After years of steady growth and increasing executive visibility, enterprise cybersecurity programs are facing a period of financial constraint fueled by global market volatility and fluctuating inflation.

According to the newly released IANS Security 2025 Budget Benchmark Report, developed in partnership with Artico Search, security leaders are contending with stagnant budget growth, a reversal in IT-to-security spending ratios, and a continued slowdown in staffing expansion. To obtain a thorough assessment of the current state of security budgets and staffing, IANS and Artico Search conducted their sixth annual CISO Compensation and Budget Research Study from April to August 2025, gathering data on security budget and staffing trends from 587 CISOs.

These shifts mark a departure from the trends that defined the post-pandemic recovery years, and they come at a time when cyber threats are becoming more complex, persistent, and resource-intensive to defend against.

DOWNLOAD NOW: Security Budget Benchmark Summary Report

Security Budget Growth Falls to 4%

A key takeaway from the report is that average annual security budget growth dropped to 4%, a sharp decline from 8% in 2024 and the lowest growth rate in five years. Just 47% of CISOs reported an increase in their security budgets this year, down significantly from 62% last year and 78% in 2022. Even more concerning, a majority (54%) now report flat or shrinking budgets, reflecting the deepening impact of macroeconomic volatility on cybersecurity investments. (See Figure 1.)

Figure 1

CISOs in healthcare, professional and business services, and retail and hospitality were most likely to report flat or reduced budgets, as these industries face higher levels of financial pressure stemming from global economic uncertainty, inflation, and sector-specific instability. Some industries—such as financial services, insurance, and technology—fared better, with security budget growth rates remaining above 5%. However, even among these better-positioned sectors, few are immune to the resource allocation challenges that are emerging as companies reassess spending priorities.

These data points indicate a shift in how security programs are being positioned within organizations. While cyber risk remains a board-level concern, it is increasingly being weighed against a broader set of operational and financial demands.

“Once again, we find that security is not immune to macro conditions. Most CISOs are not receiving budget increases despite security typically being identified in the top five risks for companies,” said Steve Martano, IANS Faculty and partner in Artico Search’s cyber practice.

LEARN MORE: Security Budget Benchmark Summary Report

Another significant finding in this year’s data is the drop in security budget as a percentage of IT spend, which fell from 11.9% in 2024 to 10.9% in 2025. This one-point drop breaks a five-year trend in which security was steadily commanding a larger share of overall IT resources.

This reversal signals a rebound in broader IT investments, particularly in areas such as AI and cloud infrastructure, which are absorbing larger portions of organizational technology budgets. Overall IT spending is picking up, but security isn’t benefiting proportionately, according to the data. (See Figure 4.)

Figure 4

A couple of factors could be driving the shift. First, many organizations are returning to large-scale investments in core IT modernization efforts that were delayed during the economic uncertainty of 2023. Second, some companies—particularly those in highly regulated industries—have already made their major foundational security investments in identity and access management (IAM), endpoint protection, and compliance. For these organizations, security spending is beginning to level off.

Still, this spending shift might not align with the real-time threat landscape. The tools and platforms purchased during prior growth cycles still require ongoing tuning, integration, and support—functions that become harder to fulfill as budget ratios shrink and headcount growth slows.

READ: Security Budget Benchmark Summary Report

Staffing growth also slowed this year, dipping to just 7%—the lowest level recorded in the past four years. Only 45% of CISOs were able to add headcount in 2025, down from 51% in 2023 and 67% three years ago. Nearly half (47%) reported flat team sizes, while the remainder experienced reductions. (See Figure 11.)

Figure 11

The report notes that only 11% of CISOs believe their security teams are adequately staffed. More than half (53%) reported that they are either somewhat or severely understaffed, and more than one-third (37%) report being “stretched thin.” (See Figure 13.)

This widespread understaffing creates a ripple effect across the organization. CISOs cite project delays, cancelled initiatives, and increased compliance risk as direct consequences of personnel constraints. Additionally, lean teams are more prone to burnout, which can lead to attrition, knowledge loss, and reduced morale—challenges that are difficult to solve without additional hiring flexibility.

Interestingly, many CISOs indicated that while they may be able to secure budget for new tools, they lack the staffing to utilize them fully.

"We continue to hear that CISOs have budget for tooling but not for staff increases, which leads to teams not being staffed adequately to take advantage of a tool’s full capabilities. As AI capabilities create efficiencies in repeatable tasks, more team members are able to find the time to utilize a platform’s capabilities,” Martano said.

Figure 13

CISOs Navigating a Constrained Budget Future

The findings from the 2025–2026 IANS Security Budget Benchmark Report reveal that CISOs are operating in an environment in which financial caution is overriding growth, even as threats continue to evolve. Budget growth is tapering, IT priorities are shifting, and security teams are being asked to deliver more without additional resources.

For CISOs, this means more efficient use of tools, greater reliance on automation, and increased efforts to build resilience with constrained inputs. Security may no longer be a budgetary exception—it’s now part of the broader organizational effort to do more with less.

Download our Security Budget 2025 Benchmark Summary Report—and gain access to these and other valuable insights and guidance to overcome budget obstacles.

Take our CISO Comp and Budget Survey in less than 10 minutes and receive career-defining data and other valuable insights and data sets.

Security staff professionals can take our 2025 Cybersecurity Staff Compensation and Career Benchmark Survey.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.