Today's CISOs wear many hats. They are expected to be experts in technologies, negotiators, strategists, influencers, and a source of inspiration throughout the value chain. As cybersecurity threats evolve and grow, the role of the Chief Information Security Officer (CISO) is becoming even more critical.
Cybersecurity Budgets Are Booming
Fortunately, unlike other tech leaders, CISOs have largely avoided budget cuts, reflecting the importance organizations place on cybersecurity. The question is how CISOs will spend their money in 2025.
Gartner's information security budget forecast for 2025 foresees a marked increase in cybersecurity investments. Global spending in this sector is set to reach $212 billion, reflecting a 15.1% rise from 2024. This substantial growth means the board is taking notice and recognizing cybersecurity as a critical business enabler.
In addition, Gartner predicts that AI and generative AI (GenAI) will also fuel increased investments in security. The analysts said 17% of total cyberattacks will involve GenAI, which will require additional cybersecurity resources to defend against. This will lead to an expected 15% increase in security software spending.
The Cloud's the Limit
The forecast says next year's cybersecurity budget planning will continue to prioritize software and services, while application security, data security and privacy, and infrastructure protection will all remain areas of focus. Software currently represents about 35.9% of global cybersecurity budgets, with a strong focus on cloud-based solutions. For larger enterprises, this proportion can be as high as 39.4%.
The Cloud Security Alliance's (CSA's) Annual SaaS Security Survey Report: 2025 CISO Plans & Priorities also highlights the growing importance of SaaS security for entities that use SaaS applications. "For years, SaaS security has been an afterthought. However, the landscape depicted in this year's survey paints a dramatically different picture, one where SaaS security has surged to the forefront of corporate agendas," the CSA said.
The CSA survey revealed that a whopping 80% of firms are prioritizing SaaS security: 41% are making it a high priority, and nearly the same number (39%) a moderate priority.
Trimming the Tech Fat
Forrester agrees that a large share of the cybersecurity budget will be earmarked for software, which at over a third of spending surpasses allocations for hardware and personnel. This shift, the analysts said, highlights a challenge for CISOs in 2025: managing technology bloat.
This is because the cybersecurity vendor landscape is saturated with myriad tools and technologies, yet the industry suffers from a dearth of skilled professionals to manage them effectively. This adds to an already complex computing environment, with CISOs grappling with a sprawling mix of technologies and the need for integration and consolidation.
Looking ahead, Forrester said most security leaders anticipate continued budget increases in 2025 in the hope of keeping up with inflation and meeting emerging security challenges. However, merely adding new tools won't suffice. With increased budgets comes the expectation of demonstrating tangible value in security investments.
Therefore, CISOs will need to make strategic choices about where to invest, where to consolidate, and where to experiment with new solutions. This process will involve not only investing in innovative technologies but also divesting from outdated ones that no longer serve the organization's purpose.
Revenue-Driven Defense
Forrester also believes that next year, CISOs will need to prioritize security investments that directly impact revenue generation and mitigate advanced threats. Specific areas of focus include:
- API Security and Software Supply Chain: These areas are critical as they protect revenue-generating apps from increasingly sophisticated attacks. With many applications relying on third-party APIs and components, securing these is key for business continuity.
- Human Risk Management: Employees are the human firewall against cyber threats. By investing in skills and training platforms, CISOs can strengthen the organization's human layer of security. This investment also addresses the skills shortage in cybersecurity, giving the team the capabilities needed to manage complex security environments.
- Expanded Detection Surface: With the rise of the Internet of Things (IoT) and Operational Technology (OT), CISOs must focus on expanding their detection capabilities across the entire technology estate. Visibility into OT and IoT environments is essential for identifying and mitigating threats that could impact critical operations.
The Compliance Crunch
In 2024, global regulators introduced new policies and legislation focused on cybersecurity and privacy, particularly in areas like AI and third-party risk management. With 2025 around the corner, entities will be forced to adopt more proactive security measures to limit the financial and operational impacts of cyber events. This task will fall on the shoulders of the CISO, who will play a central role in navigating constantly evolving regulations and maintaining compliance.
Additionally, the rising costs associated with data breaches are expected to surpass regulatory fines, and Forrester predicts that breach-related class actions will become a significant financial burden for organizations. CISOs will need to work closely with legal and compliance teams to address these risks and build robust defense strategies.
In some cases, Forrester analysts expect that Western governments may even restrict entities from using certain third-party or open-source software over national security concerns, and companies will need to be more transparent about their software supply chains and even replace non-compliant components.
Charting the Course: What's Next for CISOs in 2025
As CISOs look ahead, simply managing cybersecurity threats is a thing of the past. They'll need to align their strategies with broader business objectives, prove the value of their security investments, and add to the bottom line.
How can they do this? By making clever, targeted investments, exploring emerging technologies, and ditching outdated solutions that are holding them back. If they do this, they can build resilient businesses that stay a step ahead of shifting threats.
Editor's Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.