State of cybercrime 2018: Security spending up, but so are the risks

IT and security management use more technology to defend against sophisticated hacker attacks, but still lag on security training.


In the past year, security teams have seen both large and small organizations hit by high-profile breaches. They’ve also witnessed the cost, not just in money but in loss of reputation, for both the affected organizations and security leaders. Layered on top of that are new privacy and security regulations that redefine many aspects of how security organizations do their jobs.

These trends and events are driving companies to take IT security more seriously, according to a new survey from CSO. Its results provide insight into not only the nature and scope of the threats that U.S. businesses face, but exactly how those businesses are responding.


The 2018 U.S. State of Cybercrime survey is conducted annually by CSO in partnership with the US Secret Service and CERT at the Software Engineering Institute at Carnegie Mellon University. The survey covers the time period of June 2017 to May 2018.

Of the 515 respondents, 34 percent identified themselves as IT management, 20 percent said they were in security management, 14 percent said they were business management, and the remainder said they were staff or other. The average company size was 10,874 people, and 51 percent of respondents said they worked for small- to medium-sized companies while 49 percent worked at enterprise-level organizations.

Security spending is on the rise

One notable change from last year’s survey is in the average IT security budget. It increased to $15 million, up from $11 million. That’s nearly a 27 percent rise, and it is another indicator that security is top-of-mind among business leaders. The $15 million does not include physical security, which respondents said they spent an average of $13 million on in 2018.

Fifteen percent of respondents said their IT security budget was more than $10 million. Interestingly, 37 percent said their IT security budget was less than $250,000. That suggests that some companies represented in the survey spend significantly more than $10 million given the average spend of $15 million.

Changing reporting lines for CISOs
