Intelligent CISO Issue 92 | Page 27

Feature

Here are three key areas of expense CISOs must budget for in 2025/6:
• Salaries and benefits, training, Managed Security Service Providers (MSSPs) and consultants: These remain the largest portion of a cybersecurity budget (around 35–37% for large enterprises). The demand for skilled cybersecurity professionals continues to outpace supply, driving up compensation. Investing in ongoing training for existing staff is crucial to keep up with new threats and technologies, including specialised training for areas like cloud security, AI security and incident response. Many organisations, especially smaller and mid-market ones, will continue to rely on MSSPs for continuous monitoring, incident response and access to specialised expertise. Consultants are also budgeted for specific assessments, strategy development and technology integration.
• Cloud security, AI and machine learning security, extended detection and response (XDR) and SASE: As cloud adoption accelerates, significant investment is needed in Cloud Access Security Brokers (CASB), Cloud Workload Protection Platforms (CWPP) and Cloud Security Posture Management (CSPM) solutions. With the rise of AI-driven attacks, CISOs are prioritising investment in AI-powered security tools for threat detection, response and automation, including securing AI agents and employees' use of AI tools. Integrated XDR and SASE platforms offer a unified approach to threat detection and response, improving visibility and streamlining operations, in line with the move away from disparate standalone tools.
• Incident response planning platforms, testing and validation, and cyber insurance: Dedicated incident response platforms, automated detection, incident tracking and post-incident analysis tools are integral to minimising the impact of cyber incidents. Regular penetration testing, red teaming and continuous security validation tools are crucial to assess the effectiveness of security controls and identify vulnerabilities before they are exploited. The cost and requirements of cyber insurance continue to influence security investments, as organisations aim to meet policy criteria and mitigate financial risk.
tight – it delivers real insight and immediate value by validating risks and enabling effective remediation.
With solutions like Invicti, DAST is not just about detection – it's about actionable proof. Using proof-based scanning, vulnerabilities are verified automatically to minimise false positives and help teams act faster.
DAST can also reveal gaps that static analysis can't reach, including logic flaws and runtime misconfigurations. When integrated into CI/CD workflows, it supports scalable security across the development lifecycle without adding friction.
Platforms that prioritise risk over noise
Instead of layering on more scanning tools, organisations benefit from consolidating around intelligent, risk-focused platforms. For example, Invicti's unified AppSec platform offers a combination of automated discovery, API security testing and predictive risk scoring – all designed to streamline prioritisation and reduce waste.
As attackers get smarter, tools need to match their sophistication. This includes identifying exploitable flaws, automating validation and giving developers the context they need to fix issues fast.
Strategic clarity for today's CISO
CISOs must now blend technical fluency with financial acumen. Security cannot afford to be a black box – leaders must articulate where dollars are going and how they translate to reduced exposure. Reports from Splunk emphasise that executive stakeholders are increasingly looking for risk alignment and transparency in security spending.
By focusing on the highest-value tools and aligning investments with real-world risks, CISOs can make the case for AppSec as a strategic enabler – not just an insurance policy.