We have just published our latest report for 2025. It’s all about how CISOs and CIOs are approaching investments in cybersecurity this year. The research looks at investment priorities overall (across 24 areas), plus takes a deep dive into four focus areas. The focus areas this year are applications, cloud platforms and services, identity, and data. Feel free to get a copy if making decisions around cybersecurity strategies and investments is in your wheelhouse.
The data comes from a survey of 268 CISOs and CIOs in the United States, at organizations with more than 1,000 employees. This is the second time we’ve run this research program. The first program was run in 2023, and this program builds on and extends our earlier research.
The key takeaways from this research are:
- Cybersecurity driven by changing threat response calculus
Increasing prices for cybersecurity insurance, the growing use of AI in cyberattacks, software supply chain compromise, and return-to-office mandates for employees are the top trends and challenges driving how CISOs and CIOs approach cybersecurity in 2025. All force a reevaluation of how best to address current and emerging threats. - Cloud infrastructure security, cybersecurity talent availability, and control and
ethical processing of data top the priority stack
Out of 24 potential investment areas for cybersecurity, two thirds of organizations assigned the highest priority to cloud infrastructure, internal cybersecurity talent, and compliant data processing. They see weaknesses in their current posture that are misaligned with where they want to be and are investing the resources to do something about it. - Budgets continue to rise, showing resilience across economic cycles
Almost all organizations have received a higher budget for cybersecurity over the previous two years, and most believe they could put even more budget to productive and effective use. - Strong risk management disciplines make a significant difference
Organizations with higher efficacy in managing the business risks associated with key cybersecurity areas such as applications, cloud, and identities show much higher commitment to address security weaknesses and are spending accordingly. Being able to see what is and isn’t happening drives change. - Organizations must do the work to understand their priorities
Investment priorities for any given organization must be set within the context of their current posture, real-world threat data, and known areas of concern (and unknown areas of weakness). This is the fundamental work that cybersecurity decision-makers and influencers must coordinate.
This research was sponsored by BIO-key International, OpenText, and Salt Security.
If your firm provides cybersecurity solutions AND you would like to spread this research to your customers and prospects, please get in contact to talk about licensing options.