Budgeting for IT and Cybersecurity in 2025

Budget season is here, but there’s no reason to worry. In this blog, we’re sharing our top tips for budgeting for IT and cybersecurity in 2025. Our team is sharing insight into what tech you need, where you can save costs, and how to insulate your business from economic uncertainty.

Should I budget separately for IT and cybersecurity?

Yes! You can include them in the same overall bucket, but breaking them out separately helps ensure that nothing is missed or neglected. It’s easy to overspend in one area and borrow from another if you don’t separate them initially. They’re equally important, so we suggest breaking them out.

What needs to go in my Cybersecurity budget?

Great question! We get this one a lot, and we have a few non-negotiable suggestions. These should be considered the highest priority for your organization, regardless of size or industry.

Security engagements

  1. An annual Security Risk Assessment (SRA). This extremely advanced service is one of the best things you can do to help protect your organization. Because of how rigorous it is and how many hours it takes, it’s one of the more expensive components of your cybersecurity strategy. A properly done SRA should be led by humans, not automatically generated using tools and AI. Those techniques lower the cost, but provide less useful, less reliable results.
  2. Security Awareness Training. An annual requirement – but more frequent is better. This training should be on-demand so you can quickly get new hires up to speed and ensure that no one misses out. You need one that’s regularly updated, and that offers immediate learning opportunities. There’s no point in a training that doesn’t point out what to look for in the future. A big component of Security Awareness Training is phishing campaigns. These should be customized to your organization for the most realistic experience, and you should have access to the results so you can benchmark your team against the training. Security Awareness Training is often a compliance and insurance requirement too.
  3. Internal and External Penetration Tests. These targeted tests let you see how well your environment stands up to cybersecurity professionals mimicking threat actors. In a safe, controlled manner, a credentialed expert will attempt to infiltrate your systems using the same techniques that threat actors do, so you can mitigate the risk and fortify your defenses. We highly recommend these services and offer them through our partner Cyber74.

Managed cybersecurity services

  1. Managed Detection and Response (MDR) for email. This is a great add-on to your existing toolset. We offer MDR specifically for Microsoft 365, which helps defend against business email compromise (BEC) – one of the major threats organizations face. This service helps detect threats before they become a security risk, so you can focus on your business.
  2. Managed Detection and Response for endpoints (EDR or MDR). Specifically for your endpoints, this can quarantine threats before they spread to the rest of your system. EDR can stop a threat in its tracks and allow you to roll your systems back to a pre-infected state, which is especially helpful against cyberattacks like ransomware.
  3. A managed SIEM solution. Depending on your business, this might go to the top of the priority list. A SIEM solution offers comprehensive security tools, as well as audit logs and other compliance necessities.

What managed IT should I budget for?

Managed IT is such a large category at this point that your budget will depend completely on your business. The main pieces we see are co-managed or fully managed IT. If you have an internal IT team, co-managed may be enough support for you. If you’re looking to enlist professional help for all your IT operations, fully managed might be the way to go.

  • Co-managed IT. This typically offers an IT partnership, supplementing your own in-house efforts to maintain your environment and troubleshoot issues. Co-managed IT often takes the form of a help desk, resolving common issues for users so your internal staff can focus on the bigger picture. The opposite could also be true – an IT partner could help with more complex, niche skills and projects while your team handles the day-to-day IT needs.
  • Fully managed IT. Exactly what it sounds like, this premium service ensures that you don’t have to worry about IT for your organization. From projects to security and a team of experts that act as an extension of your own, your IT is taken care of.

Plan for projects

Don’t forget the long-term goals and projects you may need to tackle this year. Take a step back and think about things like:

  • Aging hardware: Do you have anything that’s reaching the end of its life? This could be physical devices like servers, or even laptops for your team. Plan to start moving off of aging technologies that are going to become costlier and less efficient in the next year.
  • Custom application development: What business challenges are you facing, and can a custom solution help solve them?
  • Large implementations or migrations you’re considering: If you want to move to the cloud, or implement a new system, now is the time to set aside funding and start planning – before you make investments in anything that doesn’t align to the larger goal.
  • Renewals: Annual renewals of existing hardware and software are often overlooked. If these aren’t tracked diligently, there can be huge line-item surprises at the time of renewal. This process should be provided and/or co-authored with you and your IT provider going into budget season.

The key here is planning. This helps ensure your IT roadmap is as efficient as possible, saving you money and time.

How much room does AI need in my budget?

That depends – do you need AI? This is one of the biggest questions going into 2025. Sure, it’s a trending technology, but if you’re not planning to use it intentionally you may want to skip it unless you have an unlimited budget. When adding a new tool, you’ll also need to evaluate the additional cost to secure that technology. It adds up quickly if you’re not prepared.

If you are looking to leverage it, we suggest adding Copilot licensing to your Microsoft 365 subscription. This is a great way to incorporate the technology into tools you’re already using. Copilot is also one of the more reputable options out there, which is important when considering data governance. You don’t want to add technology you can’t roll out responsibly to your organization.

Plan with your IT partner

We’re always happy to be part of the budgeting process for clients. This helps us plan too – if we know you’re looking for something, we’re able to make the best recommendation from a cost and time perspective. We might suggest lining up projects that can be tackled at one time, saving money – or even holding off on something because another project would eliminate the need for it. ADNET also tracks client renewals along with our managed services, so there are no surprises when they come up. Your IT partner should offer to be part of the budget discussion, or at least provide guidance on what they think your priorities should be for IT and cybersecurity.

There’s a saying, “you don’t know what you don’t know.” That’s especially true when it comes to budgeting and planning. If you need help budgeting for IT and cybersecurity in 2025, reach out to us. We’d love to hear about what you’re thinking and see how we can help!