Just how much should you be spending on IT Security? It’s a vexing question to answer for many reasons as each situation has their unique circumstances and factors. But here are some insights garnered over the last decade in cybersecurity.
First off, what constitutes security spending? Dedicated security hardware, software, personnel, and services for sure, but security spending is often embedded in other areas in hidden ways. It can vary by industry, geography, and corporate culture. IT security spend will be higher in regulated environments with stringent compliance requirements and can also increase if a new threat is acknowledged, or in the aftermath of a breach.
Who spends the least on security? Two kinds of organizations - those that are ignoring the problem and underspending, and those that have a mature IT program. The process discipline and safeguards established by mature IT programs minimize unexpected incidents and thus reduce unforeseen costs.
Spending on technologies such as firewalls remains constant because of continually changing threats. Older threats will be addressed more efficiently, but new technologies and an ever-changing threat landscape bring new threats that necessitate a spending increase. Spending for "letting the good guys in" such as multi-factor authentication and access management is often discretionary, but often required for strategic business initiatives such as home banking or regulatory compliance. Such projects that get funded and implemented as part of larger IT projects are usually not part of the information security budget.
On average, a security spending level of 3 - 6 percent of total IT budget is considered the norm. If you add in compliance spending as part of security, that's another 3 - 6 percent of the IT budget. If you include business continuity spending, that's another 2 percent bringing it to 10 -14 percent of the total IT budget. If you spend much less than the norm, be advised to revisit your security assumptions and posture given today’s advanced threats.
Make your security dollars go farther and respond quickly to new threats by co-sourcing IT security functions, such as security monitoring, vulnerability management, endpoint protection, and SOC-as-a-Service (SOCaaS). For a small to mid-sized organization, the added benefit in such a managed services plan helps solve the IT security talent shortage.
Learn more about how EventTracker SOCaaS advances protection without breaking the bank.