How much should you spend on security?

How much should an organization spend on security? The simple answer: It depends.

Factors such as the sort of business the company is in, the types of personal or sensitive data or intellectual property it handles, the regulatory requirements it faces, the complexity of its IT infrastructure, the likelihood of it being a target for attacks, and other elements come into play.

The more important question might be: “How should an organization go about determining how much to spend on security?” The process enterprises go through to figure out their proper level of spending on security can be critical to effectively safeguarding systems and data.

Many factors drive security spend

Recent research reports provide some context in terms of how much organizations are spending on security. CIO’s 2019 State of the CIO survey conducted in November 2018 asked 683 IT executives worldwide what percentage of their company’s total IT budget was represented by IT security. The mean response was 15%. Nearly one quarter of the organizations (23%) are devoting 20% or more of their IT budget to security.

Company size does not appear to be a significant factor, with small businesses, on average, spending a similar share of the IT budget on security as the largest enterprises. As for industries, those sectors devoting the highest shares of the budget to security are professional services, financial services and high technology.

When asked to identify which business initiatives will be most significant in driving IT investments at their organization in 2019, 40% of the IT executives cited the need to increase cybersecurity protections. That was tied with increased operational efficiency for the most common response, and finished ahead of improve customer experience, growing the business, transforming existing business processes, and improving profitability.

Another study, based on an IDG Communications survey of 664 security-focused professionals worldwide, shows that nearly two-thirds of enterprises (60%) plan to increase security budgets in the next year, by an average of 13%.

Among the factors that determined priority of security spending are best practices (74%), compliance mandates (69%), responding to a security incident that happened to the organization (35%), mandates from the board of directors (33%), and responding to a security incident that happened to another organization (29%).

As a rule of thumb, an organization should spend between 7% and 10% of its IT budget on security, says Frank Dickson, program vice president, cybersecurity products, at International Data Corp. (IDC).

“However, you can spend 15% of your IT budget on security and still not achieve the level of assuredness that you desire if your architecture is sufficiently complex or the assets being protected are especially valuable,” Dickson says. “Likewise, a spend of 5% may be appropriate.”

How a security company determines its security spend

At HITRUST, a company that provides risk management and security services, the security budget has remained stable over the years, says Jason Taule, vice president of standards and CISO. “This reflects a continued commitment on the part of our leadership team to treat security and privacy seriously and maintain a program of sufficient rigor” to address the company’s own risk exposures and those of its partners and the customers who entrust HITRUST with their data, Taule says.

Improving operational efficiencies keeps security spend stable

The fact that spending has remained flat is somewhat misleading, Taule says. “Like most organizations, we have a continuing need to cover a broader and wider range of threats and risk exposures, but at the same time are realizing increased operational efficiencies,” he says. So, things net out to remain budget neutral. Were it not for improved efficiencies, spending would be up year over year, he says.

Controls framework defines policies and needs

To help determine how much the company should spend on security, HITRUST has adopted a controls framework to define the technical, administrative and physical policies, procedures and point products it needs to implement.

“We also do what we advise customers to do relative to continuous monitoring and have implemented measures and metrics to manage our [security] program,” Taule says. “This goes to governance, as any decision to spend on security must be accompanied by feedback that enables the organization to validate that it is realizing the intended benefits or make a course correction as needed.”

Identify the point of diminishing returns

To figure out the appropriate level of spending, companies need to identify the point where additional expenditures yield a marginal return with respect to risk reduction. “This is the point at which organizations can demonstrate their due diligence, because this level is carefully reasoned and defensible,” Taule says.

Some security spend is mandated

That said, few organizations have the luxury of deciding what to spend entirely on their own, Taule notes. Most companies face regulatory requirements, customer expectations, or partner demands that dictate an additional level of spending.

“In some cases, at least initially, business may be able to reflect some of this expense in their pricing,” Taule says. “But eventually, all but the most rigorous demands will become things customers expect organizations to do as a cost of business.”

Some organizations might put a higher value on security and privacy than others, perhaps even choosing this as a strategy of differentiation from competitors, Taule says. As a result, they might choose to spend more on security.

Perform recurring risk assessment

At a basic level, HITRUST answers the question of how much to spend on security based on routine, regular, and recurring risk assessment. “If risk doesn’t change, then we need not adjust spending,” Taule says. “If we conclude that we are exposed to higher levels than we’ve deemed acceptable, then we need to do something about it. What’s important is to emphasize is that the answer is not static.”

How Colorado justifies security spend increases

The state of Colorado is spending $21.5 million (or about 6% of overall IT spending) on security this year, up from $12.7 million (about 4% of overall IT spending) in 2018. It’s the largest security budget increase ever for the state government, according to Deborah Blyth, CISO for the Colorado governor’s office.

Create a framework to measure security maturity

“It is very difficult to determine how much money is enough, and what the right level of expenditure should be,” Blyth says. The state has adopted a framework, the 20 Critical Security Controls, and it measures security maturity against that framework.

“This ongoing maturity assessment is then used to justify additional funding as needed, to implement additional controls and sub-controls,” Blythe says. “If funding is preventing us from fully implementing the sub-controls, we might add that to our budget request. Other factors such as evolving agency needs and current threats also factor into our budgetary requests.”

Justify spend needs due to current threats

For instance, a security incident the Colorado Department of Transportation experienced in February 2018 factored heavily into the budget request that resulted in this year’s budget. “Lack of adequate funding was delaying the implementation of necessary security improvements that would have prevented or lessened the impact of the security incident, even though these efforts had been underway for several years,” Blyth says. “We were successful in building the business case and increasing our level of funding in an effort to complete the identified security improvements this year.”

Compare spend to peer organizations

The state also uses a study by the National Association of State Chief Information Officers (NASCIO), published every other year, to see how its security investment compares with other states. That study is showing states investing between 6% and 10% of their IT budgets on security, Blyth says.