The Great Cyber Budget Boom: 99% of Leaders Are Increasing Spend
By Cam Sivesind
Thu | Dec 18, 2025 | 7:13 AM PST

Cybersecurity is on the cusp of a financial revolution. According to the 2025 KPMG Cybersecurity Survey, a staggering 99% of security leaders plan to increase their cybersecurity budgets over the next two to three years.

This near-universal commitment to increased spending—with the majority (54%) anticipating significant increases of 6% to 10%—signals a major market pivot. Cybersecurity is no longer a cost center for IT; it is a critical business imperative and a fundamental driver of enterprise risk and resilience.

"A 99% increase in cybersecurity budgets isn’t a spending trend—it’s an admission," said Dr. Eric Cole, DPS, cybersecurity expert and author of "Cyber Crisis." "Leaders now understand that cyber risk is business risk, and ignoring it is no longer survivable."

What's driving this boom, and what are the profound implications for security leaders, their teams, and the vendors competing for this historic inflow of capital?

The primary engine fueling this investment surge is the rapid maturation of AI-driven threats. Security leaders are facing a new generation of adversaries equipped with advanced tools that dramatically lower the barrier to entry for highly sophisticated attacks.

According to the report, the top threats leaders are currently grappling with include:

  • AI-powered social engineering and targeted attacks (55%)

  • AI-enhanced malware and ransomware (50%)

  • Automated phishing attacks (49%)

The data reveal a critical confidence gap: only 35% of leaders rate their defenses as highly effective against AI-powered social engineering. This lack of confidence in mitigating the new threat vectors is accelerating the budget commitment, as leaders recognize they must out-innovate the offense.

"AI didn't just accelerate attacks—it erased the skill barrier," said Dr. Cole. "When anyone can launch a sophisticated campaign, defense must evolve from reactive tools to predictive intelligence."

Dr. Cole will be keynoting at several SecureWorld conferences in 2026, including his talk on "You are Not a CISO, You are a 'CO IS'" at SecureWorld Charlotte on March 18. According to Dr. Cole, "A CISO is, by all definitions, a Chief Officer (CO) with a focus and obsession for Information Security (IS). Thus, a true CISO is a CO with an emphasis on IS."

Col. Cedric Leighton, CNN Military Analyst; U.S. Air Force (Ret.); Chairman, Cedric Leighton Associates, LLC, offered his commentary.

"Not only will AI provide challenges from a cybersecurity perspective, but there will be a requirement soon for CISOs to integrate some form of post-quantum cryptography when current cryptographic technologies become obsolete," Col. Leighton said. "Increasing cybersecurity spending can help secure critical networks if it's done with some strategic forethought. CISOs have to recognize that the cyber threat environment is continually evolving. Threats from nation-states like China and Russia are becoming even more pernicious, and CISOs have to keep one eye on technical developments and another on geopolitical developments."

He continued, "Cyberattacks are now often part of a greater pattern of hybrid and asymmetric warfare—like what Western and Central European nations are experiencing right now. Cyber vigilance and cyber resilience go hand in hand."

For security leaders, the survey says, the influx of capital presents an unprecedented opportunity—but also a complex challenge. The focus must shift from simply spending more to spending strategically.

1. Strategic investment in core resilience

While AI is the threat, the investment priorities reflect a renewed focus on fundamental resilience:

  • Data Security and Privacy remains the top investment priority.

  • Identity and Access Management (IAM) and Cloud Security follow closely behind. Specifically, leaders are investing in adaptive authentication, risk-based access (54%), and AI-powered identity analytics (46%). This move reflects the understanding that identity has become the new perimeter in a cloud-first, AI-driven world.

  • AI-Driven Defense is Mandatory: 70% of organizations are already dedicating more than 10% of their budget to AI-related cyber initiatives. Leaders must use these funds to implement AI for defense, leveraging it for fraud prevention (57%), predictive analytics (56%), and enhanced detection (53%).

2. The talent imperative is now a hiring crisis

The budget boom exacerbates the most persistent problem in the industry: the talent crisis. 53% of leaders cite a lack of qualified candidates as a high-impact challenge. To fill this gap, security leaders are employing a multi-faceted strategy:

  • Internal Upskilling and Compensation: Nearly half (49%) are increasing compensation and investing in internal training and upskilling for existing teams.

  • Strategic Reliance on Partners: To gain specialized expertise (42%) and accelerate new technology implementation (31%), security leaders are ramping up their reliance on partners. Specialized Managed Security Service Providers (MSSPs) are increasingly relied upon (45%) to fill critical operational gaps.

"The security industry is overwhelmed by new products while established vendors in the space make the move to platformizations of their capabilities," said Tammy Klotz, CISO at Trinseo, a specialty material solutions provider. "Security leaders are tasked to rationalize their toolkit, minimize duplication of capabilities, advance protection with new technologies, provide defense in depth, and oh yeah...manage their spend accordingly. Not an easy feat by any means."

Klotz continued, "Striking the right balance of resources is key. In my experience, most internal security teams are lean with a dependency on third parties to provide operational support. This requires a strong partnership between your organization and your MSSP/MDR provider."

Kip Boyle, vCISO at Cyber Risk Opportunities LLC, said to proceed with caution. "The budget numbers are impressive. But there's a deeper story here: 99% of leaders plan to spend more. Despite that, only 35% feel confident they can stop AI-powered social engineering," Boyle said. "That's a big gap. More money isn't creating more safety everywhere. Are teams buying tools faster than they can learn to use them well? Especially when 53% can't find enough skilled people? The vendors who win won't just sell products. They'll help teams turn those tools into real protection."

What the boom means for cybersecurity vendors

The surge in spending does not translate into an easy win for all vendors. The focus on strategic, risk-aligned spending will be highly competitive.

1. Consolidation and platform value

With budgets under scrutiny, leaders are seeking efficiency. This points toward a demand for unified security platforms that reduce complexity and overhead. Vendors who offer consolidated, integrated solutions across multiple domains (Cloud, IAM, and Data) will be strongly positioned against point-solution competitors. Vendors must clearly articulate how their platform reduces management costs and integrates defense layers.

2. AI as a feature, not a gimmick

AI is no longer a buzzword; it is a necessary core capability. Vendors must move past marketing AI as a feature and instead demonstrate tangible AI-powered outcomes, such as:

  • Automated Threat Hunting: Proving how their solution automates routine tasks, freeing up the resource-strapped internal security team to focus on strategic risks.

  • Risk Prioritization: Delivering predictive analytics and risk-based decision support that directly aligns with a CISO’s business objectives.

3. Partnering to solve the people problem

The 53% talent gap is the vendor’s greatest opportunity. Winning vendors will be those who bundle their technology with expert services (MSSP or professional services) to help organizations operate their solutions. A vendor that can alleviate the internal staffing strain—not just by selling a tool, but by providing the people to run it—will secure a larger portion of the increasing budget.

"We are operating in a dual reality where AI is simultaneously our greatest risk and our most critical defense. While AI-powered infrastructure attacks are already here, I expect a full-scale AI-driven 'showdown' within the next 24 months," said VJ Viswanathan, CEO at TORQE & Founding Partner at CYFORIX, a research-driven strategic risk advisory and technology engineering firm. "Success requires more than just reactive tools; it demands a strategic architectural shift toward inline, proactive detection, build resilience—a shift that has moved this risk discussion to a permanent topic at the Board table in all my recent engagements."

Viswanathan added, "However, the real 'identity fog' is being created by the explosion of non-human identities across Cloud and DevOps environments. This proliferation has made Machine Identity Management a top-five investment priority for CISOs. In this environment, the bottleneck isn't capital—it’s the complexity of scaling architectural changes amidst a talent shortage and an unrelenting M&A landscape."

We asked several cybersecurity vendor SMEs for their thoughts:

David DellaPelle, Co-Founder & CEO at Dune Security, said:

  • “The boom in cybersecurity spending is no coincidence. Generative AI has shifted both the scale and sophistication of attacks, making cybersecurity investment a core business risk rather than an IT expense."

  • "Cybersecurity budgets are rising, but so is attacker sophistication. Despite billions spent trying to reduce cyber risk, attackers continue to exploit human vulnerabilities through new and creative tactics. On the defensive side, the challenge is understanding where exposure is highest and prioritizing investments that meaningfully reduce enterprise risk without adding strain to already stretched teams.”

  • “As budgets grow, tolerance for complexity is shrinking. Security leaders want fewer platforms that integrate seamlessly, not more point solutions that add operational drag.”

Bruce Jenkins, CISO at Black Duck, said:

  • "The effectiveness of a cybersecurity program is, in my opinion, fundamentally independent of its budget size. While a bigger budget can facilitate the acquisition of sophisticated tools and dedicated staff to streamline measurement processes, core effectiveness measures remain universal."

  • "In the end, a truly effective cybersecurity program should translate into palpable business benefits, such as improvements in customer trust and increased customer renewal rates. This direct link to business value inherently strengthens the CISO's position and, in an ideal world, leads to steady or even increased cybersecurity budget allocations and appropriate compensation adjustments."

  • "Justifying cybersecurity investments to C-level executives and the Board requires demonstrating clear business value. This can be achieved through two primary approaches:

    • Linking Security to Business Growth: Articulate how cybersecurity initiatives directly contribute to improvements in customer trust, increased renewal rates, and the enablement of new business opportunities. Presenting metrics that correlate security program elements with these positive business outcomes provides a compelling argument for stable or increased cyber spend.

    • Demonstrating Averted Danger and Cost Avoidance: Quantify the 'danger averted' by showcasing the cyber organization's success in thwarting attacks. Metrics illustrating the number of prevented breaches, mitigated risks, or reduced downtime provide a clear return on investment through cost avoidance, justifying investments in tooling, personnel, and processes."

Ram Varadarajan, CEO at Acalvio, said:

  • "Today, we are witnessing a fundamental shift in the cyber threat landscape that is causing organizations to rethink their cybersecurity spend, and it’s more severe and extraordinary than anything we've faced before. The recent Chinese state-sponsored attack against thirty simultaneous targets using autonomous AI agents marks the beginning, not the apex, of this threat. A single AI controller made thousands of requests per second, operating at speeds physically impossible for humans."

  • "However, what's emerging is far more dangerous: multi-agent swarms coordinating in real-time across reconnaissance, credential harvesting, and data exfiltration. We're facing exponential coordination where hundreds of specialized AI agents will operate simultaneously across our entire attack surface. Reactive defenses can't operate at machine speed, requiring a shift in the cybersecurity stack to preemptive, AI-driven strategies. AI fighting AI, paired with offensive deception technologies, is the emergent design to catch attackers off guard and cause them to make mistakes and disclose themselves."

  • "Organizations that adapt will recognize that defense is no longer about building higher walls. It's about becoming an unpredictable, moving target."

Dave Tyson, Chief Intelligence Officer at iCOUNTER, said:

  • "While threat hunting remains a fundamental capability, it often occurs too late to prevent an intrusion. At that point, it becomes a race to limit the blast radius. The larger issue is that threat hunting can only be performed in environments where you have authorization. Depending on the source, between 15 and 30 percent of cyberattacks originate from an organization’s third parties. Because it is rare to be allowed to hunt in another company’s environment, a major visibility gap exists in understanding the full scope of threats targeting you."

  • "Today, we are seeing a monumental shift in cyber spend toward the need for continuous monitoring of the extended ecosystem. Detecting threats in near real time allows mitigation to occur before a risk event impacts you. It is a different kind of hunt, but in today’s connected ecosystem, it is becoming a fundamental requirement."

  • "Many solutions already automate components of threat hunting, and agentic AI will undoubtedly advance this further. However, as a former CISO for several large organizations, I believe it is unlikely to become fully automated for two key reasons."

  • "First, training AI agents requires significant volumes of structured data and extensive optimization time. Most enterprise systems are not natively integrated to enable this. Manufacturing, marketing, legal, and strategic systems often operate independently, creating fragmented data environments. While SaaS-native organizations are more connected, legacy technical debt leaves many enterprises with disconnected data sources."

  • "Second, business context is essential to prioritize threats effectively. Teaching AI-driven systems to understand which assets are most critical, and under what circumstances, is a monumental challenge for large enterprises with multiple brands, locations, and subsidiaries."

  • "Looking again at the extended ecosystem, if more threats are moving to connected third and fourth parties, how does AI help in those cases? If a cyber adversary uses an MCP-enabled AI to attack your connected partners simultaneously with precision, traditional threat hunting will not detect it, nor will most third-party risk management providers. The solution lies in real-time ecosystem monitoring that identifies and alerts you when a third party is compromised, enabling mitigation before the threat impacts your operations. This becomes especially critical when the affected third party is a core supply chain partner such as Salesforce, AWS, or a manufacturing provider whose downtime or data loss could severely disrupt your business."

  • "Moving forward, new and innovative approaches will continue to emerge. Automatically quarantining endpoints or assets is a valuable tactic, but this primarily addresses symptom management. The greater business value lies in identifying the root cause: why the security defenses failed, whether the strategy was sound, and what made the system vulnerable in the first place. The ability to temporarily disconnect third parties, especially those with two-way connections to your environment, is becoming a critical new capability. Leading organizations are beginning to implement this, often with human oversight involved, and this trend is expected to grow."

Rich Seiersen, Chief Risk Technology Officer at Qualys, said:

  • "This year, CISOs were faced with overwhelming noise: noise confronts the defender on three fronts. I call them the three T’s: Telemetry, Tools, Technology. Telemetry means the signals emitted by security tools; tools refer to the abundance of security solutions we have deployed or are considering; and technology signifies what our businesses are doing in terms of digital and AI transformation. It’s overwhelming."

  • "Add to that the rapid pace of AI growth, both from a consumer and a B2B perspective. People are using AI for everything without your permission, including crafting core enterprise content or getting overzealous AI help with first-party development. This is the exponentiation of high-risk shadow IT brought to you by consumer-facing AI. Then there are the corporate AI initiatives that mesh on-premises stuff with SaaS via the “Model Control Protocol” (MCP). That, in turn, is theoretically taking autonomous actions in concert with other agents."

  • "Leaders no longer want mere observation. They wish to know how assets, risks, threats, and business value correlate and interact. And where the biggest bang for their buck exists in eliminating risk across various attack paths. More than that, they want non-destructive action taken to eradicate high-impact risks."

Piyush Pandey, CEO at Pathlock, said:

"In terms of spend, we've seen security, specifically application security and controls automation, spending remain consistent with years past. Organizations are now better educated on the risks that occur within their application landscape, affecting transactions and data, and are taking action to secure those applications for both security and compliance purposes. Based on today’s economic climate, organizations are certainly being more thoughtful about their investments. We see an urgency being placed on solutions that have a clear path to ROI within months, rather than years. Helping customers quantify risk in real dollars, and the ability to help them put cash back on their books, eases any macro-economic concerns."

Matt Lee, Security and Compliance Senior Director at Pax8, said:

  • "Security teams are feeling the pinch from tightening budgets, and it's putting real stress on these professionals who are already stretched thin. We're seeing more organizations turn to AI-powered security tools that can take care of routine tasks like alert triage and threat detection, which means their skilled analysts can actually focus on the complex, high-value work that really needs human expertise."

  • "These AI systems aren't about replacing security professionals; they're about giving overwhelmed teams the additional resources they desperately need to stay on top of threats. The key is working with technology partners who understand how to weave AI capabilities into your existing security stack without creating more headaches. Organizations that get this balance right - combining human insight with AI muscle - are managing to keep their security posture strong even when their budgets can't necessarily keep up with the growing threat landscape, and there's real appetite for solutions that provide that kind of support."

Shane Barney, CISO at Keeper Security, said:

"Measuring the efficiency of a cybersecurity program isn’t about how much you spend—it’s about how sensibly you spend it. There are three main ways to evaluate performance:

  • Track Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs): Key performance and risk indicators provide quantifiable insight. Metrics like Mean Time To Detect and Respond (MTTD/MTTR), patching cadence, reduction in high-risk vulnerabilities, phishing click rates and security training completion help gauge operational efficiency, risk reduction and user awareness.

  • Leverage Security Maturity Frameworks: Industry-standard frameworks such as NIST, CIS Benchmarks and ISO 27001 help benchmark progress and identify gaps relative to your organization's size and risk profile.

  • Apply Risk-Based ROI Models: Models like FAIR allow CISOs to quantify the return on security investments by showing how specific initiatives reduce risk exposure in financial terms."
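To make the indicators above concrete, here is an added example (written for this page, not code from the article or from any of the quoted speakers) that computes MTTD, MTTR and a phishing click rate from a constructed set of incident records, and then applies a deliberately simplified, point-estimate version of the FAIR idea (annualized loss expectancy = loss event frequency × loss magnitude) to express a control's value in dollars. The incident timestamps, campaign counts and dollar figures are all constructed assumptions; real FAIR analyses use ranges and Monte Carlo simulation rather than single values.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass
class Incident:
    """One security incident with the three timestamps the KPIs need."""
    name: str
    occurred: datetime   # when attacker activity began (from the forensic timeline)
    detected: datetime   # when the SOC first raised an alert
    contained: datetime  # when the incident was declared contained


# Constructed sample incidents (illustrative values, not real data).
INCIDENTS: List[Incident] = [
    Incident("phish-001", datetime(2025, 3, 1, 8, 0), datetime(2025, 3, 1, 9, 30), datetime(2025, 3, 1, 13, 0)),
    Incident("cred-002", datetime(2025, 3, 5, 22, 0), datetime(2025, 3, 6, 4, 0), datetime(2025, 3, 6, 10, 0)),
    Incident("malware-003", datetime(2025, 3, 10, 12, 0), datetime(2025, 3, 10, 12, 30), datetime(2025, 3, 10, 14, 30)),
]


def _mean_hours(pairs) -> float:
    """Average elapsed time, in hours, over (start, end) timestamp pairs."""
    hours = [(end - start).total_seconds() / 3600.0 for start, end in pairs]
    return sum(hours) / len(hours)


def mttd(incidents: List[Incident]) -> float:
    """Mean Time To Detect: average hours from first attacker activity to first alert."""
    return _mean_hours((i.occurred, i.detected) for i in incidents)


def mttr(incidents: List[Incident]) -> float:
    """Mean Time To Respond: average hours from first alert to containment."""
    return _mean_hours((i.detected, i.contained) for i in incidents)


def phishing_click_rate(sent: int, clicked: int) -> float:
    """Fraction of simulated-phishing recipients who clicked (a user-awareness KRI)."""
    if sent <= 0:
        raise ValueError("sent must be positive")
    return clicked / sent


def annualized_loss_expectancy(loss_event_frequency: float, loss_magnitude: float) -> float:
    """Simplified FAIR-style point estimate: expected events per year × loss per event."""
    return loss_event_frequency * loss_magnitude


def control_roi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on a control: (risk reduction in dollars - control cost) / control cost."""
    if annual_control_cost <= 0:
        raise ValueError("annual_control_cost must be positive")
    reduction = ale_before - ale_after
    return (reduction - annual_control_cost) / annual_control_cost


if __name__ == "__main__":
    print(f"MTTD: {mttd(INCIDENTS):.2f} h, MTTR: {mttr(INCIDENTS):.2f} h")
    print(f"Phishing click rate: {phishing_click_rate(2000, 90):.1%}")
    # Assumed scenario: phishing-resistant MFA cuts the expected frequency of a
    # credential-theft loss event from 0.5/yr to 0.1/yr at $400k per event.
    before = annualized_loss_expectancy(0.5, 400_000)
    after = annualized_loss_expectancy(0.1, 400_000)
    print(f"ALE before: ${before:,.0f}, after: ${after:,.0f}, "
          f"ROI on a $60k/yr control: {control_roi(before, after, 60_000):.0%}")
```

The same functions can be run monthly over the real incident register to plot the trend, which is what makes the numbers useful to a Board: a falling MTTD alongside a falling ALE shows the spend is buying risk reduction rather than just tools.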

Rajeev Gupta, Co-Founder & CPO at Cowbell, said:

  • "AI is revolutionizing the cybersecurity industry, and that includes cyber insurance. Unfortunately, it’s also empowering cybercriminals. The same tools used to streamline underwriting and claims are being weaponized by bad actors to launch automated, scalable cyberattacks. These attacks require no human oversight and can continuously crawl, exploit, and deploy malware across systems. With funding cuts to key cybersecurity agencies like CISA, the threat landscape is expected to worsen, putting even more pressure on insurers to evolve."

  • "Generative AI’s ability to interpret complex vulnerability data, such as CVEs and exploit databases, will be essential in building more accurate and responsive risk models. Moving forward, cybersecurity best practices must evolve alongside AI adoption. Companies should verify AI tools, avoid inputting sensitive data into chatbots, and remain vigilant against increasingly sophisticated phishing attacks. Building a culture of awareness and implementing robust AI use policies will be critical to mitigating these emerging risks."

In short, the 2025 KPMG survey confirms the start of a historic era of investment. For cybersecurity professionals, it's a mandate to evolve from gatekeeper to business enabler. For vendors, it is a race to provide unified, AI-centric, and services-backed solutions that solve the dual challenge of sophisticated threats and a chronic skills shortage.
