Enterprises are now spending more on security software and services than they are on staff, a radical shift in security budgeting that will transform the role of the CISO at many organizations, as well as the roles of remaining in-house staff.
Gartner predicts a 15% growth in security spending next year on software and services, partly fueled by adoption of AI technologies, from $184 billion this year to $212 billion by the end of 2025.
Security software markets such as application security, data security and privacy, and infrastructure protection will all grow substantially, while spending on cloud-native security products will take off, growing from $6.7 billion in 2024 to $8.7 billion in 2025.
At the same time, security services spending is expected to increase 15.8% to $86.1 billion. Security consulting services, security professional services, and managed security services are predicted to grow faster than the other security segments — an expansion driven by the long-standing global cybersecurity skills shortage as much as anything else, according to Gartner.
All this despite enterprise security budgets experiencing moderate increases of around 8%, with a third of CISOs reporting flat budgets or budgets in decline.
The end result? An evolving remit for CISOs and their teams, with a focus on strategic planning and integration over traditional day-to-day security tactics.
Cybersecurity workforce growth stalls
Among the key signals of changes ahead is the seeming deprecation of budgeting for in-house security staff.
The extent of the cybersecurity skills shortage was laid bare in preliminary findings from ISC2’s latest annual Cybersecurity Workforce Study. According to the cybersecurity professional certification organization, the global active cyber workforce has barely increased in the past 12 months, growing just 0.1% to reach 5.5 million worldwide even though the skills gap (like national budget deficits) rose 19% year on year to reach 4.8 million globally.
Two in five (39%) of the 16,000 cybersecurity professionals surveyed by ISC2 said a lack of budget was the top reason for cyber shortages, replacing the shortage of talent rationale commonplace in previous editions of the workforce study.
A quarter of respondents (25%) have observed layoffs (up 3% from 2023) and over a third (37%) have reported budget cuts (up 7% from 2023).
Hiring freezes and fewer promotions are becoming more commonplace despite the forecasted increase in security spending on software and services and the all-too-obvious imperative for CISOs to bolster cyber resilience in multiple sectors of the economy.
Shifting budget away from addressing the skills shortage has practical effects. The latest edition of IBM's annual Cost of a Data Breach Report found that more than half of all breached organizations are facing high levels of security staffing shortages.
Caught between a rock and a hard place, organizations are turning to managed services and external consultants to fill in the gaps, with third-party hacks and regulations on the rise, even as staffing levels stay the same — or worse, decrease.
One way to solve the budgeting portion of the equation, apparently, is to get hacked. A recent study from IANS Research found that security budgets tend to see the highest increase only after a breach or when there’s a big change in an organization’s risk appetite — evidence that enterprises are being reactive rather than proactive in their approach to cybersecurity funding.
Says Panayot Kalinov, former deputy head of IT turned senior software developer at Casinoreviews.net: “This puts CISOs in a tricky spot — how do you justify asking for more money or resources when nothing’s on fire yet?”
CISOs to shift to risk management and security orchestration
“Expected to do more with less,” CISOs are shifting their focus, Kalinov adds. “Instead of beefing up their internal teams, they’re focusing on risk management, regulatory compliance, and keeping C-suite executives aware of the evolving security landscape.”
James Neilson, SVP of international sales at cybersecurity vendor OPSWAT, believes the increasing allocation of security budgets toward software and services rather than staff reflects the CISO’s evolving role from managing internal teams toward becoming a more strategic, technology-driven leader.
“This trend also indicates that they’re taking on a more prominent role in risk management, ensuring that outsourced services complement internal capabilities while maintaining agility in response to evolving threats,” Neilson says.
As a result, security organizations are also undergoing a shift from traditionally siloed, in-house approaches toward a more integrated, outsourced, and technology-driven model, Neilson argues. This may mean hiring fewer but more specialized in-house professionals, including roles that oversee vendor management and strategy, as well as product integration, automation, and management, he says.
“Organizations increasingly rely on elements of external managed services and advanced automation tools to manage cybersecurity, focusing internal resources on understanding the business and its risks, defining higher-level strategy, oversight, and risk management,” Neilson contends.
AI changes the SOC game
That last bit about relying on advanced automation tools brings AI into the equation, as increased spending on software and services likely includes more money allotted to AI capabilities vendors are baking into their wares.
