Making smart cybersecurity spending decisions in 2025

December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.

Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from USD 183.9 billion to USD 212 billion. Security services lead the way for the segment expecting the most spending growth, with security software coming in second and network security as the third area of growth.

“The continued heightened threat environment, cloud movement and talent crunch are pushing security to the top of the priorities list and pressing chief information security officers (CISOs) to increase their organization’s security spend,” said Shailendra Upadhyay, Senior Research Principal at Gartner in a recent press release. “Furthermore, organizations are currently assessing their endpoint protection platform (EPP) and endpoint detection and response (EDR) needs and making adjustments to boost their operational resilience and incident response following the CrowdStrike outage.”

While spending decisions and increases are likely due to many different reasons, Gartner points to two main reasons for the predicted increase.

• Generative AI: Garter said that because of organizations using Generative AI, they will need to take additional steps to secure their environment. The IBM Framework for Securing Generative AI lays out five steps: Securing the data, securing the model, securing the usage, securing AI model infrastructure and establishing sound AI governance. Many organizations will need to purchase additional software, such as application security, data security and privacy and infrastructure protection, due to the increased use of generative AI.
• The global skills shortage: Many organizations are facing a skills shortage where they do not have the in-house talent to manage their cybersecurity needs. As a solution, many are hiring help to reduce their risks, such as security consulting services, security professional services and managed security services. Gartner points to the costs of these services as a driving factor in high predicted spending, making services a high-growth area of cybersecurity.

Instead of simply making a single line item on your organization’s budget that encompasses cybersecurity, accurate budgeting starts with breaking out all of the components of an effective cybersecurity program.

Consider the following in your budget:

• Labor costs: Besides salaries for all full-time employees, consider any additional services you need to purchase. For example, outsourcing penetration testing falls into this line item. Additionally, consider if you need to hire managed services for any portion of your cybersecurity.
• Technology: Think about all types of software needed, which includes antivirus, encryption tools and firewalls. Consider if you will be using generative AI for cybersecurity as well as additional tools needed to protect the organization from attacks on generative AI tools used for daily business tasks. Be sure to also include hardware costs, such as any infrastructure upgrades needed to run any new technological tools, especially generative AI.
• Training: Many organizations only consider the budget for training and certifications for their cybersecurity staff. However, be sure to allocate funds for cybersecurity training for the entire organization. By thinking outside the box and setting aside sufficient funds, you can make a big impact in reducing cyberattacks caused by employee errors.
• Incident Response: After a breach or attack happens, organizations need funds to contain the breach and manage the response. Costs that often occur include legal fees, PR firms, overtime, data breach notification, identity theft protection and loss of revenue.

While many organizations consider business disruption and potential risk when creating their cybersecurity budget, many overlook how the budget impacts the cybersecurity team.

The ISACA State of Cybersecurity 2024 and Beyond found that 66% of cybersecurity professionals stated their role is more stressful. Not surprisingly, the top reason (81%) stated was that the threat landscape is increasingly complex. However, the budget being too low (45%) tied for second with worsened hiring retention challenges and staff not being skilled/trained.

The report found that more than half (51%) felt that their budgets were underfunded, an increase from 47% sharing that sentiment in 2023. Additionally, only 37% expect that their budgets will increase in 2025. Adding to the stress, only 40% had a high confidence that their team was prepared to handle a cyberattack. While at the same time, 47% expect a cyberattack on their organizations.

As business leaders are working on budgets, here are some ways to reduce employee stress related to the 2025 budget.

• Include your hands-on cybersecurity team members in the budget discussions. When employees feel that their perspectives and ideas are heard, they are less likely to be resentful. Additionally, they can see first-hand the tradeoffs involved in budgeting as well as the impact of each decision on other line items. 
• Ask employees to share their current challenges. By starting with understanding their problems, you can then use these issues to drive the budget decisions. If team members jump to the technology solutions, steer them back to first discussing the problems.
• Have your cybersecurity team research and get estimates. Once you move to the solution portion of budgeting, ask cybersecurity team members to research tools and get estimates. Since they will be the ones using the tools on a daily basis, getting their buy-in on specific solutions can help increase satisfaction as well as improve the accuracy of the budget.
• Show team members the draft budget. Budgeting often means making hard decisions. By showing the team the draft budget and asking for their input, they feel heard and also can see the tradeoffs that are necessary as part of the budgeting process.

While the increase in cybersecurity spending is a positive trend overall, the most important thing is how companies use their higher investments. By making the right choices for your specific organization, you can reduce risk while also improving employee satisfaction.