It’s about time. Organizations are finally confirming—with increased budget spends—that cybersecurity is fundamental to business, key to innovation, reducing enterprise risk and boosting resilience.
Nearly all of the security leaders (99%) in the 2025 KPMG Cybersecurity Survey plan on upping their cybersecurity budgets in the two-to-three years to come, in preparation for what may be the upcoming boom in cybersecurity. More than half (54%) say budget increases will fall between 6%-10%.
“The data doesn’t just point to steady growth; it signals a potential boom. We’re seeing a major market pivot where cybersecurity is now a fundamental driver of business strategy,” Michael Isensee, Cybersecurity & Tech Risk Leader, KPMG LLP, said in a release. “Leaders are moving beyond reactive defense and are actively investing to build a security posture that can withstand future shocks, especially from AI and other emerging technologies. This isn’t just about spending more; it’s about strategic investment in resilience.”
That’s an encouraging trend for organizations trying to stay ahead of threats. “Cyber technology is particularly vulnerable to atrophy if it isn’t cared for and fed properly,” says Hank Thomas, co-founder and CEO at Strategic Cyber Ventures.
“AI-powered threat actors and machine on machine cyber warfare is now a reality. It is of the utmost importance that cyber tactics, techniques, procedures and technology quickly innovate, collaborate with, and if needed, merge with other technologies to fill gaps in our defenses,” he says. “If you wait too long to do this, the value of your security solution could rapidly plummet towards zero.”
But that money will not necessarily be easy to come by. Just over half also acknowledged they were competing with others for budget dollars. “This signals a need for leaders to focus on managing this spend more strategically—turning to AI, unified security platforms, and Managed Services to create efficiencies, reduce overhead, and ensure every additional dollar strengthens their overall defense posture,” the KPMG report said.
The security leaders recognize AI is amassing steam as a dual catalyst—38% are challenged by AI-powered attacks in the coming three years, with 70% of organizations currently committing 10% of their budgets to combating such attacks. But they also say AI is their best weapon to proactively identify and stop threats when it comes to fraud prevention (57%), predictive analytics (56%) and enhanced detection (53%).
But they need the talent to pull it off. And as the boom takes off, 53% just don’t have enough qualified candidates. As a result, 49% are increasing compensation and the same number are bolstering internal training, while 25% are increasingly turning to third parties like MSSPs to fill the skills gap.
“In some cases, an uncertain economy means reducing lower-value roles. But, generally speaking, there is still so much to do that few CISOs will willingly give up staff,” says Seth Spergel, managing partner at Merlin Ventures.
“We see the growth opportunity around a hybrid model of talented cybersecurity practitioners being extended by AI capabilities,” Spergel says, explaining, “there are still very sensitive tasks and decisions that organizations cannot fully trust to AI, but we can now bring those human operators much more complete data very quickly with the help of these AI tools.”
Still, “the cybersecurity labor model is being quietly rebalanced. Organizations are not eliminating people, they are reducing reliance on manual analysis in favor of automation that operates at machine speed,” says Ram Varadarajan, CEO at Acalvio.
Varadarajan contends that in the coming year, “cybersecurity stops being a people-scaling problem and becomes an intelligence-scaling problem. AI-driven attacks force AI-driven defense. Teams stay lean, budgets get smarter, and machines take on the work humans were never meant to do at machine speed.”
He doesn’t expect the bulk of CISOs “to significantly grow their teams in 2026,” and “not because risk is shrinking, but because headcount no longer scales against the threat.”
Budget isn’t the issue, he says, speed is. “When attacks unfold at machine pace, adding more humans doesn’t materially change outcomes. Teams will stay relatively flat while the nature of the work shifts,” Varadarajan says.
The analysts at KPMG see the investments as being strategic beyond IT because cybersecurity dollars are increasingly going to the controls that safeguard access and boost trust across an organization. Just over two in five leaders are prioritizing identity and access management, with data security and privacy, and cloud security, not far behind. That supports a trend toward creating a stronger identity for the government and putting more effort into creating greater resilience.