2019 was a tumultuous year for cyber security. We saw the rise and fall of GandCrab ransomware, multiple data breaches at Fortune 500 companies, and GDPR turned one year old. Attackers are getting more resourceful, and according to the Ponemon Institute’s Cost of a Data Breach report 2019, the average cost of a breach globally is almost $4m.
No wonder cyber security spending on products and services is on the rise. According to Gartner’s IT industry key metrics 2019, security spending is forecast to grow from $106.6Bn in 2019 (up 10.7 percent from 2018) to $151.2Bn in 2023, a compound annual growth rate of 9.4 percent. IDC’s worldwide semi-annual security spending guide is projecting a similar annual growth rate over the same period.
It’s safe to say that security analysts and data protection specialists have their hands full.
Now we find ourselves at that all-too-familiar time of year where companies are assessing their spend on cyber security for the road ahead. While taking a look back on the biggest news stories can always help a business anticipate some of the threats they may face, it’s not the only way to evaluate which areas need improvement.
When it comes to security spending best practices, benchmarking is one of the ways of determining whether you’re spending enough money and in the right areas.
Understand that tracking average benchmarks will not give a full picture – whilst advanced organisations may be spending above average on their security, spend levels do not necessarily imply the spend is in the right areas, is effective or is in line with an organisation’s risk appetite or specific industry context. Notwithstanding those caveats, looking at global averages can provide indicators to help guide understanding of whether your current levels are outliers and can provide arguments for adjusting budgets accordingly.
We’ve rounded up three key industry benchmarks from Gartner’s data on IT industry key metrics, which should help your business start thinking about where its security money is best spent in 2020.
Here’s an easy one to start off: how much are your peers spending on their cyber security strategies? The data says about 6 percent of the IT budget on average.
Does that mean your business should spend 6 percent and call it a day? Not exactly. Benchmarks are simply a matter of fact; this is what companies spend on average on cyber security. But as we’ve seen, there have still been a number of high-profile data breaches. So, is 6 percent really the right amount?
Well, the average percentage of IT spend on security varies by industry. The below three industries all spend an above average amount of their IT budgets on security and could provide a better idea of how much peer businesses will spend on average in 2020:
The reasons behind their increased spending range from better data security to increased regulatory scrutiny – and everything in-between. But the figures show that in some markets, the benchmark is simply seen as the stepping stone to the right amount of spend.
Furthermore, not to labour the point, given these numbers are averages, there is a possibility that some organisations that are “best-in-class” with respect to cyber security are spending an awful lot more. Equally, that is not to say that low spenders are getting it wrong: they may simply be highly efficient and targeted in their spending, or have a perfectly legitimate higher risk appetite. All of these are considerations that should be taken into account.
Regardless, breaking that figure down further into the distribution of spending across categories can help an organisation better understand both how much it should spend and where it should spend it. It could be that an organisation is benchmarking well on its overall spend for its particular industry but is overspending in certain categories and under-investing in others. Let’s take a look:
The average company’s breakdown of a cyber security budget is:
As businesses explore security spending best practices for 2020, they’ll also want to do so via a category-based approach. The above four categories are the ones most commonly accounted for in a cyber security strategy because they enable a business to analyse vulnerabilities and threats, protect itself from attacks, and then detect, respond to and recover from them when something inevitably gets through its defences.
Benchmarks on overall budget can be a bit misleading, namely because the size of budgets can differ across industries and based on market size.
Another good indicator of how much your business should be spending on security can also come from how much it allocates per employee. While the company shouldn’t limit itself to spending a specific amount on each employee in practice, it provides a baseline to derive the figure that the average organisation spends as a whole to protect against common cyberthreats.
The average amount that companies spend on annual IT security per employee is $1,178. This again takes the form of operational security infrastructure, vulnerability management and security monitoring, GR&C and application security.
Of course, similar to security spending as a percentage of the IT budget, this figure differs quite significantly depending on the industry a company is in. Unsurprisingly, a familiar crowd is in the top four of spending when broken down by industry:
Businesses in the aforementioned industries will want to understand not only that their peers are spending more than the average, but why they’re spending more than the average.
One of the reasons could be the growing need for next-generation detection capabilities. Cybercriminals are increasingly targeting large networks with emerging and evolving tactics, techniques and procedures that go undetected by traditional systems.
Industries with a significant amount of access to sensitive data are spending more on automation and orchestration, better threat intelligence, real-time threat monitoring and the ability to leverage machine learning and artificial intelligence as ways to respond and recover in the event of security incidents taking place. This also highlights why average spending can be deceptive – a high level of spending can relate to over-reliance on inefficient manual processes. Targeted investment in Security Orchestration, Automation and Response (SOAR) can actually result in reduced spending whilst improving overall security posture.
Incidents can carry a high financial toll for a range of reasons – non-compliance penalties and remediation among them – so getting out in front of those costs by investing in security infrastructure is often the most prudent tactic.
Another way that companies can use benchmarks to set security spending best practices for 2020 is through the lens of revenue.
On average, companies spend roughly $2.84 per $1,000 in revenue – or, put another way, security spending is around 0.3 percent of revenue. Of course, as the trend would have it, this varies hugely by industry.
Here are the top three spending industries per $1,000 in revenue:
One reason for the higher revenue-based spending in the aforementioned industries is the potential impact that a security incident could have on revenue. A single security incident could cripple a company’s operations, attract unwanted scrutiny from regulators and crush the business’s reputation with the public.
At the end of the day, security spending best practices are an exercise in risk management. In effect, businesses need to ask themselves: do we want low risk at a high cost, or higher risk at a lower cost, and are we making the best use of the available budget?
Interested in learning how your business can get the most out of its 2020 cyber security budget? Contact us or speak to your account manager today.
Report referenced:
Gartner, “IT Key Metrics Data 2019: Key IT Security Measures: by Industry,” Eric Stegman et al., 17 December 2018.