Data security spending in 2025: Up and to the right
Cybersecurity investments are set to increase in 2025, according to Enterprise Strategy Group's annual spending survey, and data loss prevention is leading the priority pack.
- Todd Thiemann,
-
Enterprise Strategy Group
We provide market insights, research and advisory, and technical validations for tech buyers.
Informa TechTarget's Enterprise Strategy Group recently published its annual "2025 Technology Spending Intentions Survey." The report has some fascinating insights, providing a wealth of spending intentions data that informs and reinforces many of my thoughts on the importance of data security.
Before digging into data security, let's look at some higher-level context on enterprise technology from the report. First, the survey found that "cybersecurity" and "AI, data science and machine learning" are the two leading initiatives expected to become more important over the next two years.
At the same time, AI and machine learning and cybersecurity are the two areas where enterprises said they have a problematic shortage of existing skills. So, the top two key initiatives are in areas in which there are significant skills issues. I expect smart people, along with improved technology that uses AI to streamline processes, will fill much of that gap.
Note that "cybersecurity and AI" applies to using AI to improve cybersecurity products -- AI for security -- as well as using security products to protect AI infrastructure -- security for AI. I'm focusing on security for AI in this article and how it affects data security investment plans.
Cybersecurity investments disproportionately increasing
The survey found 72% of enterprises said they plan to increase their cybersecurity spending in 2025. The cybersecurity increase was far greater than other areas of IT-related spending, including customer experience (59% of respondents said they plan to increase spending), app development (59%), data protection (56%), public cloud infrastructure (56%), data center infrastructure (43%) and more.
The annual survey is comprehensive and delves into many areas of IT generally and into cybersecurity specifically. I previously wrote about identity security investment intentions, so let's look at data security investment plans.
The data loss prevention priority
The No. 1 investment priority for respondents was data loss prevention (DLP), with 45% saying they would make significant investments in it over the next year. Rounding out the top three investment priorities are email security (39%), and data privacy and identity governance (37%).
DLP has been around for a long time. It touches on every potential data exfiltration point, from endpoints to email to cloud. Enterprises have struggled with DLP because of its significant management overhead: establishing, deploying and maintaining DLP policies; alert noise and investigation struggles -- false positive alerts that drain resources and result in alert fatigue; DLP providing inadequate context around alerts; and more. Because of the potential for false positives and missteps, DLP products are frequently deployed in "alert" mode rather than "block" mode. Making the matter even more difficult, new data exfiltration points must be considered as enterprises embrace generative AI (GenAI).
Security for GenAI infrastructure
GenAI and large language models (LLMs) bring new data security risks to the fore. If sensitive data informs your organization's GenAI and LLM infrastructure, it now faces the risk of that data leaking inside or outside of the enterprise. Competitors or adversaries can prompt for that sensitive data, or insiders could inadvertently come across data they should not see. For example, corporate development and M&A teams want to keep a pending deal secret, and HR teams need to keep layoff lists private. A copilot or private model could end up leaking sensitive data if appropriate guardrails and controls are not in place.
Security for AI requires a multilayered strategy of different data privacy and protection technologies. Security technologies that support GenAI -- including DLP, data privacy and identity governance, data access controls, risk assessment, and data security posture management for data discovery and classification -- will have an easier path to budget justification. As budgets gravitate toward strategic GenAI initiatives, tying security spend to that high-profile GenAI and LLM initiative is more likely to gain approval.
Post-quantum computing continues to be a work in progress
One item near the bottom of the technology investment priority list was quantum-safe or post-quantum encryption, with 9% of the respondents selecting it as one of their priorities. It was just above the "None of the above" option.
December 2024 saw some news about quantum computing advances, with Google announcing it had created a chip able to speed computation times exponentially over today's computers. A major worry, however, is that when capable quantum computers arrive they will be able to break currently deployed encryption algorithms. But the timing of that event is uncertain; the availability of crypto-breaking quantum computers is likely still 10 years away.
While enterprise investment priorities change over time in response to events, if you are a security or IT leader today with a bunch of fires to put out, the "2025 Technology Spending Intentions Survey" data indicated that preparing for a post-quantum encryption world is well down the list of investment priorities.
If you are an innovator in data or identity security, I want to understand what you are doing. You can reach me on LinkedIn or send an email to [email protected].
Todd Thiemann is a senior analyst covering identity access management and data security for Informa TechTarget's Enterprise Strategy Group. He has more than 20 years of experience in cybersecurity marketing and strategy.
Enterprise Strategy Group is a division of Informa TechTarget. Its analysts have business relationships with technology vendors.
