Forrester's CISO Budget Planning Guide for 2025: Prioritize API Security

As we head into 2025, planning a robust security budget is more critical than ever. According to Forrester's latest Budget Planning Guide for Security and Risk Leaders, one element stands out as indispensable: API security.

APIs form the backbone of modern digital interactions, connecting services, platforms, and users. However, this growing reliance has also made them a prime target for attackers.

Just in Australia, for example, new research by Thales has found that vulnerable APIs and bot attacks are costing businesses up to AUD 2.95 billion annually. Even more concerning, globally one in five financial organizations has suffered a full-blown API security breach last year. These alarming statistics highlight that API security is not just a tech issue but a significant business risk that requires urgent and strategic financial commitment.

Forrester's report emphasizes that failing to invest adequately in API security could leave businesses vulnerable to severe risks, including data breaches and operational disruptions.

API security is no longer limited to technology companies; it's a universal priority for all industries as they continue to digitize. In this guide, we’ll explore why Forrester is urging companies to prioritize API security in their 2025 budget planning and how to allocate resources effectively to protect this critical aspect of digital infrastructure.

The Growing Importance of API Security

The rise of API usage across industries has led to a phenomenon known as API sprawl, which is quickly becoming a significant threat to enterprise security. For instance, only 10% of organizations fully document their APIs, according to a 2023 report from Enterprise Management Associates (EMA). 

The unchecked proliferation of APIs—particularly "shadow" or "zombie" APIs that are forgotten or poorly maintained—poses a major security risk, as they often lack consistent security controls, making them prime targets for exploitation.

Recent incidents like the 2024 Twilio Authy breach emphasize just how vulnerable APIs can be when not properly secured.

In the Twilio incident, attackers exploited insecure API endpoints to access the two-factor authentication data of thousands of users, highlighting the dangers of improper API authentication mechanisms and the need for rigorous API security testing. Such breaches not only compromise user data but also jeopardize the integrity of services that millions rely on for secure transactions and communication.

In addition to the issue of poorly managed APIs, the sprawl of API secrets is also a significant problem. Escape's State of Secret Sprawl report illustrates this challenge well: as rapid API deployment increases, so does the uncontrolled distribution of secrets like keys, tokens, and other credentials. Just think - 18,000 secrets were exposed in front-ends, including Stripe tokens giving access to financial data. Attackers actively look for such exposed secrets, leveraging them to gain unauthorized access to APIs and, subsequently, to sensitive data.

The report emphasizes how critical it is for organizations to implement strategies to control and manage APIs and their secrets, such through automated secret management tools and stringent access policies.

Key Takeaways from Forrester's 2025 Security Budget Planning

Forrester's 2025 Security Budget Planning Guide provides crucial insights for CISOs and security leaders on how to allocate resources to effectively protect their organizations. The guide highlights:

"The budget increases that CISOs will receive in 2025 should prioritize addressing threats and controls in application security, people, and business-critical infrastructure."

A key theme throughout the report is the rising importance of securing applications and business-critical infrastructure. In particular, Forrester emphasizes the software supply chain and API security as the top priorities for investment:

Below are some of the main takeaways from Forrester's recommendations for budget priorities in 2025:

API Security as The Top Priority

Forrester identifies API security as a critical area requiring substantial investment in 2025. APIs often serve as gateways to sensitive information, making their security essential for maintaining data integrity and service availability. Forrester recommends establishing an API governance with ongoing API discovery and inventory, identifying the purpose and sensitivity of each API, and securing the most critical ones.

Budget planning should extend beyond traditional API gateways to include advanced API security tools that provide automated discovery and testing. Such tools enable organizations to proactively identify vulnerabilities, ensuring the security of all active APIs—not just those on the surface. Escape’s approach to comprehensive API lifecycle security, encompassing automated discovery, vulnerability scanning, and business-critical prioritization, aligns directly with this priority. We're happy to show to you how. This proactive strategy helps organizations minimize risks associated with undocumented or forgotten "shadow" APIs, which pose significant security threats.

