
Forrester's 2025 CISO budget priorities focus on API and supply chain security

By 2025, revenue protection and business risk mitigation should be at the center of CISOs’ budgets, with business-focused investments being the priorities.

Forrester's latest Security and Risk Budget Planning Guide makes it clear that securing business-critical IT resources should be a high priority next year. “The budget increases CISOs receive in 2025 should prioritize addressing threats and controls within the areas of application security, human resources, and business-critical infrastructure,” Forrester writes in the report.

CISOs must double down on threat and control efforts to get application security right, secure business-critical infrastructure, and improve human risk management. Forrester considers software supply chain security, API security, and IoT/OT threat detection to be core to business operations and advises CISOs to invest in these areas.

For CISOs, achieving revenue growth by protecting new digital business lines while maintaining IT infrastructure security on a tight budget is a proven way to advance their careers.

Treat cybersecurity primarily as a business decision

The key takeaway from Forrester's planning guide is that investing in cybersecurity should be viewed first and foremost as a business decision. The report's key findings and guidelines underscore how and why CISOs must make trade-offs on tools and spend to maximize revenue growth while achieving a solid return on their investments.

Forrester urges CISOs to take a close look at any apps, tools, or suites that contribute to technology sprawl and eliminate them from their tech stack when adding new technologies.

Key insights from Forrester’s Security and Risk Budget Planning Guide include:

  • 90% of CISOs can expect a budget increase next year. Cybersecurity budgets average only 5.7% of annual IT spending. That's paltry considering how extensive a CISO's role is in protecting new revenue streams and strengthening infrastructure. Citing its 2024 Budget Planning Survey in its guide, Forrester predicts that budgets will continue to rise over the next 12 months. Ten percent expect an increase of more than 10 percent over the next 12 months. A third expect an increase between 5 and 10 percent, and nearly half expect a modest increase between 1 and 4 percent. Only seven percent of budgets will remain unchanged, and only three percent expect reduced budgets in 2025.
  • Control technology sprawl now. Forrester warns that technology sprawl is the silent killer of budget gains. According to a recent ISG study, CISOs on average spend just over a third of their budget on software. That's twice as much as their hardware and staff costs. “To combat the real problem that already plagues security leaders – technology sprawl – we recommend a conservative approach to introducing new tools and vendors with this pragmatic principle: Don't add anything new without eliminating something else first,” Forrester writes in the report.

  • Cloud security, new on-premises security technologies, and security awareness/training initiatives are expected to increase security budgets by 10% or more in 2025. Specifically, 81% of security technology decision makers predict that their cloud security spending will increase in 2025, with 37% expecting a 5-10% increase and 30% expecting a greater than 10% increase. The high priority of cloud security reflects the essential role that cloud environments, platforms and integrations play in the overall security posture of organizations. As more organizations adopt and develop internal platforms and apps across IaaS, PaaS and SaaS, cloud security spending will continue to grow.

Revenue protection starts with APIs and software supply chains

A key part of every CISO's job is finding new ways to secure revenue, especially with regard to the digital-first initiatives that enterprise DevOps teams are working overtime to implement this year.

Here are the proposed priorities from the report:

Strengthening software supply chain and API security is a must. Forrester argues that the complexity, variety, and volume of attack surfaces in software supply chains and API repositories are increasing, and stresses that security is urgently needed in these two areas. A daunting 91% of companies have fallen victim to software supply chain incidents in only one year, highlighting the need for better protections for continuous integration/deployment (CI/CD) pipelines. Open source libraries, third-party development tools, and legacy APIs created years ago are just a few of the threat vectors that make software supply chains and APIs more vulnerable.

Malicious attackers often attempt to compromise widely used open source components, as the Log4j vulnerability shows. Defining an API security strategy that integrates directly into DevOps workflows and treats the continuous integration and continuous delivery (CI/CD) process as a single threat surface is a must-have for any organization practicing DevOps today. API detection and response, remediation policies, risk assessment, and API usage monitoring are also urgently required for organizations to better secure this potential attack vector.

IoT sensors remain a magnet for attacks

The Internet of Things (IoT) is the preferred attack vector used by attackers to target industrial control systems (ICS) and the many processing plants, distribution centers, and manufacturing centers that depend on them every day. CISA continues to warn that state actors are targeting vulnerable industrial control facilities, and today the agency published three new industrial control systems advisories.

Forrester's Top Trends in IoT Security in 2024, published earlier this year and reported on by VentureBeat, found that 34% of companies affected by an attack on IoT devices were more likely to report cumulative costs between $5 million and $10 million from the attack than companies that experienced cyberattacks on non-IoT devices.

“In 2024, the potential of IoT innovation is nothing short of transformative. But with the opportunities come risks. Every connected device represents a potential access point for a malicious actor,” writes Ellen Boehm, Senior Vice President of IoT Strategy & Operations for Keyfactor. In its latest IoT security report, Digital Trust in a Connected World: Overview of the State of IoT Security, Keyfactor found that 93% of organizations face challenges in securing their IoT and connected products.

“We're connecting all these IoT devices, and all of those connections are creating vulnerabilities and risks. I’d say that with OT cybersecurity, the overall value and risks could be even higher than with IT cybersecurity. Considering the infrastructure and the types of assets we're protecting, there's quite a lot at stake,” Kevin Dehoff, President and CEO of Honeywell Connected Enterprise, told VentureBeat during an interview last year.

“Most customers are still learning the state of their OT networks and infrastructure. And I believe there will likely be some awakening. We provide a real-time view of OT cyber risk,” Dehoff said.

Protecting IoT device access through Zero Trust is a must to reduce the risk of security breaches. The National Institute of Standards and Technology (NIST) offers NIST Special Publication 800-207, which is well suited to securing IoT devices because of its focus on securing networks where traditional, perimeter-based security cannot meet the challenge of protecting every endpoint.

Pragmatism must dominate CISO budgets in 2025

“Too many tools, too many technologies, and nowhere near enough staff continue to be the problem in a fragmented and technology-heavy cybersecurity vendor ecosystem,” warns Forrester.

Viewing cybersecurity spending first and foremost as a business investment is a priority that Forrester is clearly focusing on with its clients, as this message is emphasized throughout the guide. The message is to curb technology sprawl, something Forrester has previously expressed around the need to consolidate cybersecurity apps, tools, and suites.

It is time to fund cybersecurity as an engine of growth and not only as a deterrent.

CISOs can strike a balance by looking for opportunities to elevate their role to one where they report directly to the CEO and, ideally, serve on the board of directors, helping to steer their organization through an increasingly complex threat landscape.
