Technology bulge challenges CISOs

Unlike other technology leaders, chief information security officers (CISOs) have largely avoided budget cuts, motivated by a mixture of regulatory pressures, customer expectations and cyber insurance requirements.

Surprisingly, more than a third of security budgets are allocated to software today, leaving hardware and personnel expenses at the bottom, pointing to a significant challenge that many CISOs face: technological bloat, says the study ‘Budget Planning Guide 2025: Security And Risk’, published this month by Forrester.

Looking ahead to 2025, most security technology decision-makers expect budget increases. And the resources will be earmarked mainly for three main areas:

1 – Strategic investments to increase security

As we look ahead to 2025, CISOs are encouraged to increase budgets in areas that affect revenue generation and help mitigate evolving threats. Here’s where we recommend focusing:

• API and software supply chain security: Protect the applications that generate revenue
• Human risk management: Protecting the people who run your company
• Skills and training platforms: Empower your professionals
• Expanded detection surface: Include OT and IoT devices for total visibility

2 – Exploring emerging technologies

The dynamic nature of cyber threats requires the implementation of emerging cyber security technologies. Here are the areas ready for experimentation in 2025:

• Exposure management and quantification of cyber risks
• Post-quantum security
• Data lake security
• AI and ML safety

3 – Replacing outdated solutions

As cyber security evolves, certain once-essential solutions are failing to adapt. It’s time to say goodbye to technologies that no longer effectively combat adversaries’ tactics, techniques and procedures.

Security professionals and vendors often characterise cyber security as an ‘arms race’, and rightly so. Defenders improve, attackers evolve and the cycle repeats itself. Unfortunately, many cyber security solutions that organisations still rely on have failed to keep up with the cyber security arms race and, as a result, need to be decommissioned in favour of solutions that better meet their current and future threat models and control requirements.

By investing strategically, experimenting with emerging technologies and discarding outdated solutions, CISOs will be able to stay ahead of the curve and prove the value of their security investments.

After all, like any C-level, security and risk leaders haven’t come through the recent macroeconomic headwinds without facing budgetary challenges. But a combination of increased regulatory pressure, higher customer expectations and cyber insurance requirements has meant that CISOs have avoided the belt-tightening that many of their fellow technology leaders and executive board colleagues have faced.

Guys, another important point

The rapid adoption of emerging technologies in organisations is generating a shift in security and risk skills requirements, from the one-off knowledge assessments that most cyber security certifications offer to demonstrable and verifiable skills and experience.

As organisations face an increase in untested talent and a reduction in mid-career professionals, the need to verify the necessary skills through practical laboratories as part of the hiring process is fundamental.

‘The lack of employees with security skills was a key challenge in many organisations,’ explains Forrester analyst Jess Burn. ‘Investing in technology rather than training only widens the skills gap, as professionals struggle to keep up with learning new tools rather than developing proficiency in key domains.’