How much should an organization spend on security? The simple answer: It depends.

Factors such as the sort of business the company is in, the types of personal or sensitive data or intellectual property it handles, the regulatory requirements it faces, the complexity of its IT infrastructure, the likelihood of it being a target for attacks, and other elements come into play.

The more important question might be: “How should an organization go about determining how much to spend on security?” The process enterprises go through to figure out their proper level of spending on security can be critical to effectively safeguarding systems and data.

Many factors drive security spend

Recent research reports provide some context in terms of how much organizations are spending on security. CIO’s 2019 State of the CIO survey conducted in November 2018 asked 683 IT executives worldwide what percentage of their company’s total IT budget was represented by IT security. The mean response was 15%. Nearly one quarter of the organizations (23%) are devoting 20% or more of their IT budget to security.