The expansion of security budgets has slowed, indicating the end of rapid growth in the sector, according to a survey of 755 CISOs.
The report, conducted by IANS Research in collaboration with Artico Search, found that while the average budget increase now stands at 8%, up from 6% in 2023, growth was modest compared to the significant growth rates of 16% in 2021 and 17% in 2022.
A notable portion of organizations is seeing little to no budget change, with a quarter of CISOs reporting flat budgets and 12% facing cuts.
In cases where budgets are growing, external pressures such as cybersecurity incidents, breaches and the rising risks tied to AI adoption are often key drivers.
Internal factors, including company growth, mergers and acquisitions, also play a role in driving these increases.
Meanwhile, staff expansion within security teams has significantly slowed, with growth dropping from 25% in 2023 to just 12% this year.
More than a third of CISOs report maintaining a consistent headcount, reflecting a cautious approach to hiring.
Despite this measured growth, security spending continues to outpace both overall IT expenditures and revenue growth.
Over the past five years, the share of IT spending allocated to security has risen from 8.6% to 12.4%, while security budgets as a percentage of revenue have grown from 0.50% to 0.72%, underscoring the increasing importance of cybersecurity within organizations.
Another recent survey found CISOs are struggling to manage cybersecurity effectively due to a lack of strategic support from other C-suite executives.
Nick Kakolowski, senior research director at IANS Research, said given the slowdown in security budget growth, organizations should follow a few key best practices to maximize the effectiveness of their current IT security spending.
“Aligning with the business is the closest thing to a silver bullet,” he said. “There is no one-size-fits-all solution in security.”
He explained that information security teams that understand how security can smooth the path to business growth and reduce organizational risk tend to be the most satisfied with their budget situation, almost regardless of how their budgets are changing.
“The continued digitization of everything is creating an environment in which security is intrinsically tied to business growth strategies,” Kakolowski said. “We expect security budgets to increase as a result.”
However, as security normalizes as a cost of doing business, he said he expects budget growth to continue largely at an incremental pace; the days of large groups of businesses racing to catch up on security spend after a big breach are starting to fall into the rearview mirror.
He added that cross-functional collaboration is essential in getting ahead of emerging areas of risk.
“CISOs are increasingly asked to own areas of digital risk that the business doesn’t fully understand,” Kakolowski said.
Bringing together cross-functional stakeholders to develop an informed, shared view of how to govern issues like AI adoption allows infosec to lead and inform those risk conversations without taking on the unrealistic burden of owning risk that belongs to the business.
As security staffing growth slows, Kakolowski said CISOs should be looking to implement strategies to maintain a strong security posture with a consistent or reduced headcount.
“The first thing: Take great care of the people you have,” he said. “Invest in their development, give them long-term growth opportunities, and think about how you care for the whole human, not just the employee.”
He pointed out security is stressful work and has far-reaching implications on employees’ lives.
“From there, we’re seeing increased interest in automation and investment in broad security platforms that can unify a range of functions under a single toolset to reduce day-to-day management overhead,” Kakolowski said.
From his perspective, security risk is a business risk and should be treated as one.
“Forecast growth opportunities, model risks, perform cost analysis, and make sure governance leaders understand the risks and can make informed decisions on how to guide the business,” he said.
He added that although the “what to do” is simple, the “how to do it” is something the industry is still wrestling with.
“Just two examples include issues, including risk quantification and a pressing need to educate the C-suite and boards on core cyber principles,” Kakolowski said.