The state of spending: What’s really happening inside security budgets right now

by Black Hat Middle East and Africa

Security budgets are tight – but they’re not standing still. A new benchmark from IANS and Artico Search shows where CISOs are protecting spend, where prices (not features) are driving costs up, and why consolidation and MSSPs are shaping the next budget cycle. 

The study (now in its sixth year) draws on 628 CISO responses collected between April and September 2025, with analysis positioned to be objective and vendor-neutral.

Here’s the lowdown. 

The headline numbers

After people, software is the next biggest line item – about 30% of the total security budget on average. That allocation isn’t flat across the board: it drops to 24% at the very largest enterprises (USD $20B+ revenue) and rises to 32% for firms in the $1.1B - $5B range, which lean harder on commercial tools to scale. In absolute terms, even mid-market organisations ($401M - $1B revenue) report approximately $1.3M in annual security software spend.

Where does that software money go? SecOps tools take the biggest slice (16%), followed by endpoint security, network security, cloud security and IAM. As organisations get larger, SecOps and IAM take a bigger share, while cloud security and GRC shrink proportionally – a reflection of legacy/on-prem realities in mature enterprises versus cloud-native patterns in smaller firms.

What’s pushing spend up (and where)

Not all growth equals new capability. In SecOps, endpoint and network security, price increases were a primary driver of higher spend for at least a quarter of CISOs – suggesting teams are sometimes paying more just to stand still. Meanwhile, GRC growth is most often about regulatory compliance, IAM/AppSec/Product Security growth is typically new tech adoption, and cloud security spend often rises with infrastructure expansion (think multicloud sprawl).

The report’s expert perspective from Dave Shackleford (IANS Faculty) flags a parallel shift: as organisations advance elements of zero trust, spend is concentrating around network, workloads and IAM – with a “next push” toward data security as posture management and integrated tracking/classification tools gain traction.

Consolidation is (still) in

Tool sprawl is a serious budget problem. About 70% of CISOs have consolidated multiple tools into one or more integrated platforms, or are in the process of doing so. A further 13% are planning to consolidate, and 22% of those already on platforms intend to expand them. For organisations that use platforms, they represent about 40% of the software budget on average. 

The pull factors are practical: efficiency, data integration for better detection/response, and bundled pricing. (In today’s market, platform vendors position themselves as ecosystems rather than point tools.)

But it’s not uniform. Very small firms sometimes lack resources to make the leap, and very large enterprises often keep best-of-breed mixes (and the integration muscle to support them). Even so, the overall curve bends towards simplification in a constrained year.

MSSPs: most programmes, selective offloading

Roughly two-thirds of security programmes use one or more MSSPs, with adoption especially common in the $1.1B - $5B band. Typical offloaded areas include threat detection and response, endpoint protection, and network security monitoring – places where 24/7 coverage and tooling depth matter. 

And the trade-offs are familiar. There’s access to expertise and speed on one side; dependence and potential visibility/control gaps on the other. As Shackleford cautions in the study, even with MDR/MSSP in the mix, “there’s still a need for in-house skills and technology mastery,” and over-reliance can become a future constraint.

What this means for CISOs going into budget season

  • Protect the core. The data shows spend concentrating where it directly influences detection, response and access – SecOps, IAM, endpoint, network, cloud. That’s where budgets are most defended, and where price pressure is most acute.
  • Interrogate increases. If a category’s costs are rising, first ask whether it’s price inflation or capability expansion. The benchmark indicates many teams are paying more to maintain the status quo in SecOps/endpoint/network.
  • Consolidate with intent. Platform moves can reduce agents, consoles and contracts, and the bigger ROI often comes from operational savings (fewer dashboards, simpler integrations) rather than licence discounts alone. Keep best-of-breed where platforms lag (niche domains), but avoid duplicate coverage.
  • Be selective with MSSPs. Use providers to scale and cover the clock, but preserve triage and playbook ownership where it’s strategically important – and plan to retain core skills in-house.
  • Tie spend to outcomes. The report’s recommendations emphasise tiering vendors by criticality, negotiating bundles/multiyear deals, and linking purchases to revenue protection, compliance or risk reduction – not features.

The bottom line is that budgets are tighter, but not frozen. The centre of gravity sits with SecOps and access control, while consolidation continues (carefully), and MSSPs remain a mainstream lever. 

If you can convert licence dollars into operational savings and sharper detection/response, you’ll be aligned with where (and why) leading programmes are actually spending. 

