Investments in IT Security Not a Matter of Dollars and Cents

January, 2019

Companies in all industries need IT security technology, and with threats on the rise, the investment rate is the highest of any category of technology that we track. However, economic experience is not as rosy, indiating that financial benefits are not the motivation when investing in security technology.

As seen in Figure 1 from our full report, IT Security Technology Adoption and Customer Experience, the ROI success rate is relatively low. In other words, among those organizations that have adopted security technology (virtually all organizations), the percentage that are at least breaking even on their investments within a two-year period is low when compared with other technologies in our annual Technology Trends survey.

Fig1 IT Security 1030x687 - Investments in IT Security Not a Matter of Dollars and Cents

The total cost of ownership (TCO) success rate for security technology is moderate compared with other technologies in the study. The TCO success rate is defined as the percentage of adopters coming in at or at less than budget for implementation and ongoing support costs. The results for ROI and TOC show that, when the mandate is to counter threats to the organization, protect corporate intellectual property, and safeguard personal information, direct economic benefits, such as cost-savings, are not the main concern.

However, in analyzing adoption and investment trends in IT security technology, there is a problem: IT security is not just one technology. It includes a wide variety of technologies, from basic security tools, such as firewalls and spam filtering, to more advanced capabilities, such as incident detection, and everything in between. Nevertheless, there is value in understanding the focus for new investments in IT security and how they may change from year to year.

“Financial returns are usually not at the core of decisions to invest in security technology,” said Tom Dunlap, director of research for Computer Economics, based in Irvine, Calif. “It’s more about protecting the organization against loss of data and critical systems. What is the value  of not becoming the next case study in ransomware? Think of it as an insurance policy.”

We define security technology as any technology intended to protect the organization against security threats, detect them, or respond to them. This would include a broad range of technologies from simple firewalls and malware protection to AI and machine-learning-based threat detection. Because there is such a variety of technologies, our survey does not attempt to cover an exhaustive list, but rather a representative sample. The list will change from year to year.

Our full report examines adoption trends for IT security technology of all types, from basic capabilities, such as firewalls and spam filtering, to more advanced technologies, such as incident detection, and everything in between. We analyze the adoption rate, investment rate, and economic experience for security technology overall. We conclude with recommendations for ensuring the success of IT security technology investments. Because IT security technology is most often implemented as a risk mitigation measure, it can be difficult to think of its investments in terms of ROI. Therefore, in assessing the ROI, we asked our respondents simply to consider whether the reduction in risk has been worth the investment. We also evaluate the cost-side of the equation, by measuring the percentage of organizations that exceed budgets for total cost of ownership (TCO).


This Research Byte is a brief overview of our report on this subject, IT Security Technology Adoption and Customer Experience. The full report is available at no charge for Avasant Research subscribers, or it may be purchased by non-subscribers directly from our website (click for pricing).