Friday, June 10, 2005

What you should spend on security

#79 Many CIOs and chief information security officers (CISOs) are uncertain what constitutes a "normal" level of security spending in terms of a percentage of the overall IT budget. Unfortunately, security spending is often difficult to pin down because of the many aspects of security across the organization. Security costs include dedicated security hardware, software, personnel and services, but security spending is often embedded in other areas in hidden ways. For this and other reasons, it can be difficult to obtain reliable statistical information on enterprise security spending.

On 9th March, Gartner released a Strategic Analysis Report that represents their best effort to assemble the most reliable information they had on the topic of information security spending. Their conclusion is that, as a general rule, a security spending level of 3 percent to 6 percent of total IT budget should be the norm. However, there are many variables, outlined in the report, which can affect this spending range. There can be significant variances by industry. Also, organizations with mature IT systems will often spend less on security; highly regulated or high-risk-visibility companies will usually spend more. Although spending levels are no real indicator of security levels, such comparisons can be used as a preliminary test to see if security is underfunded or inefficient. Anything significantly higher or lower should be subject to investigation. The summary can be found here. If you have access privileges, please sign in to see the full report. If you do not have access, you will be able to purchase the report.

My company conducts a security assessment (The CxO Security Assessment) whereby we benchmark over 130 security best practices across people, organisation, processes and technology. We have completed over 50 of these globally to date and the spending benchmark average we have found from this sample is 4%, with a low of 2% and a high of 6%, which seems to concur with the Gartner findings.
