2019 was a tumultuous year for cyber security. We saw the rise and fall of GandCrab ransomware, multiple data breaches for Fortune 500 companies, and GDPR turned one year old. The attackers are getting more resourceful, and according to the Ponemon Institute’s Cost of a Data Breach report 2019, the average cost of a breach globally is almost $4m.
No wonder cyber security spending on products and services is on the rise. According to Gartner’s IT industry key metrics 2019, security spending is forecast to grow from $106.6Bn in 2019 (up 10.7 percent from 2018) to $151.2Bn in 2023, a compound annual growth rate of 9.4 percent. IDC’s worldwide semi-annual security spending guide is projecting a similar annual growth rate over the same period.
It’s safe to say that security analysts and data protection specialists have their hands full.
Now we find ourselves at that all-too-familiar time of year where companies are assessing their spend on cyber security for the road ahead. While taking a look back on the biggest news stories can always help a business anticipate some of the threats they may face, it’s not the only way to evaluate which areas need improvement.
In fact, when it comes to security spending best practices, benchmarking is one of the ways of determining whether you’re spending enough money and in the right areas.
Understand that tracking average benchmarks will not give the full picture – whilst advanced organisations may be spending above average on their security, spend levels do not necessarily imply the spend is in the right areas, is effective or is in line with an organisation’s risk appetite or specific industry context. Notwithstanding those caveats, looking at global averages can provide indicators to help you understand whether your current levels are outliers and can provide arguments for adjusting budgets accordingly.
We’ve rounded up three key industry benchmarks from Gartner’s data on IT industry key metrics, which should help your business start thinking about where its security money is best spent in 2020.
1. Companies on average spend 6 percent of their IT budget on security
Here’s an easy one to start off: how much are your peers spending on their cyber security strategies? The data says about 6 percent on average.
Does that mean your business should spend 6 percent and call it a day? Not exactly. Benchmarks are simply a matter of fact; this is what companies spend on average on cyber security. But as we’ve seen, there have still been a number of high-profile data breaches. So, is 6 percent really the right amount?
Well, the average percentage of IT spend on security varies by industry. The three industries below all spend an above-average share of their IT budgets on security and could provide a better idea of how much peer businesses will spend on average in 2020:
- Software publishers and internet services: 8.7 percent
- Banks and financial services: 7.3 percent
- Government services: 6.7 percent
The reasons behind their increased spending range from better data security to increased regulatory scrutiny – and everything in-between. But the figures show that in some markets, the benchmark is simply seen as the stepping stone to the right amount of spend.
Furthermore, not to belabour the point, given these numbers are averages, there is a possibility that some organisations who are “best-in-class” with respect to cyber security may be spending an awful lot more. Equally, low spenders may simply be super-efficient and targeted in their spending, or have a perfectly legitimate higher risk appetite. These are all considerations that should be taken into account.
Regardless, breaking down that figure even further into the distribution of spending across categories can help an organisation better understand both how much they should spend and where they should spend it. It could be that an organisation is benchmarking well on their overall spend for their particular industry but are overspending in certain categories and under-investing in others. Let’s take a look:
The average company’s breakdown of a cyber security budget is:
- Operational infrastructure security (50 percent): Relates to general Network Security, Identity and Access Management (IAM), Privileged Access Management (PAM), Endpoint Security and all the activities involved in Data Security.
- Vulnerability management and security monitoring (20 percent): Relates to vulnerability assessments, vulnerability scanning, active discovery and remediation of vulnerabilities via ticketing, Security Operations Centre (SOC) performance and Security Information and Event Management (SIEM) costs.
- Governance, Risk and Compliance (GR&C) (16 percent): Relates to the active role involved in securing the company’s data via an approved and certified framework, as well as complying with industry-specific regulations.
- Application security (14 percent): Relates to a combination of penetration testing practices geared towards protecting hardware, software and employees against a running list of evolving threats.
As businesses explore security spending best practices for 2020, they’ll also want to do so via a category-based approach. The above four categories are most commonly accounted for in a cyber security strategy because they enable a business to analyse vulnerabilities and threats, protect themselves from attacks and then detect, respond to and recover from them when something inevitably gets through its defences.
2. Security spending per employee averages out to $1,178
Benchmarks on overall budget can be a bit misleading, namely because the size of budgets can differ across industries and based on market size.
