Ahead of the RSA Conference, we launched our 2025 State of Security Study, which surveyed 500 security leaders to learn how they are navigating an increasingly complex and threatening landscape. The annual study tracked the influence of AI on security, the impact of geopolitical tensions and cyber threats, and which security vendors are most desired and seen as most innovative in the field. Findings revealed that spending is up, and AI and geopolitical tensions are impacting strategy. Additionally, 80% of organizations anticipate rising information security budgets in the next 12 months, with cloud security protection for generative AI and large language models (LLMs) the top priorities.
More than half (51%) intended to expand the number of security vendors in their organization’s portfolio in 2024, but now fewer – 40% – intend to diversify their vendor mix. Today, nearly half (48%) expect no change in the number of vendors they rely on. A third of organizations say they are expanding their number of security vendors to respond to new threat vectors (32%) and a quarter are expanding to enable business growth (24%).
Other key findings include:
- The highest priority areas of information security are vulnerability management, identity security, data security, endpoint security, and cloud security. DevSecOps, web application security, and decentralized network security are the lowest priorities.
- Threat exposure management and vulnerability prioritization are of growing interest across all respondents to the survey. Executives in the C-suite, as well as respondents from financial industry organizations, reported especially high evaluation rates for these trending areas of security technology.
- Though nearly a quarter (23%) say they have no plans to spend on AI-related security tools, an equal proportion (23%) are already spending in this area. The remaining 54% of respondents plan to spend on AI security tools in the next year.
- Despite the industry hype around AI agents to monitor and respond to cybersecurity threats, only 3% say they have fully implemented AI agents across multiple systems, with another 15% indicating partial implementation in select areas or use cases. Collectively, 50% of respondents either have no plans to deploy AI agents (16%) or are considering it for the future but with no timeline in place (34%).
- 43% of respondents note a rise in threats tied to geopolitical tensions, but only 12% have significantly increased their budgets in response and 55% have made no change. This highlights the tension between threat awareness and constrained budgets.
- Security roles have expanded, with 65% of respondents also managing aspects of IT infrastructure and 55% managing business continuity planning. In-house staffing is more common in large enterprises and Global 2000 firms, while small and midsize businesses tend to lean more on outsourcing, often due to the persistent skills gap and difficulty recruiting security talent with expertise in complex hybrid environments.