A new EY report found that cybersecurity teams are a major vehicle for business growth, and CISOs should push for a seat at the top table
# Industry News: Cybersecurity Budget Contraction vs. Proven Business Value
## Summary
New research from Ernst & Young (EY) indicates that enterprise cybersecurity teams contribute a median value of \$36 million in business growth per initiative they participate in. That value stands against a significant operational challenge: cybersecurity budgets, as a percentage of annual revenue, have nearly halved over the last two years, dropping from 1.1% to 0.6%. This signals a disconnect between the demonstrated commercial impact of security functions and executive investment priorities.
## Key Details
- **Date:** May 29, 2025 (approximate date of reporting/study release, based on publication date).
- **Companies Involved:** Ernst & Young (EY), which conducted the survey.
- **Category:** Market Analysis/Industry Benchmark Study.
## The Story
The EY survey of global security leaders highlights a fundamental shift in the perceived, and actual, role of the cybersecurity function. Security teams are no longer just cost centers; they are value drivers, contributing significantly (11% to 20% of the value produced) to enterprise-wide initiatives. For large organizations (over \$20bn revenue), this impact can reach \$154 million per project. Despite this proven financial contribution, organizational investment is decreasing, with budgets shrinking to 0.6% of annual revenue. Furthermore, only 13% of CISOs are involved early in urgent strategic decision-making, and 58% struggle to articulate their value beyond simple risk mitigation, underscoring a major communication gap with the board.
## Business Impact
### For the Companies Involved
- **Positive:** Organizations leveraging security expertise within broader initiatives are seeing substantial monetary benefits, indicating that "Secure Creators" (a subgroup identified in the study) are realizing higher ROI from strategic security integration.
- **Negative:** A significant portion of businesses are paradoxically defunding a function that demonstrably drives growth, potentially increasing latent risk while expecting continued high performance on a restricted budget.
### For Competitors
- Competitors whose CISOs successfully bridge the communication gap and secure adequate funding may gain a competitive edge by integrating security earlier into innovation and market expansion projects, framing security as an enabler rather than a blocker.
### For Customers
- If companies reduce investment while expanding strategic involvement, customers face increased risk exposure if security initiatives are under-resourced. Conversely, customers benefit when security is used to enable trusted digital products and services.
### For the Market
- The data suggests the market is not yet mature enough to universally view cybersecurity as a revenue enabler. The 50% budget reduction indicates that many boards still operate under a traditional, cost-focused risk-aversion model for security spending.
## Technical Implications
The finding that security functions contribute to 11-20% of initiative value implies that the security teams driving this growth are likely involved in areas like secure software development lifecycles (DevSecOps), cloud migration strategy, or enabling trusted data sharing for monetization—areas that require deep technical integration into business processes.
## Strategic Analysis
- **Market Positioning:** The dichotomy between value creation and budget reduction highlights a structural immaturity in how boards allocate capital for digital transformation. The market is bifurcating between high-maturity "Secure Creators" and lower-maturity organizations focused solely on baseline compliance.
- **Competitive Advantage:** The primary strategic advantage lies with CISOs who can translate security metrics into business outcomes (e.g., "Security enabled $50M in faster time-to-market by reducing compliance delays").
- **Challenges:** The primary challenge is organizational buy-in and executive literacy regarding FinSecOps (Financial Security Operations). CISOs are struggling to move from being technologists reporting on threats to business executives reporting on integrated value.
## Industry Reactions
- **Analyst Opinions:** Analysts are likely emphasizing the need for CISOs to aggressively utilize this data to advocate for stable or increased funding, positioning security as critical infrastructure for growth, not just defense.
- **Expert Commentary:** Experts will likely urge CISOs to improve boardroom narrative quality, focusing on revenue enablement, competitive differentiation, and customer trust, rather than relying solely on incident counts or vulnerability scores.
- **Market Response:** The market focus will likely shift toward vendors and consultants who can provide tools and services to help CISOs quantify and articulate security's business value explicitly.
## Future Outlook
- **Predictions and Expectations:** Future success will likely be tied to the subset of organizations that treat security investment similarly to R&D—as a driver of innovation. We should expect increased pressure on security purchasing decisions to prove direct linkage to revenue goals.
- **What to watch for:** Increased emphasis in CISO job descriptions and performance reviews on commercial outcomes beyond simple risk reduction metrics.
## For Security Professionals
Security practitioners must evolve their focus from purely technical efficacy to measurable business contribution. Understanding the financial model of the organization and how security underpins revenue-generating or cost-saving projects will become essential for career progression and securing necessary tooling budgets.