Cybersecurity Budgets Grow According to Infosecurity Europe Survey

Cybersecurity budgets are on the rise. According to Infosecurity’s 2025 Cybersecurity Trends Report, there is set to be an average growth rate of 31% over the next 12 months.

Whilst three-quarters of organisations expect their budgets to grow, 20% anticipate increases of over 50%.

This is a significant increase on 2024, when average expected budget increases were 22%.

The growth of investment in cybersecurity is multifaceted and is being driven by the threat from daily cyber-attacks, the reputational damage organisations may face because of a cyber-incident and the constantly changing regulation landscape.

Speaking to Infosecurity, Jon Davies, Infosecurity Europe Advisory Board Member and Director – Cyber at KPMG, cautioned that a budget increase does not always make an organisation more cyber resilient.

“Although more budget allows CISOs and security leaders more flexibility, it is the return on investment that counts; are you spending it on tools, people or processes and where is the money best spent? If that money is spent on the next best shiny tool but basics like cyber hygiene are not fixed, then the organisation’s level of resilience will not improve. Prioritising budget and having a holistic view of security programmes will make any size of budget more impactful,” he said.

Companies with 500-999 staff and those with 5,000-9,999 staff expect even higher budget increases, 41% on average.

Just over 7 in 10 (71%) believe they have the budgets required to ensure their organisation is cyber-safe, another 18% said their budgets were nearly enough and 8% said they don’t have the funding they need to cover what they want. The remaining 2% hadn’t yet costed their needs.

Investment priorities include application security, network security, cloud security and DevSecOps, as organisations strive to stay ahead of evolving threats.

“Application and network security might be seeing greater investment due to an increase in perceived risk, even if the risk itself may have always been there,” said Davies.

Infosecurity found that both application and network security were set to receive on average a 34% increase in investment.

He noted that application and network risks have been amplified by the increase in software-as-as-a-service capabilities, add-ons and self-build apps. There has also been a lack of through-life management to mitigate the risks posed by these platforms. The focus, he said, has been on sprints and deployments instead.

“The risk also increases if these applications have an externally exposed surface and lack the monitoring by security teams, or business, if they have been deployed from unapproved sources. So, organisations are seeing a need to mitigate some of those risks,” Davies said.

Broken down by sector, those operating in finance and banking were found to be more focussed on cloud security, those in manufacturing more focussed on network security and those in retail/wholesale more focussed on threat intelligence. 

“Where investment is prioritised will vary by sector. Highly regulated sectors are more likely to have to make investments to improve their cyber capabilities to meet regulatory requirements, but they are also more susceptible to attacks,” Davies commented.

“These sectors are more likely to bring in third parties for audit, maturity assessments and improvements where the in-house cyber teams are stretched with day-to-day activities and need external support to improve their cyber resilience.”

Businesses are aware of the need for a well-resourced cybersecurity program, as has been reflected by the increases in budget being allocated to this endeavour.

However, a budget increase is not a silver bullet in the face of daily cyber-attacks. It is incumbent on CISOs and cybersecurity practitioners to prioritise these budgets correctly in order for the financial injection to be impactful.

“It’s about spending any budget in the right way and making sure that spend covers people, processes and technology, and ensuring that the investment is sustainable,” Davies said. “Greater budgets allow more freedom and ability to spend in the right places but do not directly relate to being less susceptible to cyber-attacks.”

It's not necessarily about how much you spend, but where. Smart, strategic investment is the only way to turn budget increases into tangible security gains.

For this research, Infosecurity surveyed 231 cybersecurity professionals between 26 November 2024 and 3 December 2024. 

ADVERTISEMENT

Enjoyed this article? Make sure to share it!

Looking for something else?