Decommissioning Outdated Cybersecurity Solutions

As Forrester highlights, many of the cybersecurity tools currently deployed by organizations have not kept up with the evolving cyber threats.

For instance, traditional Dynamic Application Security Testing (DAST) tools have limitations when it comes to modern API testing. They struggle with the complexities of modern applications, including microservices and GraphQL APIs. For example, they cannot adequately support GraphQL's complex queries and data-fetching capabilities, leaving APIs vulnerable to attacks. According to Escape’s analysis, DAST tools are designed primarily for static web pages and require a lot of configuration to make them work.

Similarly, traffic-based tools that rely solely on monitoring API traffic for security analysis also fall short. These tools can only secure the environment in which they are deeply and manually deployed, which means they may miss emerging threats or fail to identify vulnerabilities in APIs deployed outside of their perimeter. Furthermore, they often require a lengthy deployment process to get accurate visibility, leaving APIs vulnerable during this critical time frame.

To better protect their API infrastructure, Forrester suggests that organizations decommission these outdated solutions in favor of solutions that better address your current and future threat models and control requirements.

Effective solutions for API security should offer automated testing, contextual analysis, and business-critical prioritization while assisting with remediation—core elements central to Escape's approach.

Avoid the Pitfalls of Strategic Outsourcing

While strategic outsourcing can bring down costs and there is a temptation to leverage a vendor that “does it all,” that is a pipe dream and sets you up for mediocrity.

Forrester cautions against over-relying on strategic outsourcing as a method of managing security, particularly in complex areas such as API security. Vendors that claim to offer a comprehensive solution across all aspects of cybersecurity often lack the depth required to address the specific nuances of API threats and vulnerabilities effectively.

When it comes to API security, it is crucial to partner with specialists who have deep expertise in the nuances of API threats and vulnerabilities. Vendors that claim to cover every part of your cybersecurity landscape (like Rapid7, for example - read the Escape vs Rapid7 comparison here) may lack the specific tools and insights necessary to protect APIs comprehensively.

Companies should budget for partnerships with specialized vendors like Escape, who have developed a focused approach to API security through tools, training, and expertise. By aligning with experts in specific domains, organizations can ensure that they receive the highest quality of protection for each segment of their digital environment.

Invest in Security Skills and Training Platforms

Investing in skills and training is another major recommendation from Forrester. You might opt for a specialized training platform, but, of course, we are also happy to help you upskill your team on all things API security:

• Open Source GraphQL Security Academy: Escape contributes significantly to this area with its GraphQL Security Academy, providing open-source training specifically focused on securing GraphQL APIs. This academy addresses the unique challenges associated with GraphQL—a technology growing in popularity but often overlooked when it comes to security training. Escape’s comprehensive resources empower developers and security professionals to better understand and defend against common GraphQL vulnerabilities.
• Blog Articles: Escape also offers a wealth of blog articles that cover various aspects of API security, from foundational best practices to advanced guides for threat mitigation and alignment with compliance requirements. The blog includes topics like securing FastAPI, GraphQL security best practices, and guidance on aligning API security with new regulations such as DORA. These articles are an essential resource for developers and security professionals looking to stay informed about the latest trends and threats in API security.
• Podcast: "The Elephant in AppSec": Additionally, Escape runs a podcast titled "The Elephant in AppSec", which dives into critical discussions in the field of API and application security. The podcast is an excellent platform for learning about the latest application security challenges and strategies in an accessible format.

How Much Should You Allocate To API Security In Your Budget Planning

One of the biggest challenges for CISOs and security leaders during budget planning is determining how much to allocate for cybersecurity, particularly for API security.

While those of us deeply involved in API security understand the critical importance of establishing robust defenses, our counterparts in charge of budget allocation and broader business stakeholders often view security differently. To them, security can appear to be a cost center with little tangible return on investment. How can they justify allocating more budget to security when these funds could potentially be directed towards initiatives for business growth?

