The 2025 Security Budget Benchmark Report from IANS Research and Artico Search paints a clear picture - even in a constrained financial environment, CISOs are making deliberate, high-impact spending choices. Security leaders are prioritizing functions that deliver operational resilience, regulatory compliance, and improved response capabilities.

According to the newly released IANS Security 2025 Budget Benchmark Report, developed in partnership with Artico Search, security leaders are contending with stagnant budget growth, a reversal in IT-to-security spending ratios, and a continued slowdown in staffing expansion. To obtain a thorough assessment of the current state of security budgets and staffing, IANS and Artico Search conducted their sixth annual CISO Compensation and Budget Research Survey from April to August 2025, gathering data on security budget and staffing trends from 587 CISOs.

READ MORE: Security Budgets Under Pressure: How CISOs Can Navigate Tight Budget Constraints

Staff and Tools Command the Largest Slice of Security Budgets

Staff and compensation continue to dominate budget allocations at 39%, reaffirming that skilled talent is still your program’s most valuable asset. Software follows at 29%, with outsourcing at 12%. These proportions have remained stable over the past five years, but the breakdown of software spend is evolving—and that’s where the strategic shifts are happening. (See Figure 6.)

Figure 6

DOWNLOAD NOW: Security Budget Benchmark Summary Report

Security Software Spend: SecOps and IAM Take Priority

Within software budgets, SecOps leads at 16%, reflecting its central role in detection, response, and compliance activities. Endpoint security is a close second at 12%, with network security and cloud security each receiving 11% of the allocation.  IAM is also becoming a priority, with nearly all CISOs owning identity programs outright—a significant shift from just five years ago. (See Figure 8.)

Spending patterns change with organization size:

• Larger enterprises invest more in SecOps and identity and access management (IAM), while maintaining on-premises software and hardware to support legacy systems.
• Smaller, cloud-native firms allocate more to cloud security and GRC, reflecting their lighter reliance on legacy platforms.

“Responsibility and ownership of IAM programs is a prime example of CISOs’ increased scope. Five years ago, most CISOs did not have direct accountability and ownership of identity programs; today, nearly all CISOs have that under their remit. IAM is an area of investment for most programs, with an increased share of software budget going toward IAM programs YOY,” said Steve Martano, IANS Faculty and partner in Artico Search’s cyber practice.

Figure 8

Practical Guidance for Tight Security Budgets

For CISOs facing flat or limited budget growth, aligning security strategy to business priorities has never been more critical.

Tying your roadmap directly to enterprise growth initiatives, market expansions, or M&A activity makes it far easier to defend and grow funding. Strategic prioritization is equally important—protecting the organization should take precedence, with less critical initiatives deferred until resources allow. These trade-offs must be communicated in clear business terms so executives understand the impact. Finally, CISOs can often unlock more value from their existing stack by leveraging automation and underused tool features, freeing resources to address coverage gaps that can’t wait for the next budget cycle.

This year’s data confirms what many security leaders are already seeing: while growth is slowing, priorities are becoming more precise. SecOps, IAM, and cloud security remain the pillars of modern security programs, with spending strategies increasingly shaped by organizational maturity and infrastructure realities. By aligning investments with business objectives and optimizing the use of existing resources, CISOs can maintain resilience—even when financial flexibility is limited.

Download our Security Budget 2025 Benchmark Summary Report—and gain access to these and other valuable insights and guidance to overcome budget obstacles.

Take our CISO Comp and Budget Survey in less than 10 minutes and receive career-defining data and other valuable insights and data sets.

Security staff professionals can take our 2025 Cybersecurity Staff Compensation and Career Benchmark Survey.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.