Security leaders are being asked to do more with less in 2025. While overall security budgets remain under pressure, new benchmark data shows that software commands a significant share of resources.

According to our 2025 Security Software and Services Benchmark Report, software represents the next largest allocation of spending in security budgets following staff and compensation, accounting for about 30% of the overall budget on average across company sizes. (See Figure 1.) As part of the 2025 CISO Compensation and Budget Research Study, conducted by IANS and Artico Search, we gained insights into the current state of security software within enterprise security programs. The sixth annual edition of the survey was conducted from April through August 2025, collecting data from 628 CISOs on security software, integrated platforms, solutions, and MSSPs.

Figure 1

While this figure varies by company size, the amount of budget allocated to software remains significant across businesses. For instance, larger enterprises often invest more in internal resources, customer-built solutions, and specialized services—rather than off-the-shelf software. Also being larger, these companies often have more bargaining power with their vendors. Still, software investments from companies of all sizes can often represent million-dollar expenditures and tens of millions for larger enterprises.

READ MORE:  What are the Top Security Budget Spend Priorities?

How CISOs Allocate Security Software Budgets

Security leaders are prioritizing fundamental categories with broad security impact, focusing on security operations tools. For instance, CISOs commit the largest share (16%) of software budgets, followed closely by endpoint security (12%), network security (11%), cloud security (11%), and identity and access management (IAM) software (10%).

“As more organizations have embraced various elements and aspects of Industry Zero Trust models, we’ve seen increases in spending on solutions that help organizations tackle one or more pillars of zero trust controls and governance,” says Dave Shackleford, IANS Faculty member. “For most, that starts with network, workloads, and IAM, which has driven spending in these areas, but the next major push will be in data security as DSPM [data security posture management] tools and integrated tracking and classification tools like Microsoft Purview gain traction.”

Also, as organizations grow, software spending patterns can change. For instance, larger organizations typically have more endpoints, users, and systems to secure, which can require advanced software tools to protect against threats. These larger organizations also have increased regulatory requirements and a broader attack surface, driving them to allocate more resources to SecOps and IAM software. Smaller organizations often outsource functions such as SecOps, which is cost-efficient and requires a slightly smaller share of the software budget.

DOWNLOAD NOW:  2025 Security Budget Benchmark Summary Report

What are the Top Security Growth Areas

The research revealed CISOs are prioritizing software investments in foundational areas that offer broad security impact. The top three growth categories—SecOps, cloud security, and IAM—reflect a focus on improving detection and response, securing expanding cloud environments, and managing user access in hybrid work settings. (See Figure 3.)

Figure 3

These areas of investment are critical for maintaining visibility and control across complex, distributed infrastructures. These figures suggest that organizations are doubling down on core, high-impact areas that enable visibility, control, and scalability across complex environments, while deprioritizing investments in more specialized tools. 

READ MORE:  Security Budgets Under Pressure: How CISOs Navigate Tight Budget Constraints

Top Reasons for Increased Security Spending

CISOs in this research offered various reasons for increased spending in specific categories, ranging from new technology adoption, price increases, and threat risks. (See Figure 4.)

“For most organizations, the tools and controls in place to facilitate governance and compliance initiatives may only require a new module or license expansion to accommodate better reporting and risk management around updated compliance initiatives,” Shackleford says. “When it comes to rapidly changing technology areas such as IAM and AppSec, many organizations discover they need new tools and services like CIAM and improved WAF services to properly meet security requirements. With cloud, it’s usually a matter of sprawl where CISOs realize they can’t cover the threat landscape (especially in multicloud) with current tooling and capabilities.”

Several key factors are driving sustained investment in critical security areas, even as overall budgets remain flat. These include vendor price increases, adoption of new technologies, growing regulatory and compliance pressures, and cloud expansion. As a result, categories like SecOps, cloud security, and IAM continue to receive a larger share of security spending, as the risks associated with underinvestment are deemed too high.

Figure 4

Download our 2025 Security Software and Services Benchmark Report—and gain access to valuable insights and practical strategies for managing vendors and MSSPs, especially during periods of budget constraints.

Take our CISO Comp and Budget Survey in less than 10 minutes and receive career-defining data and other valuable insights and data sets.

Security staff professionals can take our 2025 Cybersecurity Staff Compensation and Career Benchmark Survey.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.