Businesses spend just 5% of budgets on IT security

Gartner: Comparing your security spend to other firms can be misleading

Businesses are spending on average just over 5% of their overall IT budgets on trying to prevent the latest hacks and security breaches, according to analyst house Gartner.

Despite the growing risk of threats facing organisations, surprisingly, Gartner said that IT security spending ranges from just 1% to 13% of a firm's IT budget, and warns that companies comparing their security spending, even to other firms in the same sector, can be potentially misleading.

Advertisement - Article continues below

"Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programmes," explained Gartner's research director, Rob McMillan.

"But general comparisons to generic industry averages don't tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable."

He added: "Alternatively, you may be spending appropriately but have a different risk appetite from your peers."

According to Gartner, most companies will continue to misuse average IT security spending figures as a substitute for assessing security posture, at least until 2020. The analyst firm warned that business requirements and risk tolerance need to be considered when evaluating whether or not a business has set its security budget at the right level.

Advertisement - Article continues below
Advertisement - Article continues below

"IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organisations," Gartner explained. "They simply provide an indicative view of average costs, without regard to complexity or demand."

This is because many organisations are unaware of their security budget, and - in most instances - the chief information security officer does not have insight into security spending throughout the enterprise, Gartner said.

"This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel," the firm added.

And deciding what to spend that budget on is a different thing entirely.  Security spending is generally split among hardware, software, services - including outsourcing and consulting - and personnel. 

"To identify the real security budget, there are many places to look, such as networking equipment that has embedded security functions, desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programmes, and security training that may be funded by HR," Gartner said. 

Advertisement - Article continues below

Its research suggests secure organisations can sometimes spend less than average on security as a percentage of their IT budgets. The lowest-spending 20% of businesses are composed of two distinctly different types of organisations: Unsecure organisations that underspend, and secure organisations that have implemented best practices for IT operations and security and work toward reducing the number of security vulnerabilities.

Gartner's view is that enterprises should be spending less on security if they have mature governance systems, and higher if they are wide open and at risk.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now


video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020

Businesses brace for second 'Fujiwhara effect' of 2020 as Patch Tuesday looms

9 Apr 2020

Most Popular


Nokia breaks 5G record with speeds nearing 5Gbps

20 May 2020
cloud computing

Microsoft launches public cloud service for health care

21 May 2020
video conferencing

House of Commons to ditch Zoom in favour of British alternative

11 May 2020