When it comes to justifying more investment in cybersecurity, the focus should be on how easy the solutions are to use, the number of attacks we're facing, the size of our attack surface, and identifying our main risks. - Security Manager at the large broadcasting services 

This is where an ROI calculator for API security, like the one developed by Escape, can play a pivotal role in guiding budget decisions.

Here’s how you can leverage this tool to determine your budget:

1. Demonstrate why API Discovery & Security tool and why now - quantify the potential risk

To effectively plan your budget, it's crucial to understand the potential costs of leaving API vulnerabilities unchecked.

API Attacks are estimated to surge 996% by 2030 — with the cost per breach rising from IBM’s estimation used for ROI of $4.45 million to $14.5 million. To persuade your stakeholders, show relevant reports on the state of API security, demonstrate the magnitude and impact of the recent data breaches, or highlight the issue of API sprawl or API secret sprawl.

Escape ROI Calculator applies a simplified understanding of risk, quantifying risk reduction savings as the theoretical financial benefits an improved security posture will have in reducing the likelihood an organization will experience an API-related data breach.

To assess risk impact, the Escape ROI Calculator applies third-party source information to derive the cost of a data breach while adjusting the magnitude of the potential breach by a number of the organization’s web services (not the total number of API endpoints) and its industry risk level. According to IBM’s 2023 “Cost of a Data Breach” report, the average cost of a data breach in 2023 is estimated to be $4,450,000 USD.

2. Avoided business disruption benefits

API-related incidents can lead to significant downtime, which affects not only service availability but also customer trust and brand reputation. In this context, cost savings are calculated based on the time employees will regain by having fewer API-related issues and by reducing the time the development team spends on addressing vulnerabilities instead of focusing on other strategic projects.

Specifically, the calculator considers a two-day window per year and assumes that 10% of the staff's time is lost. Additionally, it factors in the annual salaries of these developers. According to Statista, the average salary for a full-stack developer in 2023 is $140,000 and may go up to $165,000 for a back end developer. For the ROI calculation, we use an estimated salary of approximately $150,000. Depending on your country and organization, this estimation can be adjusted accordingly.

3. Estimating costs and demonstrating ROI

The biggest benefit of Escape’s ROI calculator is its ability to help CISOs articulate the value of API security investments to other executives in financial terms. With the ROI calculator, you can compare the costs of investing in API security tools versus the savings from reducing risk.

The costs of Escape’s platform are based on your organization's number of web services. Escape’s license for your team comes with a full list of functionalities of the platform, including automated API discovery, API security, and remediation code snippets.

Onboarding coordination, ongoing support, and administration are included by default and provided at no extra cost to your organization.

Ultimately, these calculations are best interpreted as educated estimates based on several informational inputs, including documented benefits realized by existing Escape customers.

There are likely additional costs and benefits —both tangible and intangible —not incorporated into these ROI findings due to a lack of specific understanding of your unique environment, team structure, and strategic priorities.

Conclusion

In short, API security is crucial for protecting your organization's data and infrastructure in 2025 and beyond.

Forrester’s recommendations make it clear that targeted investment in API security, modern tools, and skills training is key to making sure that your organization stays protected against breaches.

By using practical resources like Escape's ROI calculator, CISOs can effectively demonstrate the value of these investments, making it easier to secure the necessary budget for 2025.

Ultimately, prioritizing API security isn't just about preventing attacks—it's about securing the foundation of your business! You can do it with Escape.

💡Want to learn more? Discover the following articles:

• The challenges and opportunities of API governance in 2024
• AppSec vendors and CISOs: a love-hate relationship? ⎜Olivia Rose (former CISO at Amplitude and Mailchimp and currently the founder of the Rose CISO Group)
• Reinventing API security: Why Escape is better than traditional traffic-based tools