But AI is a double-edged sword, enabling enterprises to automate many security-related tasks while empowering threat actors to craft more convincing phishing lures and to scale up their attacks rapidly. And that is before counting the rising need to defend enterprise AI systems themselves, which many companies, in their rush to deploy them, are failing to harden.
Here, the cybersecurity shortage isn’t helping, says Aaron Rosenmund, senior director of content security and curriculum at online learning platform Pluralsight.
Rosenmund tells CSO: “The shortage of cybersecurity professionals is a well-known issue, with 71% of organizations having unfilled cybersecurity positions. This shortage leaves security teams understaffed and burned out, a problem exacerbated by the rise of AI.”
All told, AI is bringing several factors to bear on cyber teams, and CISOs’ strategies need to evolve to address them.
“[CISOs should] focus on upskilling your cybersecurity team in AI-based defense strategies, and leveraging AI to reduce the burden of their job will be beneficial,” Rosenmund argues. “Tasks like inbound message filtering, summarizing incident reports, process automation, and filtering bug bounty challenges can all be automated.”
Rosenmund continues: “Supporting employees with resources to stay informed on the way threat actors use AI and upskill on knowledge gaps will make for a more engaged and better-equipped team ready to defend against criminals.”
Shifting roles, hybrid orchestration
These collective changes mean that the role of the CISO in many organizations is shifting from a leader who builds and runs internal teams to more of an orchestrator who oversees and integrates the work of external vendors and service providers in conjunction with in-house staff.
By adopting a more hybrid approach — combining internal teams with external services — organizations can still successfully chart a path toward enhanced resilience and agility, assuming CISOs can get that orchestration right.
“In essence, the role of the CISO is becoming more strategic and collaborative,” says Jamie Beckland, CPO at security testing vendor APIContext. “CISOs must focus up and out — on contextualizing risk more effectively to their boards; and on maintaining strong relationships with partners and key suppliers.”
The continued shift toward software, services, and automation also means that internal staff can shift their focus to “higher-value tasks”, according to Martin Greenfield, chief exec of cybersecurity controls monitoring firm Quod Orbis.
“As organizations invest in AI-driven solutions and managed services, cybersecurity teams are liberated from mundane, repetitive tasks such as control testing, evidence gathering, and policy writing,” Greenfield tells CSO. “This strategic pivot allows CISOs to focus their teams on leveraging insights derived from automated systems, fostering a more proactive and data-driven approach to security.”
The long-term outlook on cyber staffing
Still, the shift away from in-house security work may have long-term impacts, Kalinov argues.
“In the long run, this approach raises some big questions about the future of cybersecurity careers,” Kalinov says. “If more money is funnelled into software and managed services, what happens to the talent pipeline?”
Kalinov adds: “Companies are investing in tech and external services to patch the gaps, but they can’t ignore the need for skilled staff.”
Beckland, however, argues that the increased reliance on managed services and security software doesn’t detract from the importance of in-house security professionals.
“With the shortage of qualified professionals, organizations find it more feasible to invest in external solutions that can be rapidly deployed and scaled,” according to Beckland. “This doesn’t diminish the importance of in-house teams but reshapes their focus towards oversight, strategic planning, and integration of these services into the organization’s broader security posture.”
Rick Holland, field CISO at threat intelligence firm ReliaQuest, agrees that outsourcing “monotonous, time-consuming tasks” can benefit in-house security staff, whose time is freed up to take on more engaging work.
“Instead of a ‘defence in depth’ strategy, many organizations have adopted an ‘expense in depth’ approach, where multiple controls overlap existing capabilities and remain partially implemented,” according to Holland.
Concurrently, Holland argues that resource and staffing constraints often lead to inefficient strategies, which only accelerate the need for enlisting outside help.
“Security teams, overwhelmed by daily threats, struggle to fully leverage their software,” Holland says. “These challenges are driving the demand for security services.”
CISOs at a crossroads
In the end, CISOs find themselves at a difficult crossroads.
“Building all of your own capabilities and expertise internally won’t scale for most businesses,” Marshall Erwin, CISO at Fastly, tells CSO. “At the same time, if a CISO relies too much on third parties, they will find they don’t have the security expertise needed to address the most critical incidents or challenges.”
Erwin advises CISOs to consider what expertise they need internally based on their specific risk profiles and appetites, and what capabilities and services they can rely on externally without putting their organizations at greater risk.
All in all, the changes underscore a role evolution for CISOs in which they must align security with business objectives while still keeping a pulse on day-to-day operations.
But they won’t be going it alone. Finding the right partners may be more important than ever.