Since no two cybersecurity budgets are the same, we conducted research across the industry to better understand typical budgets. There are a number of reputable studies that shine some light on recent budget trends.
WILL BUDGETS INCREASE OR DECREASE?
K logix conducted a study with over 200 CISOs across all verticals, and the results showed us that 42% said their budget increases 5-10% per year, 48% said it remains around the same and 10% said it is expected to decrease.
We are able to dive deeper into our data to reveal results for specific verticals. For example, when we polled CISOs at financial services organizations, almost 50% said their budget increases at least 5% per year. Manufacturing was similar, with 48% saying their budgets increase 5% per year.
ISACA’s State of Cybersecurity 2019 report (State of Cybersecurity 2019; ISACA Cybersecurity Nexus) states that 12% of survey respondents said their budgets are expected to decrease, 34% said they will stay the same and 55% said they would increase. These results track with those collected by K logix, and we anticipate that, moving into 2021, budgets will continue to increase for over 50% of organizations.
ESG recently published its annual IT spending intentions research for 2020 (2020 Technology Spending Intentions Survey; Enterprise Strategy Group Research) and found 55% of organizations planned to increase overall IT spending in 2020. At least half of organizations in the health care, technology, retail/wholesale, manufacturing, and business services industries will increase IT spending in 2020.
The 2021 CIO Pandemic Business Impact study (Spring 2021: State of the CIO; CIO from IDG) states that to drive business forward, 50% of IT decision-makers anticipate that their tech budgets will increase over the next 12 months, 42% anticipate their budgets will remain the same, and only 8% expect a budget decrease – which is in line with the 7% in December 2019 prior to the pandemic.
From these surveys and the ample amount of available research on the topic, it is clear that over 40% of security programs anticipate increased budgets in the next 12 months. The amount of increase does differ company to company, and it is often driven by variables such as corporate plans for growth, compliance requirements, etc.
Organizations are investing more in their cybersecurity programs because they see the importance of protecting valuable assets that impact both employees and customers. By continuing to invest in cybersecurity, there is an opportunity to protect company-wide innovation and growth.
WHAT % OF THE IT BUDGET IS SPENT ON CYBER?
According to a study released by Deloitte (FS-ISAC/Deloitte Cyber & Strategic Risk Services CISO Survey Reports; 2019 and 2020; Deloitte Center for Financial Services analysis), the average company will spend somewhere between 6% and 14% of their annual IT budget on cybersecurity.
They found that on average, most companies spent around 10% of their IT budget. In the study results, the average spend per year per employee is:
- Financial Utility: $4375 per year per employee
- Service Providers: $3266 per year per employee
- Banking: $2688 per year per employee
- Consumer/Financial (nonbanking): $2348 per year per employee
- Insurance: $1984 per year per employee
The Deloitte study and the others we found all point to companies continuing to spend more on cybersecurity.
Based on an IDG survey (2019 Security Priorities Study; IDG Communications) of 664 security-focused professionals worldwide, nearly two-thirds of enterprises (60%) plan to increase security budgets in the next year, by an average of 13%. This number is on the high end of the research we found, but exemplifies the investment organizations are willing to make in order to increase maturity and overall protection.
CIO’s 2019 State of the CIO survey (2019 State of the CIO; CIO from IDG) revealed that on average, 15% of a company’s total IT budget was dedicated to IT security. This is slightly higher than the other studies, but still tracks within the 1-15% range.
CONCLUSION
The majority of organizations (almost 50%) say their budgets increase on a yearly basis. While there are a number of determining factors for this, we found the most common reasons given for a budget increase include:
- Stronger alignment between security leaders and the business
- Rising threats including an uptick in ransomware
- Protecting innovation and growth initiatives
- Increased awareness of cybersecurity across an organization
- Compliance and regulatory mandates
From our research, the average organization spends 10% of their IT budget on cybersecurity. The variables that impact this percentage include company size and industry, among many other factors.
We have found most business leaders are keenly aware of the value of investing in security programs. They see a direct correlation between protecting the organization and the positive results of doing so. Strong security programs that are continually reducing risk and increasing maturity ensure the ongoing protection of customers and employees.
Only some CISOs we speak with struggle to demonstrate the ROI or competitive advantage of security programs; the majority of CISOs are in a mature place where they can measure and demonstrate progress. Those who are able to show progress and justification for budgetary spend typically receive increased budgets year-over-year.
Overall, we believe security is becoming ingrained in organizational culture through stronger communication and transparency with business leaders.