
What percentage of IT budget should go to cybersecurity?

Understand industry benchmarks and factors for determining appropriate cybersecurity budget allocation as a percentage of total IT spending.

By Inventive HQ Team

Industry Benchmarks and Standards

Determining the right cybersecurity budget as a percentage of IT spending is one of the most frequently asked questions in security leadership. The answer isn't simple because it depends on industry, organization size, risk profile, and maturity level. However, industry benchmarks provide guidance.

According to recent surveys and reports:

Gartner research: Organizations typically spend 7-14% of their IT budget on cybersecurity. The range reflects the wide variation based on organization size and industry.

Verizon Data Breach Investigations Report: Does not set a budget percentage, but the breach patterns it documents are what the budget is meant to prevent; organizations that have been breached typically report wishing they had spent more beforehand.

SANS Institute: Recommends 8-12% of IT budget for cybersecurity for most organizations, with 12-15% for highly regulated industries or those handling sensitive data.

IDC and other analyst firms: Report average cybersecurity spending at approximately 10-12% of IT budgets, with significant variation by industry and organization size.

CyberSeek workforce and salary data: Shows security roles as a growing share of IT hiring, which suggests budgets are rising as organizations recognize the threat.

These benchmarks suggest that 10% of IT budget is a reasonable starting target for most organizations, though circumstances vary significantly. Before quoting any of these figures in a business case, check them against the current edition of the report in question; analyst ranges shift from year to year and secondary citations often lag.

Factors Influencing Your Cybersecurity Budget Percentage

Rather than relying solely on industry benchmarks, determine your appropriate budget by considering your specific situation:

Industry and regulatory requirements:

Financial services institutions, healthcare organizations, and government contractors face stricter compliance requirements and higher regulatory penalties for breaches. These industries typically budget 12-20% of IT spending on cybersecurity.

Technology companies and cloud service providers face continuous threats and data protection demands, typically budgeting 10-15%.

Retail and e-commerce organizations processing payment data must comply with PCI DSS and face reputational damage from breaches, typically budgeting 8-12%.

Manufacturing and utilities have increasing operational technology (OT) security requirements, typically budgeting 10-15%.

Less regulated industries (professional services, education, non-profits) typically budget 5-10%.

Organizational size:

Large enterprises (>10,000 employees): Often spend 8-12% of IT budget on security due to economies of scale and ability to build internal security teams.

Mid-market organizations (1,000-10,000 employees): Typically spend 10-15% because they can't achieve the same efficiency as large enterprises but have significant security requirements.

Small organizations (<1,000 employees): Often spend 12-20% because they can't leverage internal expertise and must rely on outsourced services, which are relatively expensive.

This seemingly counterintuitive relationship exists because large organizations can build efficient internal teams, while small organizations must buy services at higher per-user costs.

Current threat environment and breach history:

Organizations that have experienced data breaches typically increase security budgets significantly afterward (often to 15%+).

Organizations in actively targeted industries (finance, government, technology) budget more heavily.

Organizations with a low-profile risk exposure might justify lower budgets.

Maturity level of security program:

Organizations building security programs from scratch often budget 15-20% initially to rapidly mature capabilities.

Organizations with mature programs might stabilize at 8-10% as foundational controls are in place.

Mature programs still increase budgets due to emerging threats and new technologies.

Sensitivity and scope of data:

Organizations handling personal health information (PHI), payment card data (in PCI DSS scope), or government data often budget 12-20%.

Organizations with limited sensitive data exposure might justify 5-8%.

Complexity of IT environment:

Organizations with complex hybrid cloud, containerized, and distributed systems typically budget more (12-15%+) than those with simpler environments.

Legacy environments still require security spending but might be more predictable.

Regulatory compliance requirements:

Organizations subject to HIPAA, PCI DSS, SOC 2, ISO 27001, GDPR, or other regulations and assurance frameworks must budget for the controls those frameworks require.

Budget should include assessments, audits, remediation, and compliance management—not just tools.

Calculating Your Target Cybersecurity Budget

Rather than simply applying an industry percentage, calculate your specific budget needs:

Method 1: Risk-based approach

  1. Identify your assets and data
  2. Assess the loss if each were compromised (regulatory fines, breach response costs, downtime, reputational damage); this is the single loss expectancy (SLE), which is usually well below the gross value of the asset
  3. Estimate the annual breach probability given your current security posture (the annualized rate of occurrence, ARO)
  4. Calculate Expected Annual Loss (EAL) = Loss per breach × Annual breach probability, summed over assets (the ALE = SLE × ARO formula used by most quantitative risk methodologies)
  5. Budget 3-5% of EAL for preventive controls

Example:

  • Your organization would lose $100M if its assets/data were compromised
  • Estimated breach probability: 2% annually
  • Expected annual loss: $2M
  • Cybersecurity budget: $60K-$100K annually (3-5% of EAL)

This approach links security spending directly to risk. Two checks before relying on the number: first, a control is worth funding whenever its annual cost is below the expected loss it removes, so a control that cuts EAL by $500K and costs $100K pays for itself even though it exceeds the 3-5% rule above; second, compare the result against the percentage benchmarks earlier in this article, because $60K-$100K for an organization with $100M at risk is far below any of them and usually means the loss or probability estimate is too low.
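The following is an added illustration of Method 1 carried through with the cost-benefit check, not code from the original post. It computes EAL as the sum of SLE × ARO over several assets, then funds candidate controls in order of return on security investment (ROSI = (loss avoided - cost) / cost), stopping when no remaining control pays for itself, and reports the resulting spend as a percentage of the IT budget alongside the 3-5%-of-EAL figure. All asset values, probabilities, control costs, and the reduction each control is assumed to deliver are constructed sample data, as is the $1.2M IT budget.

```python
"""Risk-based security budget sizing (Method 1) with a ROSI cost-benefit check.

Added illustration; not code from the original article. Every asset, loss
figure, probability, control and reduction factor below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    loss_per_breach: float      # SLE: what one breach of this asset actually costs
    annual_probability: float   # ARO: chance of a breach per year under current controls


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    reductions: Dict[str, float]  # asset name -> fraction by which this control cuts its ARO


def expected_annual_loss(assets: List[Asset]) -> float:
    """EAL (ALE) = sum over assets of SLE x ARO."""
    return sum(a.loss_per_breach * a.annual_probability for a in assets)


def apply_control(assets: List[Asset], control: Control) -> List[Asset]:
    """Return a new asset list with the control's probability reductions applied."""
    return [
        Asset(a.name, a.loss_per_breach,
              a.annual_probability * (1.0 - control.reductions.get(a.name, 0.0)))
        for a in assets
    ]


def rosi(assets: List[Asset], control: Control) -> float:
    """Return on security investment: (expected loss avoided - cost) / cost."""
    avoided = expected_annual_loss(assets) - expected_annual_loss(apply_control(assets, control))
    return (avoided - control.annual_cost) / control.annual_cost


def select_controls(assets: List[Asset], controls: List[Control]) -> Tuple[List[Control], List[Asset]]:
    """Greedy selection: repeatedly fund the control with the best ROSI against the
    *current* risk picture, and stop as soon as the best remaining one does not pay
    for itself. Re-evaluating after each pick matters because controls overlap: once
    MFA has cut an asset's ARO, EDR removes less loss from the same asset."""
    chosen, remaining, current = [], list(controls), list(assets)
    while remaining:
        best = max(remaining, key=lambda c: rosi(current, c))
        if rosi(current, best) <= 0:
            break
        chosen.append(best)
        current = apply_control(current, best)
        remaining.remove(best)
    return chosen, current


def page_rule_budget(eal: float, low: float = 0.03, high: float = 0.05) -> Tuple[float, float]:
    """The article's '3-5% of EAL' rule, for comparison with the cost-benefit result."""
    return eal * low, eal * high


def budget_summary(assets: List[Asset], controls: List[Control], it_budget: float) -> dict:
    chosen, after = select_controls(assets, controls)
    spend = sum(c.annual_cost for c in chosen)
    return {
        "eal_before": expected_annual_loss(assets),
        "eal_after": expected_annual_loss(after),
        "controls": [c.name for c in chosen],
        "security_spend": spend,
        "pct_of_it_budget": 100.0 * spend / it_budget,
    }


# Constructed sample data (hypothetical organization).
SAMPLE_ASSETS = [
    Asset("customer-db", loss_per_breach=4_000_000, annual_probability=0.10),
    Asset("payment-gateway", loss_per_breach=2_500_000, annual_probability=0.05),
    Asset("corp-email", loss_per_breach=300_000, annual_probability=0.30),
]
SAMPLE_CONTROLS = [
    Control("mfa-everywhere", 60_000, {"customer-db": 0.5, "corp-email": 0.6, "payment-gateway": 0.3}),
    Control("edr", 90_000, {"customer-db": 0.3, "corp-email": 0.4}),
    Control("dlp-suite", 200_000, {"customer-db": 0.2}),
    Control("vuln-mgmt", 40_000, {"customer-db": 0.25, "payment-gateway": 0.25}),
]
SAMPLE_IT_BUDGET = 1_200_000

if __name__ == "__main__":
    summary = budget_summary(SAMPLE_ASSETS, SAMPLE_CONTROLS, SAMPLE_IT_BUDGET)
    lo, hi = page_rule_budget(summary["eal_before"])
    for k, v in summary.items():
        print(f"{k:>18}: {v}")
    print(f"   3-5% of EAL rule: ${lo:,.0f} - ${hi:,.0f}")
```

On the sample data the cost-benefit check funds MFA and vulnerability management ($100K, about 8.3% of the $1.2M IT budget, inside the 8-12% band the article quotes for retail) and rejects DLP and EDR because, after the first two picks, neither removes more expected loss than it costs. The 3-5%-of-EAL rule would have produced only $18K-$31K, which is why the article's rule should be treated as a floor to sanity-check rather than the budget itself.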

Method 2: Compliance and control-driven approach

  1. List all regulatory requirements (HIPAA, PCI, SOC 2, etc.)
  2. Identify required controls for each requirement
  3. Estimate cost of implementing each control:
    • Tool/technology costs
    • Personnel costs (FTEs, contractors)
    • Professional services (assessment, audit, remediation)
    • Training and awareness
  4. Sum total costs

This ensures you budget adequately for compliance obligations.

Method 3: Comparative analysis approach

  1. Research comparable organizations (similar size, industry, complexity)
  2. Determine their security budgets (through surveys, reports, or contacts)
  3. Adjust for your specific risk factors and requirements
  4. Set target as reasonable percentage of IT budget

This provides external validation against peers.

Method 4: Maturity-based approach

Security programs typically progress through maturity levels, with increasing budget requirements:

  • Level 1 (Ad-hoc): 3-5% of IT budget (minimal, reactive security)
  • Level 2 (Repeatable): 7-10% of IT budget (establishing processes and tooling)
  • Level 3 (Managed): 10-15% of IT budget (comprehensive program, automation)
  • Level 4 (Optimized): 8-12% of IT budget (mature program, efficient operations)

Determine your target maturity level, then budget to reach it.

What the Budget Covers

Cybersecurity budget should include:

Personnel costs (typically 30-50% of budget):

  • Chief Information Security Officer (CISO)
  • Security engineers and architects
  • Analysts (SOC analysts, threat analysts)
  • Security operations and incident response
  • Contractors and consultants

Technology and tools (typically 30-40% of budget):

  • Firewalls, intrusion detection/prevention systems
  • Endpoint detection and response (EDR)
  • Security information and event management (SIEM)
  • Data loss prevention (DLP)
  • Identity and access management (IAM)
  • Vulnerability scanning and management
  • Container and cloud security tools
  • Security testing tools

Professional services (typically 10-20% of budget):

  • Security assessments and audits
  • Penetration testing
  • Incident response services
  • Compliance support
  • Security training and awareness programs
  • Consulting

Overhead and compliance (typically 5-15% of budget):

  • Audit and compliance costs
  • Insurance and cyber liability coverage
  • Conference attendance and training
  • Internal budget allocation and overhead

Budget Allocation Within Cybersecurity

When allocating your security budget, consider:

Foundation controls (must-haves, 30-40% of budget):

  • Identity and access management
  • Network security
  • Endpoint protection
  • Patch management
  • Vulnerability management
  • Incident response capabilities

These foundational controls provide the most risk reduction per dollar.

Advanced controls (nice-to-haves, 20-30% of budget):

  • Advanced threat detection
  • Cloud and container security
  • AI/ML-based threat detection
  • Application security testing
  • Security architecture services

These provide additional detection and response capabilities. Treat the split as environment-dependent: for a cloud-native or software-producing organization, cloud, container, and application security testing belong with the foundation controls, not the optional tier.

Compliance and governance (required, 15-20% of budget):

  • Audit and assessment
  • Policy development and management
  • Training and awareness
  • Compliance reporting and management

These are required for regulated organizations.

Operations and team (ongoing, 20-30% of budget):

  • Salaries and contractors
  • Training for security team
  • Tools and system management
  • Internal projects

Budget Justification and ROI

When justifying security budgets to executives:

Focus on risk reduction: "Spending X on security prevents Y in potential breach costs"

Compliance requirements: "Regulations require Z controls; not budgeting for them risks fines and penalties"

Comparison to industry: "Our peers spend X% on security; we're spending less"

Cost of breaches: "Recent breaches at similar companies cost $XM; the controls in this request reduce the likelihood and impact of the same scenario here"

Operational efficiency: "Better security reduces incident response costs and downtime"

Talent acquisition: "Competitive security budget helps attract and retain talent"

Customer requirements: "Our customers increasingly require security certifications (SOC 2, ISO 27001) that require investment"

Benchmarking Your Cybersecurity Spending

Understand how you compare to peers:

Industry reports: Gartner, IDC, Forrester publish annual cybersecurity spending reports by industry and size.

Peer surveys: Many industry associations (financial services, healthcare, etc.) conduct peer benchmarking surveys.

Training and research institutes: SANS Institute publishes security spending recommendations and survey data.

Internal research: Contact peer organizations directly (discreetly) to understand their spending.

Tool vendors: Vendors often know competitive spending ranges for similar organizations; treat their figures as indicative, since they have an interest in the answer.

Increasing Your Cybersecurity Budget

If you've determined you're underfunding security:

Phase 1 (Immediate): Increase budget 25-50% to address most critical gaps.

Phase 2 (1-2 years): Increase another 25-50% to mature security program.

Phase 3 (Ongoing): Budget increases aligned with inflation and emerging threats.

Many organizations increase cybersecurity budgets by 10-15% annually as threats evolve and new technologies emerge.

Conclusion

There's no single "right" cybersecurity budget percentage; it depends on industry, organization size, regulatory requirements, threat environment, and risk tolerance. Industry benchmarks suggest 10% of IT budget is reasonable for most organizations, with ranges from 5-20% depending on circumstances. Calculate your specific needs based on risk, compliance requirements, and maturity goals rather than blindly following benchmarks. Most organizations find that underfunding security is far more expensive than appropriate investment, because breach costs dwarf preventive security spending. If your organization is below the industry benchmarks for your sector, a business case for budget increases likely exists.
