. You eliminate the conflicts that exist in different businesses,” Matska continued.
Security and risk leaders are expecting big changes in their budget next year to be in cloud security, investing in new security technology to drive on-premises, and security awareness and training. Each area is expected to increase by 10% or more in the 2025 budgets.
One of the most important takeaways from Forrester’s cybersecurity planning guidelines is how important it is for CISOs to take responsibility for protecting investments if they want to be able to leverage their ideas. VentureBeat continues to find that successful CISOs know how to lead their teams to support and protect investments, and are often included in team discussions and reporting to the CEO.
CISOs who improve the value in the income improve their performance. “When anything involves as much money as cybersecurity does, it’s an important skill. And you can’t argue that it isn’t,” said Jeff Pollard, Senior Vice President of Research at Forrester, in his keynote “Cybersecurity Drives Revenue: How to Win the Budget War” at the company’s Security and Risk Forum in 2022.
Budgeting to protect money should start with the weakest, most vulnerable areas. This includes application security, API security, human risk management, and IoT/OT threat detection. Software providers are under siege, and 91% of businesses were involved in security incidents in just one year, proving the need for better security in continuous integration/continuous delivery (CI/CD) pipelines.
Open source libraries, third-party development tools, and APIs that were developed years ago are just a few of the risks that make software supply chains and APIs vulnerable. Continuous attacks on widely distributed open source systems, including the Log4j vulnerability, are adding more money to electronic security software.
Forrester advises CISOs to consider investing in four new technology areas, summarized below:
Information management and cyber threats: As businesses begin to build their AI-based applications internally and expand into devops, cloud, and IoT environments, vulnerability risk management (VRM) and attack surface management (ASM) become increasingly important. CrowdStrike often refers to this as Falcon Exposure Management, while Trend Micro and others say attack surface management. Combined with cyber risk quantification (CRQ) capabilities, these solutions help security leaders see what leads to significant risk reduction. CrowdStrike CEO and founder George Kurtz told VentureBeat in an interview, “One of the areas that we’ve pioneered is that we can take weak signals from different places. And we can connect that to get new information. Now we’re adding this to our third-party partners so we can look for other weak signals not only at the end but in all domains and gaining new knowledge.”
Post-quantum security and crypto agility: “Q-Day,” when quantum computers can break modern RSA and elliptic-curve cryptography, is still many years away by many estimates. But this does not prevent businesses from investing in new technology to meet this threat today. Forrester advises prioritizing data analysis and research, especially for financial companies and government agencies.
Safe place for security: High-end shopping and integration in the area, plus Cisco’s acquisition of Splunk, LogRhythm plus I’m leaving and IBM selling QRadar SaaS to Palo Alto Networks, warns us that this is an area that every CISO should pay attention to, because of the trends and potential cost savings. VentureBeat finds that businesses are increasingly exploring security lakes, such as Amazon Security Lake, Snowflake and Google BigQuery, as security data storage solutions without the high cost of traditional SIEM platforms. Forrester cautions against SIEM platforms being tied to financial integration, however. Look for security providers that offer ready integrations with leading data lakes. Cisco, CrowdStrike, Let me know, Zscaler and others provide hooks to access, analyze or create data management systems in third-party data lakes.
AI and ML security: “It’s hard to go out and do something if AI is thought of as a bolt; you have to think (itself),” Jeetu Patel, EVP and GM of security and collaboration at Cisco, told VentureBeat, citing the findings from the 2024 Cisco Cybersecurity Readiness Index. “The buzzword here is that AI is being used naturally in your startup.” It’s solid advice for any CISO protecting budgets that include AI and ML software and components. VentureBeat continues to see AI-powered platforms at their core as more effective against multidomain hacking attempts. Adam Meyers, SVP of intelligence at CrowdStrike, told VentureBeat at a recent press conference that “it’s also important to note that many organizations are using their AI, so what we’re looking at next-generation threats are AI Services, because every organization in the world, I would think in the next few years, it will be driving their AI. We need to protect AI jobs.”
CISOs need to think about how to best secure the data, infrastructure, support programs and many operational infrastructures required to achieve the right security for all AI and gen AI businesses.
CISO-CIO collaboration will be essential in 2025. This collaboration is essential to successful acquisitions. Bob Grazioli, CIO at Ivanti, advised CISOs in a recent interview with VentureBeat that “managers need to combine resources – budget, staff, data and technology – to strengthen the security of the organization. The top priority for CIOs next year will be to ensure that members of the C-suite are using AI-driven insights to inform business performance, not just technology.”
Grazioli continued, “However, investments in AI are hindered by a lack of data availability and transparency. To overcome this, data silos between departments such as (those overseen by) the CIO and CISO must be removed. AI has the potential to be a central source of information, significantly reducing workloads for IT staff and providing visibility into the organization’s risk profile increases the likelihood that CISOs will be able to deliver the results they are trying to achieve.”