Avasant Releases New Benchmarks for IT Security and Cybersecurity Spending
Security and cybersecurity damages have been increasing every year. The FBI's most recent Internet Crime Report recorded total losses in 2023 in excess of $12 billion. Although these losses are staggering, they are almost certainly the tip of the iceberg. They reflect only losses that are reported to the FBI, and many victims, whether individuals or businesses, choose not to file complaints or report losses. Moreover, the FBI data does not include certain types of losses, such as ransomware payments.
In addition to direct costs, victims also suffer indirect costs. These include loss of revenue, losses due to downtime, reputation or brand damage, and loss of trade secrets or intellectual property. These can easily exceed the level of direct costs.
In light of these growing threats, it is no wonder that organizations in all industries continually rank security as a top priority for new spending. But how much are they spending, and what are they spending it on? To provide metrics to answer these questions, we have now updated our annual report, IT Security, Cybersecurity, and Compliance Spending and Staffing Benchmarks 2024.
As shown in Figure 3 of the full report, organization size has little influence on IT security spending as a percentage of overall IT operational spending. Small organizations allocate 5.4%, while midsize and large organizations allocate 5.2% and 5.3%, respectively. This signifies the importance of IT security across all sizes of organizations given the ever-evolving threat landscape. In other words, on average, a small organization with a $100 million IT budget would be spending over $5 million a year on the security tower.

What is the security tower? It includes all IT security, cybersecurity, and security-related compliance spending. It includes security personnel costs (both internal and external personnel), security hardware, security software, and outside security services. It includes both security spending and depreciation of past security capital investments. It does not include current-year security capital spending.
Small organizations are defined as those with less than $5 million in IT operational spending, while large organizations spend over $25 million, and midsize organizations fall in the middle.
“It can be difficult to know how much to spend on cybersecurity,” said Frank Scavo, senior partner at Avasant Research, based in Los Angeles. “Although you don’t want to just throw money at the problem, knowing how much your industry peers are spending at least gives you a baseline to start from.”
Our full report addresses this need, providing benchmarks by industry and organization size for IT security, cybersecurity, and related compliance spending and staffing. Benchmarks are calculated across a number of units, including users, organization revenue, IT operational spending, number of network devices, number of network locations, and number of endpoints. Security staffing metrics are calculated as a percentage of the IT staff and per user. Industry benchmarks are provided for business services, IT services and solutions, financial services, critical infrastructure, public sector, healthcare, manufacturing/distribution, and retail. By ranking these industries across multiple security spending and staffing metrics, we are able to provide a relative ranking by major industry sector, from most security intensive to least.
We also include a breakdown of the composite security spending by major category, including identity and access management, security policy and awareness, cybersecurity and incident response, threat and vulnerability management, data privacy and security, and governance, risk, and compliance (GRC). We conclude with guidelines for benchmarking your IT security, cybersecurity, and compliance spending.
This Research Byte is a brief overview of our report on this subject, IT Security, Cybersecurity, and Compliance Spending and Staffing Benchmarks 2024. The full report is available at no charge for subscribers, or it may be purchased by non-clients directly from our website.