20 January 2025

Checklist: Planning Your 2025 Security Budget

TL;DR

Budget season is here. This checklist helps CISOs and IT directors plan their 2025 security budget in a structured way, from inventory through compliance requirements to prioritization. It also includes benchmarks for typical cost items.

Phase 1: Inventory (Weeks 1-2)

Capture current expenses:

  • Ongoing licenses and maintenance contracts, with their expiration dates
  • Personnel and training costs
  • External service providers (MSSP, penetration tests, IR retainer)
  • Cloud security expenses (often hidden inside the general cloud budget rather than the security budget)

Evaluate usage:

  • Which tools are actively used, and which are gathering dust?
  • Where do products overlap in function?
  • Which contracts expire in 2025 and therefore offer consolidation opportunities?

Phase 2: Define Requirements (Weeks 3-4)

Regulatory obligations for 2025:

  • NIS2 implementation: Reporting requirements, risk management, supply chain security (the national transposition law in Germany, the NIS2UmsuCG, was still pending in January 2025, so budget for the directive's requirements rather than waiting for the national text)
  • DORA (financial sector): Resilience testing, ICT risk management; applicable since 17 January 2025
  • EU AI Act: Compliance for high-risk AI systems (the prohibitions apply from February 2025, obligations for general-purpose AI models from August 2025, and most high-risk obligations from August 2026, so 2025 spending is mainly inventory and gap analysis)
  • KRITIS umbrella law (KRITIS-Dachgesetz): Physical and cyber security for critical infrastructures

Technical gaps:

  • Findings from penetration tests and audits
  • Known risks from the risk register
  • Lessons learned from incidents in the last 12 months

Phase 3: Prioritization (Weeks 5-6)

Assign each planned investment to one of three categories, and fund them in that order:

  1. Must-Have: Compliance requirements, critical gaps, expiring contracts that cannot lapse
  2. Should-Have: Efficiency gains, automation, consolidation
  3. Nice-to-Have: Emerging technologies, innovation projects

Benchmarks for 2025

  • Industry average for the IT security budget: 6-14% of the total IT budget (Gartner)
  • EDR/XDR platform: 15-40 EUR per endpoint per year
  • SIEM/SOC (managed): 5,000-25,000 EUR per month, depending on ingested data volume
  • Penetration test: 8,000-25,000 EUR per engagement, depending on scope
  • Security awareness training: 20-50 EUR per employee per year
  • IR retainer: 3,000-10,000 EUR per month

Key Facts

6-14% of the IT budget is the industry average for security (Gartner 2024)

NIS2, DORA, and the AI Act create new mandatory expenses in 2025

Tool consolidation saves an average of 15-25% with the same coverage

Managed Detection and Response is growing as an alternative to an in-house SOC

A security budget without a business case loses the support of the executive board

Fact: According to IBM's Cyber Security Intelligence Index (2014), more than 95 percent of the incidents investigated had human error as a contributing factor.

Fact: The global average cost of a data breach in 2024 was USD 4.88 million, according to IBM's Cost of a Data Breach Report 2024.

Frequently Asked Questions

How do I argue for the security budget with the executive board?

With three arguments: compliance requirements (NIS2 makes management bodies personally accountable for cyber risk management), damage prevention (average ransomware costs in the DACH region: EUR 1.2 million, according to Sophos), and insurability (cyber insurers increasingly require minimum security standards, such as MFA and EDR, before they will write or renew a policy).

Should I invest in my own SOC or MDR?

For companies with fewer than 1,000 employees, MDR is almost always more cost-effective. An in-house SOC needs at least 5-7 analysts to cover 24/7 shifts, holidays and sick leave, which alone means personnel costs of EUR 500,000 or more per year before tooling and training.

Does every company need a CISO?

Not every company needs a full-time CISO, but every company needs clear accountability for IT security at the executive level. SMBs can rely on an external CISO (virtual CISO). NIS2 makes this management responsibility a legal obligation.

Further Reading

NIS2 Directive: What Companies Need to Know

Cyber Insurance 2026

Zero Trust: The 7 Most Common Mistakes

Header Image Source: Pexels / www.kaboompics.com

About the author: Tobias Massow

A magazine by Evernine Media GmbH