The cybersecurity industry is facing a fiscal reckoning. According to the newly released 2025 Security Budget Benchmark Report from IANS Research and Artico Search, security budget growth has slowed to just 4% year-over-year—its lowest level in five years and a sharp drop from 8% in 2024.
The slowdown comes amid global economic uncertainty, as geopolitical instability, fluctuating interest rates, and tariff policies continue to challenge executive decision-making. For cybersecurity leaders, the message is clear: do more with less.
Budget strain hits hiring and team capacity
Perhaps most alarming is the direct impact on staffing. Only 47% of CISOs reported any budget increase this year, down from 62% in 2024, while 39% saw their budgets remain flat. With limited funds, hiring has taken a hit: cybersecurity team growth has slowed to 7%, the lowest in four years.
Only 11% of CISOs say their teams are adequately staffed. The remaining 89% report being stretched thin or outright understaffed, leaving organizations exposed at a time when the threat landscape is becoming increasingly complex.
"Security teams everywhere are feeling the pinch from tightening budgets," said Matt Lee, Security and Compliance Senior Director at Pax8. "We're seeing more organizations turn to AI-powered security tools that can take care of routine tasks like alert triage and threat detection, which means their skilled analysts can actually focus on the complex, high-value work that really needs human expertise."
Security spending lags behind IT growth
Security spending is also losing ground to broader IT investments. For the first time in five years, the percentage of IT budgets allocated to security declined—from 11.9% to 10.9%. While IT departments ramp up spending on AI and cloud technologies, cybersecurity budgets are no longer keeping pace.
Amy Lindenmeyer, CFO at Keeper Security, pointed to the need for deeper collaboration between CFOs and CIOs in this environment. "Operational efficiency, profitability, and productivity all factor into the multifaceted pressures facing business leaders," she said. “For true optimization, both [CFOs and CIOs] must bring their expertise to share—balancing cost analysis with new and emerging technologies.”
The case for smarter security investments
While budgets tighten, expectations remain high. CISOs are increasingly expected to function as risk managers, business strategists, and boardroom communicators—on top of being technology leaders.
“Cyberattacks are getting riskier and more frequent every day, putting CISOs squarely in the hot seat,” said Devin Ertel, CISO at Menlo Security. “This amplified accountability, combined with a cybersecurity talent shortage, has raised the value of experienced CISOs significantly.”
In response, organizations are prioritizing tools with clear, fast ROI. “We see a priority being placed on solutions that have a clear path to ROI within months, rather than years,” said Piyush Pandey, CEO at Pathlock. “Helping customers quantify risk in actual dollars—and the ability to help them put cash back on their books—eases any macro-economic concerns.”
Budget ≠ effectiveness
Despite shrinking resources, experts caution against equating budget size with program strength. Bruce Jenkins, CISO at Black Duck, argues that the fundamentals still matter most.
“The effectiveness of a cybersecurity program is, in my opinion, fundamentally independent of its budget size,” Jenkins said. "Whether managing a $4 million or a $40 million budget, every cybersecurity leader should prioritize the consistent measurement of critical risk areas."
Jenkins highlighted several core areas that should be continuously measured regardless of budget, including threat detection and response, patch management, security awareness training, access management, and framework audit health.
Making the business case for cybersecurity
As CISOs look to protect—and potentially grow—their budgets in a challenging economic climate, aligning cybersecurity with business outcomes is key. Jenkins emphasized two strategies:
- Linking security to business growth: Show how cybersecurity enables customer trust, increases renewal rates, and supports new business opportunities.
- Demonstrating cost avoidance: Quantify averted threats and minimized downtime as clear returns on cybersecurity investments.
Ultimately, a well-articulated security strategy that translates into business value may be the most powerful tool a CISO has—especially when dollars are scarce.
"Organizations that get this balance right—combining human insight with AI muscle—are managing to keep their security posture strong even when their budgets can't necessarily keep up," said Pax8's Matt Lee.
As 2025 unfolds, cybersecurity leaders will need to walk a careful line—balancing risk, resilience, and ROI in an environment where every dollar counts.