Research from IANS Research and Artico Search finds that cyber budgets have reached the lowest growth rate in five years, with only 47% of CISOs reporting a budget increase this year (down from 62% in 2024).

According to the research, the average security budget rose by only 4% year-over-year. For context, the average budget rose by 8% year-over-year in 2024. 

While budgets may be slowing, cyberattacks are not. With AI-driven attacks and geopolitical tensions, cyber threats remain a challenge for CISOs and their teams.

Devin Ertel, Chief Information Security Officer at Menlo Security, remarks, “Cyberattacks are getting riskier and more frequent every day, putting CISOs squarely in the hot seat to keep organizations safe. And it’s no longer simply about the technology anymore. CISOs are expected to be risk managers, business strategists, budget balancers, and boardroom communicators, all rolled into one. This amplified accountability, combined with a cybersecurity talent shortage, has raised the value of experienced CISOs significantly.”

Slimmer budgets lead to less adequate staffing, the report suggests. As cyber budgets become smaller, a mere 11% of CISOs report being sufficiently staffed. 89% report being stretched thin or unstaffed, which can lead to greater cyber threats for an organization. 

Cybersecurity Effectiveness in an Era of Decreased Budgets

Bruce Jenkins, Chief Information Security Officer at Black Duck:

The effectiveness of a cybersecurity program is, in my opinion, fundamentally independent of its budget size. While a larger budget can facilitate the acquisition of sophisticated tools and dedicated staff to streamline measurement processes, core effectiveness measures remain universal. Every cybersecurity leader, whether managing a $4 million or a $40 million budget, should prioritize the consistent measurement of these critical risk areas:

• Threat Detection and Response: Quantifying the speed and efficacy of identifying, containing, and remediating security incidents.
• Patch Management: Assessing the percentage of systems and applications that are up-to-date with the latest security patches.
• Security Awareness Training: Evaluating the human element's resilience through metrics like phishing click-through rates and incident reporting rates.
• Identity and Access Account Management: Monitoring the adoption of strong authentication and the regularity and thoroughness of access reviews.
• Data Backup and Recovery: Verifying the integrity of backups and the success rate of data recovery operations.
• Asset Configuration Compliance: Ensuring that systems and devices adhere to established secure configuration baselines.
• Cyber Framework Audit Health: Measuring adherence to recognized cybersecurity frameworks (e.g., NIST CSF, ISO 27001, CIS 18) and the resolution of audit findings.

These measures provide tangible insights into cyber program posture, regardless of the financial resources deployed. 

Ultimately, a truly effective cybersecurity program should translate into tangible business benefits, such as improvements in customer trust and increased customer renewal rates. This direct link to business value inherently strengthens the CISO's position and, ideally, leads to stable or even increased cybersecurity budget allocations and appropriate compensation adjustments.

Justifying cybersecurity investments to C-level executives and the Board requires demonstrating clear business value. This can be achieved through two primary approaches:

1. Linking Security to Business Growth: Articulate how cybersecurity initiatives directly contribute to improvements in customer trust, increased renewal rates, and the enablement of new business opportunities. Presenting metrics that correlate security program elements with these positive business outcomes provides a compelling argument for stable or increased cyber spend.
2. Demonstrating Averted Danger and Cost Avoidance: Quantify the danger averted by showcasing the cyber organization's success in thwarting attacks. Metrics illustrating the number of prevented breaches, mitigated risks, or reduced downtime provide a clear return on investment through cost avoidance, justifying investments in tooling, personnel, and processes.