Why 5% of IT Spend Isn’t Enough for Peace of Mind: Top Three Tips to Establishing the Right Security Budget for Your Organization

By Mike Gentile 

During the past 12 months, the news has been reporting security breach after security breach. When they happen, much of the discussion focuses on the impact on the people whose personal information was compromised, the size of the breach, and how many of these attacks originate from outside the United States via government-sponsored efforts. Newsworthy stuff for sure, but I think there is another side to the story that will be far more dramatic and will shape the face of business over the next 2-3 years. Essentially, this side has two components. The first is just how profound, exhaustive and expensive it will be for organizations to adequately secure themselves. The second, which is just as important, is how far organizations’ expectations, even today, fall short of how much they actually need to invest in security. This article will explore this situation and present three tips for organizations to address it.

Just how expensive will it be for organizations to truly address security?

I firmly believe that you will see organizations spending more than 25% of their total IT budget on addressing security over the next couple of years. I know that it may seem odd to say “more than” for a budget estimate, but this is also part of the problem. It is very hard to adequately forecast security spend in organizations because security touches every aspect of the business, and many organizations lack the ability to adequately measure all of these areas. As a result, they lack the ability to establish the right spend for them.

My background for the last 15 years has been leading teams in developing information security programs for organizations. Essentially, an effective security program does four things:

  1. Establishes a benchmark against which security can be measured.
  2. Establishes processes to measure the environment against that benchmark.
  3. Organizes the results of those measurements and presents them to management on a regular basis so they can make informed decisions.
  4. Supports the business in implementing management’s decisions once they have been made.

After implementing these programs over the years, I have been able to witness firsthand true measurements of what organizations really need to fix, as well as what it will cost them to adequately fix these things. The suggested spend in all of these instances has always been more than 25% of IT spend, and has been for years. What has changed is that, for the first time, it is becoming more expensive for organizations to do nothing than to actually fix the issues through an appropriate spend.

In the past, our teams would present this information to management who, after reviewing what needed to be fixed, would allocate up to 5-10% of their IT budget for remediation, the established standard for organizations at that time. This approach did not sufficiently reduce risk, but that was acceptable at the time because you did not have the active security attacks and threats that you have today. Organizations could therefore complete a small subset of what they should have been doing, demonstrate due diligence by aligning to industry benchmarks for spend, and still not pay the price for the lack of risk reduction. They did not pay the price because, though they were insecure, attacks and the associated ramifications and costs were few and far between.

Today, things are much different. Organizations are attacked daily, with environments that are still woefully ill-configured to defend against these attacks. But while the need for increased spend has been accelerating, the expectation of what they need to spend has not caught up. Not even close.

So what are organizations expecting to spend on security?

When I talk with executive teams or boards about security, I always ask them two questions:

  • What information are you receiving about security today to aid you in making decisions? The typical answer is “not much.”
  • If you are receiving data about security, is it organized in a manner that enables you to actually use it to make informed decisions? The typical answer is “no.”

The reason for this is that most organizations still do not have healthy security programs in place to adequately measure their environments and then present this information to management to support informed decisions. Leadership in organizations around the world is therefore literally blind to what they should be doing. Compounding this, even in the rare situations when management is getting the right data, leaders with years of experience were trained to fund only the 5-10% benchmark rather than the suggested spend.

As a result, I think it’s inevitable that organizations will be forced to make the large spends that have been required for years. If they don’t, they will go out of business. Really, it’s that simple. Now what?

Top three tips for moving forward

For organizations to move past the old mentality of addressing security, these three tips will help:

  1. Reset management expectations – Start informing leadership about what is required to solve the security riddle. This can be accomplished by starting conversations now and supporting those conversations with data gathered to set appropriate benchmarks and begin to mature a security program.

  2. Establish an effective security program – Remember that the definition of success here is not that you fix every security problem, but that you get relevant information to management on a regular basis to support informed decisions, even if the decision in the end is to actively do nothing.

  3. Understand the power of time in the risk equation – The longer it takes you to do one and two above, the longer it will take to reduce security risk in your environment. The longer security issues remain in your environment, the more likely they are to be exploited. You really are in a race against the clock.

Please send me your comments and feedback; I grow and learn from them every time. Twitter: @AUXOMike