Businesses spend just 5% of budgets on IT security

Gartner: Comparing your security spend to other firms can be misleading

Businesses are spending on average just over 5% of their overall IT budgets on trying to prevent the latest hacks and security breaches, according to analyst house Gartner.

Despite the growing threats facing organisations, Gartner said that IT security spending ranges, surprisingly, from just 1% to 13% of a firm's IT budget, and warned that comparing security spending, even with other firms in the same sector, can be misleading.


"Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programmes," explained Gartner's research director, Rob McMillan.

"But general comparisons to generic industry averages don't tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable."

He added: "Alternatively, you may be spending appropriately but have a different risk appetite from your peers."

According to Gartner, most companies will continue to misuse average IT security spending figures as a substitute for assessing security posture, at least until 2020. The analyst firm warned that business requirements and risk tolerance need to be considered when evaluating whether or not a business has set its security budget at the right level.


"IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organisations," Gartner explained. "They simply provide an indicative view of average costs, without regard to complexity or demand."

This is because many organisations are unaware of their security budget, and - in most instances - the chief information security officer does not have insight into security spending throughout the enterprise, Gartner said.

"This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel," the firm added.

And deciding what to spend that budget on is a different thing entirely. Security spending is generally split among hardware, software, services - including outsourcing and consulting - and personnel.

"To identify the real security budget, there are many places to look, such as networking equipment that has embedded security functions, desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programmes, and security training that may be funded by HR," Gartner said. 


Its research suggests secure organisations can sometimes spend less than average on security as a percentage of their IT budgets. The lowest-spending 20% of businesses are composed of two distinctly different types of organisations: unsecure organisations that underspend, and secure organisations that have implemented best practices for IT operations and security and work toward reducing the number of security vulnerabilities.

Gartner's view is that enterprises should be spending less on security if they have mature governance systems, and more if they are wide open and at risk.
