
Safeguarding Revenue and Minimizing Risks: CISO Budget Priorities for 2025

**Safeguarding Revenue and Minimizing Business Risks: Priorities for CISOs in 2025**

In the fast-paced world of cybersecurity, CISOs face the ongoing challenge of protecting business-critical IT assets while minimizing risks to revenue. As we approach 2025, it is crucial for CISOs to align their investments with business operations to prioritize threats and controls. Forrester’s latest budget planning guide for security and risk highlights the importance of application security, business-critical infrastructure, and human risk management. It also advises CISOs to invest in software supply chain security, API security, and IoT/OT threat detection, which are considered core areas for business operations.

**Cybersecurity as a Business Decision**

For CISOs, cybersecurity investments need to be considered as a business decision first and foremost. The report emphasizes the need for CISOs to make trade-offs on tools and spending to maximize revenue growth and achieve solid returns on investments. To achieve this, CISOs should evaluate their tech stacks and eliminate any app, tool, or suite that contributes to tech sprawl. By taking a conservative approach to introducing new technologies and vendors, CISOs can effectively manage their budgets and prioritize revenue gains.

**Budget Increases and Tech Sprawl**

According to Forrester’s 2024 Budget Planning Survey, 90% of CISOs expect a budget increase in the coming year. However, cybersecurity budgets currently only represent an average of 5.7% of IT annual spending, which is relatively thin considering the breadth of responsibilities that CISOs have. Forrester predicts that budgets will continue to increase, with 10% of CISOs anticipating an increase of more than 10%. To make the most of their budgets, CISOs must address the issue of tech sprawl, which is eroding budget gains. By eliminating unnecessary tools and vendors, CISOs can optimize their budgets and focus on investments that truly enhance security.

**Cloud Security, New Technology, and Security Awareness**

Cloud security, upgraded security technology, and security awareness and training initiatives are predicted to drive budget increases of 10% or more in 2025. The increasing adoption of cloud environments, platforms, and integrations has made cloud security a high priority for enterprises. As more organizations build internal platforms and apps across IaaS, PaaS, and SaaS, the need for robust cloud security measures continues to grow.

**Defending Revenue: APIs and Software Supply Chains**

Protecting revenue is a core responsibility for CISOs. Forrester’s budget planning guide suggests that hardening software supply chains and API security should be top priorities. Software supply chain incidents have become increasingly prevalent, with 91% of enterprises falling victim to such incidents in just a year. This underscores the urgent need for better safeguards in continuous integration/deployment (CI/CD) pipelines. Additionally, API security is crucial in today’s DevOps-driven environment. Enterprises must define an API security strategy that integrates directly into DevOps workflows and treats the CI/CD process as a unique threat surface.

**IoT Security: A Growing Concern**

The Internet of Things (IoT) continues to be a popular attack vector for cybercriminals. Industrial control systems (ICS) and the facilities that rely on them are particularly vulnerable. In 2024, 34% of enterprises that experienced a breach targeting IoT devices reported cumulative breach costs between $5 million and $10 million. Securing IoT devices is a significant challenge for organizations, with 93% facing difficulties in this area. Implementing a zero trust approach and following NIST’s guidelines for securing IoT devices are crucial steps in reducing the threat of breaches.

**Pragmatism in Budgeting**

The fragmented and technology-heavy cybersecurity vendor ecosystem calls for pragmatism in budgeting. CISOs need to trim back on tech sprawl and consolidate cybersecurity apps, tools, and suites. Cybersecurity should be seen as a growth engine, rather than just a deterrent. CISOs can elevate their roles by aiming to become CEO direct reports and even board members, guiding their companies through the complex threat landscape.

In conclusion, as we approach 2025, CISOs must prioritize safeguarding revenue and minimizing business risks. By aligning investments with business operations and considering cybersecurity as a business decision, CISOs can maximize revenue growth and achieve solid returns on their investments. Addressing tech sprawl, investing in cloud security, new technology, and security awareness, and focusing on API security and software supply chain protection are key strategies for CISOs in the coming years. Additionally, addressing IoT security risks and adopting a pragmatic approach to budgeting will help CISOs defend revenue and navigate the evolving cybersecurity landscape with confidence.
