Security and risk leaders face an uncertain road ahead. While cybersecurity by its very nature has always been unpredictable, the current business environment is more volatile than what we’ve come to think of as normal. Markets are swinging wildly, geopolitical tensions are brewing, and trade disruptions are rewriting what we knew as the accepted rules. This year, security and risk leaders across the globe must enter budget planning season with boldness, build resilient plans, make strategic moves, and turn volatility into opportunity. Use our annual Budget Planning Guide 2026: Security And Risk report for an overview of priorities for security tech, staff, and services spend across regions and our recommendations for the technologies to invest in, divest from, and experiment with.

Budget Outlooks And Allocations Vary By Region

Our planning guides all provide some global spending benchmark for the relevant role. According to Information Services Group, organizations globally are projected to allocate 40% of their cybersecurity budgets to software in 2025. This outpaces spending on hardware and outsourcing combined and exceeds personnel-related costs by 11%. Additionally, more than half of global security technology decision-makers surveyed in Forrester’s Budget Planning Survey, 2025, anticipate significant budget growth in the coming year. Specifically, 15% predict an increase of more than 10%, while 40% expect budget growth ranging between 5–10%. Just 9% of North American respondents, however, expect increases of more than 10% in the next 12 months, indicating an assumption of flat budgets or modest increases due to increased economic and geopolitical uncertainty.

European Security Leaders See Differentiated Investment In 2025

The picture for security leaders in Europe is a little different. European security leaders also expect an overall increase in security budgets, with 81% reporting expected increases in their security budgets over the next 12 months. Furthermore, half of European security pros see an increase of more than 5% of their budget, with 14% seeing an increase of more than 10%. European organizations are slightly less cautious about investing in cybersecurity than their peers in North America. This likely reflects a requirement to correct historical underinvestments in cybersecurity, rather than radically different expectations of the overall economic and geopolitical-uncertainty risk outlook. European security leaders are also spending more of their budgets on increasing staffing levels (69% expect to see an increase in staffing levels, compared to 58% in North America). In addition, managed security services (MSS) spending is higher than in North America (63% expect an increase in MSS in Europe versus 54% in North America).

APAC Aspires To Uplift Staffing And Security Culture

Security budgets are also on the rise across the Asia Pacific (APAC) region, with 92% of security leaders in the region anticipating increases over the next 12 months and 22% expecting growth of more than 10%. While APAC has been catching up on cybersecurity spending in comparison to North America and Europe, this momentum will eventually slow, prompting CISOs in the region to justify their budgets and demonstrate ROI amid complex economic and geopolitical challenges. Staffing is a key focus in this region, with 80% of APAC security leaders planning to expand their teams despite persistent skill shortages. Spending priorities in APAC include on-premises security technologies, managed security services, and security awareness initiatives. These signal a response to the growing threat posed by generative AI (genAI)-enabled scams that bypass traditional language barriers. Investments in awareness and training are foundational to building a cybersecurity culture and fostering long-term resilience in a region working to overcome years of underinvestment.

Future Investments

Security organizations must prioritize investments in tools and technologies that safeguard their organization’s infrastructure, applications, and products as they evolve while also addressing critical customer, regulatory, and cyber insurance requirements. As industries race to establish standards for sensitive data usage by AI models, the time for experimentation is over. Forrester recommends focusing on expanding enterprisewide AI and ML security, securing genAI deployments, and preparing for post-quantum cryptography to future-proof your operations. Additionally, it’s time to tackle the long-standing challenge of data discovery and classification by leveraging AI-driven solutions that improve accuracy and provide visibility into data risks.

Stop Standalone Tools From Eating Your Budget

It’s also time to ditch standalone security tools that don’t integrate well or offer enough visibility. While single-function tools work for niche needs, relying too heavily on them creates inefficiencies — especially now that multipurpose platforms are more common. Focus instead on solutions that prioritize integration, automation, and productivity. Drop outdated interactive application security testing (IAST) tools and shift budgets to combined IAST/dynamic application security testing (DAST) solutions or tech that secures modern architectures such as APIs and containers. Move away from security service edge (SSE) tools and embrace unified secure access service edge (SASE) platforms to streamline operations and strengthen Zero Trust. And skip standalone cybersecurity risk rating (CRR) products. They often lack the integration needed for a full picture of your risk profile. Instead, invest in integrated third-party risk management (TPRM) and continuous monitoring solutions for better visibility and control.

Experiment Boldly

Embrace the innovation happening across your organization to keep security strategies sharp, whether budgets are expanding, holding steady, or shrinking. GenAI features already in your tech stack can help boost efficiency, cut down mundane tasks, and fill critical skills gaps — especially if hiring is frozen or teams are reduced. Investing selectively in tools that drive resilience and differentiation is key. Trust centers are becoming a must-have beyond the tech industry, centralizing compliance and security info while automating responses to security questionnaires. Automated remediation tech streamlines fixes for vulnerabilities, such as patch management and blocking risky applications, while tailored solutions for DevOps keep operations agile. And as deepfakes grow harder to detect, advanced tools that analyze artifacts, lighting, and device reputation in real time are essential to protecting identity verification and transactional integrity.

Volatility isn’t your enemy — it’s your chance to innovate. Small, strategic experiments could help your organization gain a competitive edge over those stuck in security budget planning paralysis.

Next Steps

Interested in more findings from Forrester’s Budget Planning Survey, 2025, and more bold calls from our experts on where to invest, divest, and experiment in 2026? Download our complimentary copy of the 2026 Budget Planning Guide for security and risk executives and the accompanying worksheet to help you put the report’s recommendations into action. Then, register for our upcoming webinar on August 6, where our analysts will discuss how CIOs and CISOs can align their budgets and priorities to ensure success in 2026.