Businesses spend just 5% of budgets on IT security

Gartner: Comparing your security spend to other firms can be misleading

Businesses are spending on average just over 5% of their overall IT budgets on trying to prevent the latest hacks and security breaches, according to analyst house Gartner.

Despite the growing risk of threats facing organisations, Gartner said that IT security spending ranges from just 1% to 13% of a firm's IT budget, and warned that comparing security spending with that of other firms, even those in the same sector, can be misleading.

"Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programmes," explained Gartner's research director, Rob McMillan.

"But general comparisons to generic industry averages don't tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable."

He added: "Alternatively, you may be spending appropriately but have a different risk appetite from your peers."

According to Gartner, most companies will continue to misuse average IT security spending figures as a substitute for assessing security posture, at least until 2020. The analyst firm warned that business requirements and risk tolerance need to be considered when evaluating whether or not a business has set its security budget at the right level.

"IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT organisations," Gartner explained. "They simply provide an indicative view of average costs, without regard to complexity or demand."

This is because many organisations are unaware of their security budget, and - in most instances - the chief information security officer does not have insight into security spending throughout the enterprise, Gartner said.

"This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel," the firm added.

And deciding what to spend that budget on is a different thing entirely. Security spending is generally split among hardware, software, services - including outsourcing and consulting - and personnel.

"To identify the real security budget, there are many places to look, such as networking equipment that has embedded security functions, desktop protection that may be included in the end-user support budget, enterprise applications, outsourced or managed security services, business continuity or privacy programmes, and security training that may be funded by HR," Gartner said. 

Its research suggests secure organisations can sometimes spend less than average on security as a percentage of their IT budgets. The lowest-spending 20% of businesses are composed of two distinctly different types of organisations: unsecure organisations that underspend, and secure organisations that have implemented best practices for IT operations and security and work toward reducing the number of security vulnerabilities.

Gartner's view is that enterprises should be spending less on security if they have mature governance systems, and more if they are wide open and at risk.
