Forrester CISO Budget Priorities for 2025 Focus on APIs and Supply Chain Security

As we enter 2025, CISO budgets must focus on securing revenue and minimizing business risk, and prioritize investments aligned with business operations.

Forrester latest safety and risk budget planning guide explains that securing business-critical IT assets should be a priority for the next yr. “The budget increases that CISOs receive in 2025 should prioritize addressing threats and controls related to the security of business-critical applications, people, and infrastructure,” Forrester writes in the report.

CISOs must double down on threats and controls to achieve rights to application security, secure business-critical infrastructure, and improve human risk management. Forrester considers software supply chain security, API security, and IoT/OT threat detection as critical business enablers and advises CISOs to take a position in these areas.

Driving profits by protecting emerging digital businesses while keeping IT infrastructure secure on a tight budget is a proven path to profession advancement for CIOs.

Approach cybersecurity first and foremost as a business decision

The most useful takeaway from Forrester’s planning guide is that cybersecurity investments must first be considered a business decision. Key findings and guidelines in the report highlight how and why CISOs must make trade-offs between tools and spending to maximise revenue growth while generating solid returns on investment.

Forrester urges chief information security officers (CISOs) to take a close look at any application, tool, or technology stack that contributes to technology proliferation and remove it from their technology stacks as they add recent technologies.

Here are some key takeaways from Forrester’s guide to budgeting for security and risk:

• 90% of chief information security officers will see their budget increase next yr. Cybersecurity budgets average just 5.7% of annual IT spending. That’s not much, considering how broad the CISO’s role is in protecting recent revenue streams and strengthening infrastructure. Forrester cites its 2024 Budget Planning Survey in the guide, predicting that budgets will proceed to grow over the next 12 months. Ten percent anticipate a 10%-plus increase over the next 12 months. A third expect a 5% to 10% increase, and nearly half expect a modest 1% to 4% increase. Just seven percent of budgets will remain the same, and just three percent anticipate budget cuts in 2025.

• Take control of technology growth now. Tech growth is the silent killer of budget gains, Forrester warns. CISOs, on average, see just over a third of their budgets come from software, doubling what they spend on hardware and outpacing their personnel costs, in keeping with a recent ISG study“To combat the real problem that already plagues security leaders—technology bloat—we recommend a cautious approach to introducing new tools and vendors, guided by this pragmatic principle: Don’t add something new without first getting rid of something else,” Forrester writes in the report.

• Cloud security, improved on-premises security technology, and security awareness and training initiatives are expected to extend security budgets by at least 10% in 2025. Interestingly, 81% of security technology decision makers predict that their cloud security spending will increase in 2025, with 37% expecting a 5% to 10% increase and 30% expecting a 10% increase. The high priority given to cloud security reflects the critical role that cloud environments, platforms, and integrations play in the overall security posture of enterprises. As more enterprises adopt and build in-house platforms and applications across IaaS, PaaS, and SaaS, cloud security spending will proceed to grow.

Revenue Defense Starts with APIs and Software Supply Chains

A fundamental a part of every CISO’s job is finding recent ways to guard revenue, especially with digital-first initiatives, and enterprise DevOps teams are working additional time to implement them this yr.

Here are their suggested priorities from the report:

Strengthening the software supply chain and API security is a must. Arguing that complexity, variety, and the variety of attack surfaces are spreading across software supply chains and API repositories, Forrester emphasizes that security is urgently needed in these two areas. Staggering 91% enterprises suffered software supply chain incidents in just one yr, underscoring the need for higher security for continuous integration/deployment (CI/CD) pipelines. Open-source libraries, third-party development tools, and legacy APIs created years ago are just a few of the threat vectors that make software supply chains and APIs more vulnerable to attacks.

Malicious attackers often try to compromise widespread open source components, as the Log4j vulnerability illustrates. Defining an API Security Strategy that integrates directly with DevOps workflows and treats the continuous integration and continuous delivery (CI/CD) process as a unique threat surface is table stakes for any enterprise currently adopting DevOps. API detection and response, remediation policies, risk assessment, and API usage monitoring are also urgent for enterprises to higher secure this potential attack vector.

IoT sensors remain a magnet for attacks

The Internet of Things (IoT) is the hottest attack vector used by attackers to focus on industrial control systems (ICS) and the quite a few processing plants, distribution centers, and manufacturing centers that use them every day. CISA continues to warn that nation-state entities are targeting sensitive industrial control assets and today three recent warnings about industrial control systems were published by the agency.

Forrester’s Top IoT Security Trends for 2024A 2019 study published earlier this yr and covered by VentureBeat found that 34% of enterprises that experienced IoT device breaches were more more likely to report total breach costs of $5 million to $10 million in comparison with organizations that suffered cyberattacks on non-IoT devices.

“In 2024, the potential for IoT innovation is nothing short of transformative. But with opportunity comes risk. Every connected device is a potential entry point for a malicious actor.” I’m writing Ellen Boehm, Senior Vice President of IoT Strategy and Operations at Key factorIn its latest report on IoT security, Digital Trust in a Connected World: Navigating the State of IoT SecurityKeyfactor found that 93% of organizations struggle to secure their IoT and connected products.

“We’re connecting all these IoT devices, and all of those connections create vulnerabilities and threats. I think for OT cybersecurity, I would say the value and the stakes in general may be even higher than for IT cybersecurity. When you think about the infrastructure and the types of assets we’re protecting, the stakes are pretty high,” Kevin Dehoff, president and CEO Honeywell Combined Enterprisehe told VentureBeat in an interview last yr.

“Most customers are still learning about the state of things in their OT networks and infrastructure. And I think there will be some awakening. We provide real-time visibility into OT cyber threats,” Dehoff said.

Providing zero-trust protected access to IoT devices is fundamental to reducing the risk of breaches. National Institute of Standards and Technology (NIST) provides NIST Special Publication 800-207which is ideal for securing IoT devices, given the emphasis on securing networks where traditional perimeter security fails to handle the challenge of protecting every endpoint.

Pragmatism must dominate CISO budgets in 2025

“Too many tools, too many technologies, and far too few people remain a common problem in the fragmented, technology-driven cybersecurity vendor ecosystem,” Forrester warns.

Treating cybersecurity spending as a business investment is a priority. Forrester believes its clients must adopt more of this, given how this message is emphasized throughout the guide. The message is intended to curb the technology sprawl they previously conveyed about the must consolidate cybersecurity applications, tools, and stacks.

It is time for cybersecurity to be funded as a driver of growth, not only as a deterrent.

Chief Information Security Officers (CISOs) can balance the scale by trying to elevate their role to a CEO with a direct report and, ideally, a seat on the board to assist their corporations navigate an increasingly complex threat landscape.