
A recent study conducted by 451 Research, a part of S&P Global Market Intelligence, examines organizations’ information security budgets and spending plans. It examines spending directionally, asks participants to note planned increases or decreases, and breaks that down by spending areas including people, hardware, SaaS and related categories, as well as by security product category. It also asks respondents to identify their key pain points this year, their strategic objectives in information security, and the differing importance of preventive and proactive security controls in their architecture.
The Take
Nearly all surveyed organizations (92%) plan to increase information security spending in 2025, with a projected 27% average increase, versus only 5% expecting a budget decrease. Among those increasing budgets, 57% expect an increase in the 1%-25% range, with the lower end representing maintenance spending, as simply maintaining security posture year over year requires some increased spending. About a third (35%) are well north of that range, reflecting project-level spending to enhance information security capabilities.
This year’s figure is similar to the average projected increase of 30% in 2024, but the allocation of spending is shifting. Results of the recent organizational behavior study, also conducted by 451 Research, a part of S&P Global Market Intelligence, indicate that the pace of hiring has moderated, from 37% adding security staff in 2022 to 18% today. Budgeting for labor is mixed: 21% of those reducing information security spending are decreasing people costs, while 18% of those increasing security spending are spending more on people. About 15% are decreasing spending on security hardware, versus 5% increasing. Meanwhile, 28% are increasing budget for cloud security, with only 6% reining that spending in.
Summary of findings
In addition to 21% of respondents projecting a significant increase in cloud security spending, top areas of significant budget increase include data security (18%), network security (13%) and application security (10%). The addition of managed security services (MSS) was the most frequently cited change to security teams in the prior organizational behavior study, but spending plans in this area are mixed: 11% of respondents note a planned decrease in MSS spending, while 17% project an increase.
Given cloud security’s prominence as an area of increased spending, it follows that cloud security (21%) is the most cited information security pain point. Unlike in prior years, there is almost no deviation on this point based on company size. Securing the cloud — often multiple clouds — has become a universal challenge. Likewise, cloud platform expertise is the skill cited as most inadequately addressed in enterprise security teams. Among pain points, data privacy (18%) comes in second, as many organizations must navigate a complex web of regulatory controls. Third is securing generative AI (GenAI), including its use within enterprises and security testing for the custom applications enterprises are building for their workforce and customers. This category first appeared in the year-ago survey, and it has remained among the top citations with the explosive growth of GenAI use.
Planned strategic objectives do not map perfectly to pain points — they can sometimes be a lagging indicator as strategy development and implementation take time — but we can draw some links. Just over a quarter (27%) of organizations note they are implementing or improving data security initiatives, corresponding to the projected increase in spending. A similar proportion (25%) are prioritizing security awareness training. Strategic plans to improve security analytics (23%) and application security (23%) round out the top four, followed closely by securing cloud infrastructure (21%).
Security controls may be preventive (automatically blocking attacks before they can occur), responsive (monitoring for attacks and facilitating corrective action) or proactive (detecting potential issues, such as with vulnerability assessment). Security professionals surveyed cite all three categories as very important, but preventive controls (66%) edge out both responsive (61%) and proactive (58%). Automated blocking allows security professionals to narrow down the universe of potential problems that require human investigation and remediation. With resource constraints as a perennial issue for internal security teams, these controls continue to rate highly.
This content may be AI-assisted and is composed, reviewed, edited and approved by S&P Global in accordance with our Terms of Service.