2 hours Ago
Insights from Chris Dimitriadis , Chief Global Strategy Officer, ISACA. As enterprises continue to refine 2025 planning and budgeting, chief information security officers, chief information officers and other technology leaders face critical decisions about what to prioritize to drive progress in their organizations. According to ISACA’s 2024 State of Cybersecurity research, budgets being too low is tied for second as a source of rising stress for cybersecurity professionals, yet only 37% of organizations plan to increase their security budgets in the new year.
Given the wide array of nice-to-haves when it comes to upgrading people, tools and technologies, zeroing in on the most important priorities—given finite budgets—isn't an easy exercise for security leaders but a necessary one. Top Five 2025 Budget Priorities Here are five budget considerations that I believe should be top of mind for CISOs and other security leaders as they finalize 2025 planning: This Viral Smart Bassinet Is 30% Off With The Snoo Black Friday Sale The 50 Best Black Friday Deals So Far, According To Our Deals Editors 1. Team Training Keeping professionals up to date in a rapidly changing environment is key for generating value, especially in organizations that are constantly trying to innovate through digital technologies.
Although individual professional development is certainly worthwhile, collectively training your security group with team training can be even more impactful. Don't underestimate the value of your entire team having a shared understanding of what security concepts are most important to the business, how to approach threats and security incidents with organizational discipline and having a common business language with which to communicate with colleagues. Another benefit is that by training the entire team, you're deepening your bench of professionals who are capable of moving into different roles and putting the team in a sturdier position when it comes to business continuity when attrition inevitably occurs.
2. Supporting Professional Certifications There's been progress among academic institutions in recent years in adding programs in cybersecurity and related fields, but most university graduates are still entering the workforce with sizable gaps in their preparedness for cybersecurity roles. Attaining a professional certification in cybersecurity and related fields, such as risk management and data privacy, can go a long way toward filling those gaps from academia or even serving as an alternate pathway for a cybersecurity career for those who didn't pursue a university degree.
Additionally, some credentials can help technical practitioners take the next step in their careers to prepare for transitioning to roles such as information security manager or other leadership positions. Enterprises would be wise to support professionals who are looking to become certified, as it's a win-win for the professional and their employer, especially when retention becomes challenging. 3.
Attending Industry Conferences And Events The event landscape has evolved considerably since the pandemic, with more virtual conferences than ever, but whether in-person or virtual, sending team members to leading industry security conferences remains a solid investment. Not only are there typically excellent sessions addressing timely challenges security practitioners are facing—along with opportunities for security practitioners to share knowledge with fellow attendees and grow their networks—but attending these events also can have a re-energizing effect on professionals by providing a break from their usual responsibilities. At a time when stress levels are on the rise for security professionals, the ability to take a short yet productive break from the grind once or twice a year is no small thing and should be supported by employers.
4. Making Targeted Investments In Automation With the rise of AI among other emerging technologies, sophisticated automation can reduce manual effort and provide the team with the opportunity to focus on the most important tasks that support the business. From risk and maturity assessment tools to audit, analysis, detection and response solutions, modern cybersecurity tools can reduce manual efforts, process whole datasets and provide insights invisible to the human eye.
Such tools are important to relieve stress levels, provide more clarity on events throughout the digital infrastructure, reduce response times and assist in a time of crisis. Although such tools are key and must be prioritized, this should be done in conjunction with employee preparedness so they can be configured and operated in a way that adds value to the business. 5.
Hiring An Entry-Level Practitioner One of the factors holding back the cybersecurity workforce is enterprises’ reluctance to hire early-career professionals for open roles, instead prioritizing those with extensive industry experience. The problem is there are only so many ready-from-day-one cybersecurity professionals available, and it can be especially difficult for smaller and medium-sized businesses, as well as public sector employers, to afford them. However, entry-level hires can be trained to perform necessary tasks such as asset management, configuration management and more—tasks for which more senior personnel would be overqualified and overpaid .
A more open-minded approach to expanding your team with entry-level hires can pay off, even if a commitment to training (and a bit of patience) is needed. Conclusion Being judicious about allocating resources is one of the most important jobs for C-suite technology leaders. By investing in the people, training, professional development and technology that will provide the most value, security leaders can put their teams and organizations on an upward trajectory.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?.
