The State of Human Risk: Budgets and the Business of Security 

Human risk is no longer a side conversation. In 2025, it's the core issue shaping how security leaders think about risk, resources, and resilience.

Each year, Mimecast surveys over 1,000 security and IT decision-makers across industries and continents. This year’s report, The State of Human Risk 2025, confirms what many of us have been seeing firsthand: the conversation has shifted. The real threat isn’t just outside the firewall, it’s within the organization.

This is the fifth blog in the series, and it focuses on one of the most important levers security leaders have: the budget.

Budgets are up, but so are expectations

According to the report, 85% of organizations increased their cybersecurity budgets last year. That’s a good sign. But when only 3% of leaders say their current budget is enough, it’s clear that funding alone isn’t solving the problem.

It’s not just about how much money is being spent. It’s about how that money is being used.

Security leaders report needing more support across three key areas: people, tools to secure collaboration platforms, and email security. But many still struggle to get the buy-in they need from the board.

Boards today want clear justification for every dollar spent. They want to see measurable business outcomes, improved continuity, lower risk, better preparedness. Security teams need to tell that story more effectively, and in the language the board understands.

Efficiency over expansion

More money doesn’t always mean more tools. In fact, tool sprawl can become a liability.

Disconnected tools add layers of complexity. They create duplicate alerts, fragment visibility, and slow down response times. The result? Security teams end up spending more time managing systems than managing threats.

What’s needed is consolidation. Integrated platforms that can surface the right signal at the right time. Less noise. More clarity.

A strong human risk management strategy gives leaders that clarity. It allows teams to see across behaviors, correlate events, and zero in on what matters most.

Turning insight into action

Security teams deal with a flood of data every day. A login from an unusual location, a suspicious email click, a source code download — on their own, each one is a red flag. Together, they’re a siren.

But if those events sit in separate dashboards, the pattern gets missed. That’s the real danger of disjointed tools.

The more efficiently teams can connect the dots, the faster they can act. That’s what boards care about. That’s what builds trust.

A final thought

Cybersecurity will always need more budget. But what really earns more budget is showing impact.

As human risk becomes the defining challenge of the next era in cybersecurity, the way we think about tools, budgets, and communication must evolve.

The teams that win will be the ones who do more with what they have, who use integrated intelligence to move faster, and who can clearly demonstrate the value of every decision.

You can read the full report here: The State of Human Risk 2025.