The Great Cybersecurity Budget Expansion: Leaders Prioritize Defense Amid AI Threats


The Great Cyber Budget Boom: 99% of Leaders Are Increasing Security Spend

A near-universal 99% of security leaders plan to increase cybersecurity budgets over the next two to three years, according to the 2025 KPMG Cybersecurity Survey. Most leaders (54%) anticipate significant spending increases of 6% to 10%, marking a pivotal shift as cybersecurity evolves from an IT cost center to a critical business imperative.

"A 99% increase in cybersecurity budgets isn't a spending trend—it's an admission," said Dr. Eric Cole, cybersecurity expert and author. "Leaders now understand that cyber risk is business risk, and ignoring it is no longer survivable." This unprecedented investment surge comes as organizations face increasingly sophisticated AI-powered threats that have fundamentally altered the security landscape.

Organizations wrestling with developing effective cybersecurity budget frameworks find themselves at a critical inflection point, balancing tactical needs against strategic objectives.

AI threats driving investment priorities

The primary catalyst behind this financial revolution is the rapid emergence of AI-driven threats. Advanced tools have dramatically lowered barriers to entry for sophisticated attacks, creating new challenges for security teams.

According to the survey, security leaders are most concerned about:

  • AI-powered social engineering and targeted attacks (55%)
  • AI-enhanced malware and ransomware (50%)
  • Automated phishing attacks (49%)

Only 35% of leaders rate their defenses as highly effective against AI-powered social engineering, revealing a critical confidence gap. This lack of readiness is accelerating budget commitments as organizations recognize they must out-innovate offensive capabilities.

"AI didn't just accelerate attacks—it erased the skill barrier," noted Dr. Cole. "When anyone can launch a sophisticated campaign, defense must evolve from reactive tools to predictive intelligence."

Col. Cedric Leighton, CNN Military Analyst and U.S. Air Force (Ret.), emphasized broader implications: "Cyberattacks are now often part of a greater pattern of hybrid and asymmetric warfare—like what Western and Central European nations are experiencing right now. Cyber vigilance and cyber resilience go hand in hand."

The survey highlights that while AI presents serious threats, it's also becoming an essential defensive tool. Seventy percent of organizations already dedicate more than 10% of their security budgets to AI-related initiatives, implementing it for fraud prevention (57%), predictive analytics (56%), and enhanced detection capabilities (53%).

As the threat landscape evolves, small and mid-sized businesses face unique challenges in adopting enterprise-level protections. Comprehensive cybersecurity strategies for small businesses must balance resource constraints with increasingly sophisticated protection requirements.

Strategic spending and talent crisis

Despite increased budgets, security leaders face the challenge of investing strategically rather than simply spending more. The survey reveals organizations are prioritizing three core areas:

  1. Data Security and Privacy remains the top investment priority
  2. Identity and Access Management (IAM)
  3. Cloud Security

Organizations are specifically focusing on adaptive authentication, risk-based access (54%), and AI-powered identity analytics (46%). This strategic shift acknowledges that identity has become the new security perimeter in cloud-first, AI-driven environments.

The budget boom is exacerbating the industry's persistent talent shortage, with 53% of leaders citing a lack of qualified candidates as a high-impact challenge. To address this crisis, security leaders are employing multiple strategies:

  • Nearly half (49%) are increasing compensation and investing in internal training
  • 42% are partnering with external specialists to gain expertise
  • 45% are relying on Managed Security Service Providers (MSSPs) to fill operational gaps

Tammy Klotz, CISO at Trinseo, highlighted the complexity: "Security leaders are tasked to rationalize their toolkit, minimize duplication of capabilities, advance protection with new technologies, provide defense in depth, and oh yeah…manage their spend accordingly. Not an easy feat by any means."

Kip Boyle, vCISO at Cyber Risk Opportunities LLC, cautioned that increased spending doesn't automatically translate to improved security: "The budget numbers are impressive. But there's a deeper story here: 99% of leaders plan to spend more. Despite that, only 35% feel confident they can stop AI-powered social engineering. That's a big gap."

Return on Security Investment Metrics

Organizations making substantial cybersecurity investments require clear metrics to demonstrate value. Strategic approaches to cybersecurity investment increasingly incorporate quantifiable ROI measures such as:

  • Reduction in mean time to detect (MTTD) and mean time to respond (MTTR)
  • Decreased incident frequency and severity metrics
  • Business operational continuity measurements during attack scenarios
  • Compliance cost reductions through automated controls and monitoring

These metrics help security leaders communicate value beyond traditional "prevention of bad outcomes" narratives that have historically made ROI difficult to quantify.

Implications for cybersecurity vendors and services

The spending surge creates both opportunities and challenges for cybersecurity vendors. With budgets under scrutiny, organizations are seeking efficiency through consolidated, integrated solutions across multiple security domains rather than point solutions.

David DellaPelle, Co-Founder & CEO at Dune Security, observed: "As budgets grow, tolerance for complexity is shrinking. Security leaders want fewer platforms that integrate seamlessly, not more point solutions that add operational drag."

For vendors to capitalize on increased spending, they must:

  1. Demonstrate platform value through unified solutions that reduce complexity
  2. Implement meaningful AI capabilities that deliver tangible outcomes, not just marketing hype
  3. Address the talent gap by bundling technology with expert services

VJ Viswanathan, CEO at TORQE, noted the architectural shift required: "Success requires more than just reactive tools; it demands a strategic architectural shift toward inline, proactive detection, build resilience—a shift that has moved this risk discussion to a permanent topic at the Board table."

Ram Varadarajan, CEO at Acalvio, emphasized the escalating threat landscape: "The recent Chinese state-sponsored attack against thirty simultaneous targets using autonomous AI agents marks the beginning, not the apex, of this threat. A single AI controller made thousands of requests per second, operating at speeds physically impossible for humans."

According to recent data from Gartner's Security and IAM Solution Adoption Trends, organizations now manage an average of 76 different security tools, with enterprises struggling to integrate disparate solutions effectively. This fragmentation creates significant operational inefficiencies that new investments aim to address through platform consolidation.

How to leverage these insights

Security professionals can apply these findings by:

  1. Conducting an honest assessment of their organization's readiness against AI-powered threats
  2. Prioritizing investments in fundamental security capabilities like identity management and data protection
  3. Developing strategic partnerships to address talent gaps while upskilling internal teams

Bruce Jenkins, CISO at Black Duck, emphasized that justifying cybersecurity investments requires demonstrating clear business value: "Linking Security to Business Growth: Articulate how cybersecurity initiatives directly contribute to improvements in customer trust, increased renewal rates, and the enablement of new business opportunities."

Matt Lee, Security and Compliance Senior Director at Pax8, noted: "These AI systems aren't about replacing security professionals; they're about giving overwhelmed teams the additional resources they desperately need to stay on top of threats."

The historic surge in cybersecurity spending marks a fundamental recognition that security has become a critical business function. For security leaders, it presents an unprecedented opportunity to transform defense capabilities while aligning security with core business objectives in an increasingly AI-driven threat landscape.
