Cyber Security Budgets Decline: Managing Risks Amid Rising Threats and Staffing Challenges
Cyber Security Budgets Hit Five-Year Low While Threats Escalate
Budget Decline Amid Rising Threats
Cybersecurity budgets have reached their lowest growth rate in five years, with only 47% of Chief Information Security Officers (CISOs) reporting budget increases in 2025, down significantly from 62% in 2024, according to new research from IANS Research and Artico Search.
The average security budget increased by just 4% year-over-year, half of the 8% growth seen in 2024. This decline comes at a critical time when organizations face mounting challenges from AI-driven attacks and heightened geopolitical tensions. Organizations must carefully consider how to optimize their cybersecurity budget allocation for maximum impact.
Staffing Crisis and Operational Challenges
The budget constraints have created significant staffing challenges across the cybersecurity sector. An alarming 89% of CISOs report being either stretched thin or understaffed, with only 11% indicating adequate staffing levels. This ongoing shortage of cybersecurity talent puts business continuity at significant risk.
"Cyberattacks are getting riskier and more frequent every day, putting CISOs squarely in the hot seat to keep organizations safe," says Devin Ertel, Chief Information Security Officer at Menlo Security. "It's no longer simply about the technology anymore. CISOs are expected to be risk managers, business strategists, budget balancers, and boardroom communicators, all rolled into one."
Maintaining Effectiveness with Limited Resources
Despite budget constraints, cybersecurity leaders are finding ways to maintain program effectiveness. Bruce Jenkins, Chief Information Security Officer at Black Duck, emphasizes that security program success isn't solely dependent on budget size. Organizations must strategically invest in cybersecurity measures that align with business objectives.
He outlines several critical areas that require consistent monitoring:
- Threat detection and response capabilities
- Patch management efficiency
- Security awareness training effectiveness
- Identity and access management
- Data backup and recovery systems
- Asset configuration compliance
- Cyber framework audit health
According to the National Institute of Standards and Technology, organizations should focus on measuring and optimizing existing security programs rather than solely pursuing new investments. Two strategies remain essential: prioritizing the critical security measures that provide the most significant risk reduction, and developing clear metrics that link security initiatives to business growth and cost avoidance.
This article underscores the growing challenge organizations face in maintaining robust cybersecurity programs amid budget constraints. While the current trend shows decreased funding, the importance of effective security measures remains paramount in an increasingly threatening digital landscape.