IT Security: How Much Should You Spend?

Just how much should you be spending on IT security? It is a vexing question to answer, because each situation has its own circumstances and factors. But here are some insights garnered over the last decade in cybersecurity.

First off, what constitutes security spending? Dedicated security hardware, software, personnel, and services for sure, but security spending is often embedded in other areas in hidden ways. It varies by industry, geography, and corporate culture. IT security spend will be higher in regulated environments with stringent compliance requirements, and it can also increase when a new threat is acknowledged or in the aftermath of a breach.

Who spends the least on security? Two kinds of organizations - those that are ignoring the problem and underspending, and those that have a mature IT program. The process discipline and safeguards established by mature IT programs minimize unexpected incidents and thus reduce unforeseen costs.

Spending on technologies such as firewalls remains constant because threats continually change. Older threats are addressed more efficiently over time, but new technologies and an ever-changing threat landscape bring new threats that necessitate a spending increase. Spending on "letting the good guys in," such as multi-factor authentication and access management, is often discretionary, yet it is frequently required for strategic business initiatives such as home banking or for regulatory compliance. Such projects, funded and implemented as part of larger IT projects, are usually not counted in the information security budget.

On average, a security spending level of 3 - 6 percent of the total IT budget is considered the norm. If you add in compliance spending as part of security, that's another 3 - 6 percent of the IT budget. If you include business continuity spending, that's another 2 percent, bringing it to 10 - 14 percent of the total IT budget. If you spend much less than the norm, be advised to revisit your security assumptions and posture given today's advanced threats.

IT Security pie chart

Make your security dollars go farther and respond quickly to new threats by co-sourcing IT security functions such as security monitoring, vulnerability management, endpoint protection, and SOC-as-a-Service (SOCaaS). For a small to mid-sized organization, such a managed services plan has the added benefit of helping solve the IT security talent shortage.

Learn more about how EventTracker SOCaaS advances protection without breaking the bank.

  • How to Justify EDR with Three Top Business Cases

    April 03, 2019

    Increasing complexity and frequency of attacks have escalated the need for detection of attacks and incident response. Endpoints are the new battleground as they are a) more pervasive across the network, b) more commonly used by non-IT personnel, and c) less well-defended by IT teams who first move to secure the data center. Endpoint detection and response (EDR) solutions meet the need to rapidly investigate large numbers of systems for evidence of malicious activity, quickly uncover, and then remediate attacks and incidents.

  • SIEMpocalypse?

    March 20, 2019

    Did you know that Microsoft is a security vendor? No, it’s true. For years, the company was hammered by negative public perception and the butt of jokes around the 2002 "trustworthy computing" memo. The company has steadily invested in developing a security mindset and the product results are now more visible to the public.

  • What is EDR and Why It is Critical to SMB Security?

    February 25, 2019

    Over 7 billion global devices in an always-on and continuously connected world create a soft target for today's attacker. Whether working to monetize data or make a political statement, adversaries are well funded and staffed in the battle for endpoint access and control.

  • Five Takeaways from the 2019 SIEM Study

    January 31, 2019

    We recently released the findings of the Security Information and Event Management (SIEM) study conducted by Cybersecurity Insights. The study surveyed over 345 IT and security executives and practitioners, 45% of them from small and mid-sized firms with 999 or fewer employees and the balance from enterprise organizations with 1,000 or more employees.
