How much should an organization spend on security? The simple answer: it depends.

Factors such as the sort of business the company is in, the types of personal or sensitive data or intellectual property it handles, the regulatory requirements it faces, the complexity of its IT infrastructure, the likelihood of its being a target for attacks, and other elements come into play.

The more important question might be: “How should an organization go about determining how much to spend on security?” The process enterprises go through to figure out their proper level of security spending can be critical to effectively safeguarding systems and data.

Many factors drive security spend

Recent research reports provide some context on how much organizations are spending on security. CIO’s 2019 State of the CIO survey, conducted in November 2018, asked 683 IT executives worldwide what percentage of their company’s total IT budget was represented by IT security. The mean response was 15%. Nearly one quarter of the organizations (23%) are devoting 20% or more of their IT budget to security.

Company size does not appear to be a significant factor: small businesses, on average, spend a similar share of the IT budget on security as the largest enterprises. As for industries, the sectors devoting the highest shares of the budget to security are professional services, financial services and high technology.

When asked to identify which business initiatives will be most significant in driving IT investments at their organization in 2019, 40% of the IT executives cited the need to increase cybersecurity protections. That was tied with increasing operational efficiency as the most common response, and finished ahead of improving customer experience, growing the business, transforming existing business processes, and improving profitability.

Another study, based on an IDG Communications survey of 664 security-focused professionals worldwide, shows that 60% of enterprises plan to increase security budgets in the next year, by an average of 13%.

Among the factors that determined the priority of security spending are best practices (74%), compliance mandates (69%), responding to a security incident that happened to the organization (35%), mandates from the board of directors (33%), and responding to a security incident that happened to another organization (29%).

As a rule of thumb, an organization should spend between 7% and 10% of its IT budget on security, says Frank Dickson, program vice president, cybersecurity products, at International Data Corp. (IDC). “However, you can spend 15% of your IT budget on security and still not achieve the level of assuredness that you desire if your architecture is sufficiently complex or the assets being protected are especially valuable,” Dickson says. “Likewise, a spend of 5% may be appropriate.”

How a security company determines its security spend

At HITRUST, a company that provides risk management and security services, the security budget has remained stable over the years, says Jason Taule, vice president of standards and CISO. “This reflects a continued commitment on the part of our leadership team to treat security and privacy seriously and maintain a program of sufficient rigor” to address the company’s own risk exposures and those of its partners and the customers who entrust HITRUST with their data, Taule says.

Improving operational efficiencies keeps security spend stable

The fact that spending has remained flat is somewhat misleading, Taule says. “Like most organizations, we have a continuing need to cover a broader and wider range of threats and risk exposures, but at the same time are realizing increased operational efficiencies,” he says. So things net out to remain budget neutral. Were it not for improved efficiencies, spending would be up year over year, he says.

Controls framework defines policies and needs

To help determine how much the company should spend on security, HITRUST has adopted a controls framework to define the technical, administrative and physical policies, procedures and point products it needs to implement.

“We also do what we advise customers to do relative to continuous monitoring and have implemented measures and metrics to manage our [security] program,” Taule says. “This goes to governance, as any decision to spend on security must be accompanied by feedback that enables the organization to validate that it is realizing the intended benefits or make a course correction as needed.”

Identify the point of diminishing returns

To figure out the appropriate level of spending, companies need to identify the point beyond which additional expenditures yield only marginal returns in risk reduction. “This is the point at which organizations can demonstrate their due diligence, because this level is carefully reasoned and defensible,” Taule says.

Some security spend is mandated

That said, few organizations have the luxury of deciding what to spend entirely on their own, Taule notes. Most companies face regulatory requirements, customer expectations, or partner demands that dictate an additional level of spending.

“In some cases, at least initially, business may be able to reflect some of this expense in their pricing,” Taule says. “But eventually, all but the most rigorous demands will become things customers expect organizations to do as a cost of business.”

Some organizations might put a higher value on security and privacy than others, perhaps even choosing this as a strategy of differentiation from competitors, Taule says. As a result, they might choose to spend more on security.

Perform recurring risk assessment

At a basic level, HITRUST answers the question of how much to spend on security based on routine, regular, and recurring risk assessment. “If risk doesn’t change, then we need not adjust spending,” Taule says. “If we conclude that we are exposed to higher levels than we’ve deemed acceptable, then we need to do something about it. What’s important to emphasize is that the answer is not static.”

How Colorado justifies security spend increases

The state of Colorado is spending $21.5 million (about 6% of overall IT spending) on security this year, up from $12.7 million (about 4% of overall IT spending) in 2018. It’s the largest security budget increase ever for the state government, according to Deborah Blyth, CISO for the Colorado governor’s office.

Create a framework to measure security maturity

“It is very difficult to determine how much money is enough, and what the right level of expenditure should be,” Blyth says. The state has adopted a framework, the 20 Critical Security Controls, and measures its security maturity against that framework.

“This ongoing maturity assessment is then used to justify additional funding as needed, to implement additional controls and sub-controls,” Blyth says. “If funding is preventing us from fully implementing the sub-controls, we might add that to our budget request. Other factors such as evolving agency needs and current threats also factor into our budgetary requests.”

Justify spend needs due to current threats

For instance, a security incident the Colorado Department of Transportation experienced in February 2018 factored heavily into the budget request that resulted in this year’s budget. “Lack of adequate funding was delaying the implementation of necessary security improvements that would have prevented or lessened the impact of the security incident, even though these efforts had been underway for several years,” Blyth says. “We were successful in building the business case and increasing our level of funding in an effort to complete the identified security improvements this year.”

Compare spend to peer organizations

The state also uses a study by the National Association of State Chief Information Officers (NASCIO), published every other year, to see how its security investment compares with other states. That study shows states investing between 6% and 10% of their IT budgets on security, Blyth says.