Security Spending – How Much of IT Budget

There is an article on The Register web site claiming security spending has soared to 20% of the IT budget.  This is based on a poll of 1070 organizations.

It is a shame the article doesn’t provide more detail.  It would be nice to know the industries surveyed, the size of the organizations, and all of the categories assessed.  Does this figure include staffing, business continuity, disaster recovery, application security, etc.?

My experience shows that most organizations can’t account for the actual security dollars spent.  When evaluating IT security within an organization, excluding physical security and business continuity, most organizations I review are in the 1% to 5% range of the IT budget, with the exception of the major financial firms and a few others.  These numbers are also pretty much in line with the annual CSI/FBI surveys.

  • What is your experience? 
  • Can you account for your total security budget? 
  • What does that budget include?

Unfortunately this area of security is still lacking in the amount of free information available to the public, and many of the assessments are limited to fewer than 1000 respondents.  I would be happy to post some links on this site if anyone has some good free resources or whitepapers.



  1. I’m in the Federal IT space and I can say that for the most part INFOSEC continues to be an “afterthought”, a reaction to “OMG, we just lost 40,000 PII records and now we have to go before a congressional committee explaining why we lost Senator X’s PII.”

    The key problem isn’t the lack of laws, technology, or even smart IT Security folks to make it work. The problem is that the stupid people outnumber the smart people on a gross, and frightening, scale.

    To compound that problem, the people who control the money are not the smart people but the stupid people in the accounting offices. Most of them are, you guessed it, accountants who do not understand the fuzzy logic of IT Security.

    My mother is a CPA, and God bless her, I love her very much, but if even so much as a cent is out of place she goes nuts finding it, and find it she does. That is her job and what she understands.

    When I try to help her with IT issues the same binary thought process kicks in. She will complain that “my computer is slow” and the response is to buy a new one, because binary logic says that if the computer is slow it is because the computer is old and should be replaced.

    An IT Security person would look at the system from a holistic perspective and not from the single variable. The main reason her laptop, which was only 1 year old, was slow is that she loaded it with junk programs and the operating system did what it always does and filled up with Cr@p. So over time the system kept going down a death spiral until it started blue screening.

    Therein lies the other problem we face in getting the budget needed to meet the objectives outlined by the stupid people. The complexity of information security issues can’t be solved by buying a new shiny widget (laptop). The business must be understood, and the impact to the business must be made clear if the IT assets supporting the business are negatively affected in any way.

    Yet the stupid people, who control the money, don’t understand that this level of detail isn’t a nice thing to have; it should be a required thing. But seriously, look at who is really running your show (business) and ask yourself “would they know how to get to grep?” or “do they understand what happens when they ask to run a network scan at 2 pm on Thursday before payroll gets sent out the next day?” or, my personal favorite, “I need an exception to the Proxy rules for one person….” to which I say “why?” and the response is “because”, and I say “this will modify the Proxy for the entire agency…” and the response is “So?”

    Just remember who we are all dealing with. I’m not saying these people are bad or even malicious in their intent. It’s just that Dumb and Dumber are running the show and those of us who have a clue are out in the cold wondering how we got locked out of the warm cabin again.

    Proving to the Dumb and Dumbers that money spent on IT Security is worthwhile will never be an easy chore, because we will always be a cost center.
    What do CFOs love to do most and most often? Seek and destroy cost centers! It is their mission in life, and forget trying to explain that not upgrading a network intrusion sensor will leave them vulnerable, because the requirement states they have to have NIDS in place.

    It falls back to the CPA that says “I have NIDS, so I am good to go.” When in reality the NIDS in place are worthless because they are end of life and can’t be upgraded to cover the latest IDS signatures.

    But the CPA that lives in every CFO and manager says “I’m covered, so why worry?”

    Cheers, Halon73

    1. Dude, I work for the fed too and I totally agree. I got here a few months ago after spending several years as a consultant. Holy cow, this is waaayyyy backwards. I have been trying to write cost justifications but can’t even get a budget that covers more than salary. We should talk.

  2. You can certainly see your skills within the article you write. The sector hopes for even more passionate writers such as you who are not afraid to say how they believe. Always go after your heart.
