Cybersecurity spending is beginning to slow this year, with average security budgets growing 4% year over year, just half of the recorded growth in 2024 and the lowest rate in five years.
That's according to the 2025 Security Budget Benchmark Report released by IANS Research and Artico Search, which surveyed more than 580 chief information security officers (CISOs) across multiple industries throughout the US and Canada. Many CISOs confessed they are grappling with flat or reduced budgets, indicating a growing challenge in the industry.
These changes are fueled by geopolitical tensions, tariff policies, and changing inflation and interest rates. In response, companies are becoming more cautious, refraining from spending and hiring, leading to resource constraints that "are likely to set off a cascading series of events, ultimately elevating business risk and increasing the likelihood of compliance gaps," the researchers wrote.
"Nearly all CISOs reported security teams are understaffed or low on staff, citing hiring and budget constraints as the primary cause," said the researchers. "They also noted staffing shortages led to delays and cancellations of security initiatives."
Budgets are lowest in industries like healthcare, professional and business services, retail, and hospitality. However, budget growth in financial services, insurance, and tech remained above 5%.
The CISOs of companies in industries that are experiencing growth are prioritizing spending on cloud security solutions and identity and access management (IAM) enhancements, as well as SecOps automation and zero-trust architectures.
Some organizations that are not experiencing growth are turning to AI to fill the gaps, having it take on work that would ordinarily be done by entry-level security professionals so that more senior analysts can focus on higher-value work. But this isn't a long-term solution, as it requires significant investment and leaves a future generation of analysts without entry-level technical skills.
"The downstream effects of this are real, and include reduced team morale, delayed or stalled initiatives, and a growing gap between the company's risk appetite and operational security," said Steve Martano, IANS faculty member and partner at Artico Search.
Moving forward, the researchers recommend that organizations ensure their security initiatives are relevant and effective, and that they use their limited resources strategically so that their organization's risks get appropriate attention.