
Guardrails After the Crash: A Curious Delay in Action
Despite high-profile data breaches and ransomware attacks, organizations are still slow to boost cybersecurity spending. It is an age-old tradition of worrying about the barn door only after the horse has escaped. The 2025 Security Budget Benchmark Report by IANS Research and Artico Search shows clear strain. Security leaders now face leaner budgets and rising threats, with little room to maneuver.
“Once again, we find that security budgets are not immune to macro conditions,” said Steve Martano, IANS Faculty and Partner at Artico Search. “The downstream effects of this are real and include reduced team morale, delayed or stalled initiatives, and a growing gap between the company’s risk appetite and operational security.”
Budget Growth Slows to a Crawl
Average security budgets grew just 4% in 2025. That’s a steep drop from 8% in 2024. It marks the slowest pace in five years. More than half of CISOs reported either flat or declining budgets. Healthcare and retail companies saw the deepest cuts. Financial services and tech showed moderate growth above 5%.
Macroeconomic pressure is driving caution. Inflation, interest rate shifts, and geopolitical tensions are leading to conservative spending. Security teams are feeling the brunt of this squeeze.
Security Left Behind in IT Spending Boom
IT spending jumped ahead, leaving security behind. Security now accounts for only 10.9% of IT budgets, down from 11.9% last year. That’s the first drop in five years. Companies are heavily investing in AI and cloud, while security teams must do more with less.
Revenue comparisons show a flatline. Security budgets as a share of company revenue held at 0.69%. Most companies increased revenue faster than they raised their security budgets.
Hiring Struggles Add to the Pressure
Staffing saw minimal gains. Security team sizes grew just 7% this year, the lowest increase in four years. Only 45% of CISOs added headcount. Hiring freezes and budget constraints remain widespread.
Nearly 90% of CISOs said their teams are either stretched thin or understaffed. The fallout includes project delays, lower morale, compliance risks, and an increased risk of security breaches.
Small teams suffer most. With fewer than 10 staff, they must cover a broad range of tasks. Larger teams also feel pressure, as complex environments demand more resources than current staffing allows.
Where the Money Goes: Cloud, IAM, and SecOps
When budgets increase, the funds go to priority areas. Cloud security, Identity and Access Management (IAM), and Security Operations (SecOps) are top choices. Smaller organizations focus on endpoint protection and cloud tools. Bigger companies invest more in IAM upgrades and zero trust models.
Overall, staff and compensation consume 39% of security budgets. Software takes 29%, and outsourcing gets 12%. Within software, SecOps receives the most funding at 16%. This shows its vital role in threat response and compliance.
Advice for Security Leaders
The report offers clear strategies for resource-limited environments. Align security plans with the company’s core business goals. Know what to protect. Focus on the most critical assets first.
Seek executive approval for delays when necessary. Be realistic with budget requests. Use sector-specific data and peer comparisons to justify needs. Automate where possible and optimize existing tools.
The report encourages CISOs to build consensus and explain trade-offs. Security leaders must show how budget gaps can raise real business risk.
Top Concern: Business as Usual While Risk Rises
Despite cyber threats ranking as a top-five business risk, security budgets remain in routine territory. Security is still treated like any other department. It’s subject to the same cost-cutting as marketing or HR.
Nick Kakolowski, Research Director at IANS, said security’s scope keeps expanding while budget increases lag. “This is challenging as security’s scope is rapidly increasing, putting pressure on CISOs to prioritize strategically and build organizational consensus around risk tolerances relative to budget availability,” said Kakolowski.