Another good indicator of how much your business should be spending on security can also come from how much it allocates per employee. While the company shouldn’t limit itself to spending a specific amount on each employee in practice, it provides a baseline to derive the figure that the average organisation spends as a whole to protect against common cyberthreats.
The average amount that companies spend on annual IT security per employee is $1,178. This again takes the form of operational security infrastructure, vulnerability management and security monitoring, GR&C and application security.
Of course, similar to security spending as a percentage of the IT budget, this figure differs quite significantly depending on the industry a company is in. Unsurprisingly, a familiar crowd is in the top four of spending when broken down by industry:
- Software publishing and internet services: $2,387
- Banking and financial services: $2,162
- Insurance: $2,014
- Government services: $1,482
Businesses in the aforementioned industries will want to understand not only that their peers are spending more than the average, but why they’re spending more than the average.
One of the reasons could be the growing need for next-generation detection capabilities. Cybercriminals are increasingly targeting large networks with emerging and evolving tactics, techniques and procedures, allowing them to go undetected by traditional systems.
Industries with a significant amount of access to sensitive data are spending more on automation and orchestration, better threat intelligence, real-time threat monitoring and the ability to leverage machine learning and artificial intelligence as ways to respond and recover in the event of security incidents taking place. This also highlights why average spending can be deceptive – a high level of spending can relate to over-reliance on inefficient manual processes. Targeted investment in Security Orchestration, Automation and Response (SOAR) can actually result in reduced spending whilst improving overall security posture.
Incidents can carry a high financial toll for a range of reasons – non-compliance and remediation among them – so getting out in front of the costs via investment in security infrastructure is often the most prudent tactic.
3. Companies spend $2.84 per every $1,000 in revenue
Another way that companies can use benchmarks to set security spending best practices for 2020 is through the lens of revenue.
On average, companies spend roughly $2.84 per every $1,000 in revenue – or, put another way, security spending is around 0.3 percent of revenue. Of course, as the trend would have it, this varies hugely by industry.
Here are the top three spending industries per $1,000 in revenue:
- Software publishing and internet services: $7.14
- Banking and financial services: $5.60
- Government services: $4.76
One reason there’s higher spending in the aforementioned industries based on revenue is because of the potential impact that a security incident could have on revenue. A single security incident could cripple a company’s operations, shine an unnecessary light from regulators and crush the business’ reputation with the public.
Tips when considering your security budget
- By all means, look at the benchmarks for your industry across the main spending categories to understand how your security spending tracks against the industry average. This will provide some context for typical spend levels. Look at the spend as a percentage of IT spend, company revenue and employee headcount. This may tell you a story that warrants further analysis.
- Don’t take averages as gospel. They ignore some of the important factors below.
- Understand your risk appetite and factor that into the budgetary thought process. Make sure to document and socialise assumptions so they don’t get conveniently forgotten later when that shared agreement to take higher risk has consequences.
- Make sure you have an inventory of assets, so you know what you already have. Document under-utilised or un-activated capabilities. Perhaps an existing application or appliance can satisfy a new requirement rather than integrating an entirely new solution. The array of potential security solutions out there is bewildering, so take some advice to make sense of it if you need to.
- Make sure if you budget for new infrastructure that you also factor in the capacity to operate and manage it. If the skills or capacity is not available in-house, then consider outsourcing to a managed services provider and provide for it in the budget.
- The business landscape is littered with wasted or failed investments. Conduct proof-of-concept to iron out the wrinkles before widespread deployment.
- Align your plans with a best-practice security framework, such as NIST, CIS Top 20 Controls or ISO 27001. Get external support if you don’t know where to start, as targeted prioritisation will help significantly improve your risk profile and eliminate ineffectual or wasted investment.
- Check how much of your current spend is in support of manual processes and investigate whether automation will deliver an earlier return on investment whilst also improving overall security.
At the end of the day, security spending best practices are an exercise in risk management. In effect, businesses need to ask themselves this: do we want low risk at a high cost, or high risk at a lower cost and are we making best use of the available budget?
Interested in learning how your business can get the most out of its 2020 cyber security budget? Contact us or speak to your account manager today.
Gartner “IT Key Metrics Data 2019: Key IT Security Measures: by Industry,” Eric Stegman, et al, 17 December 2018.