Like a knuckle sandwich slowly forming in the hand of the overworked IT pro, security resources are tightening.
Growth of security spending budgets—and security staff—has lagged for the first time in five years, according to IANS Research. And money is more likely to go to tools than people, according to the report’s researchers.
“We are seeing incredibly small budget availability for staff and much more willingness to spend on tools than people,” Nick Kakolowski, senior research director at IANS, told us, referring to conversations he’s had with CISOs.
A 2024 Information Services Group survey, referenced in Forrester’s budget planning guide for 2025, revealed that software made up 35.9% of security budgets, while personnel made up 28.3%.
From 2020 to 2024, security budgets as a percentage of IT spending “grew steadily” from 8.6% to 11.9%. In 2025, the party slowed down, dipping for the first time in five years to 10.9% growth.
The IANS report, released in August, cites budget constraints across org departments, due to uncertainty caused by global market volatility, fluctuating inflation and interest rates, and unclear tariff policies.
“Cyber is not immune to macro conditions. Despite that, there’s still investment in the function,” Steve Martano, partner at Artico Search, which contributed to the IANS report, said.
“Most organizations have a baseline of security at this point, so the transformational days of having to really spend a lot on program build in terms of capex versus opex for most organizations: that’s already been done—not all organizations, but most,” he told us.
Staff changes.
- IANS found that security teams, like budgets, are growing, just less than they used to. The average growth rate of the size of security teams reached 7%, according to the newly published research—the lowest percentage increase in the past five years.
- Only 45% of CISOs were able to “add net new headcount,” a decline from 67% three years ago, and 51% in 2023.
- 47% of CISOs kept their team size flat in 2024.
Jill Knesek, CISO at financial operations platform BlackLine, shared in an email that budget growth “has slowed” for the company, “but not significantly.” Knesek shared that the company has invested in “cloud-agnostic security tools that provide a holistic view” of the company’s security posture, as well as products that automate software development and data collection for security audits.
“Leveraging automation, machine learning and AI capabilities will provide better efficiencies in our operations,” wrote Knesek. “This is allowing for the growth of our business while not requiring a like-for-like increase in security headcount.” Knesek noted that the company continues to add headcount “strategically.”
For CISOs and security pros facing tighter budgets and the same number of security threats, Martano recommends practitioners tie their security responsibilities to business needs.
“There’s an opportunity for an information security leader or a CISO to really take charge in the assessment of those products, and to really have a perspective on if and how those products maybe change a risk profile for an organization,” he said. “CISOs should have a voice in that room, and they should think of themselves as AI thought leaders internally. It would really be helpful to their career and would be helpful to their company.”