How Security Budgets Break Down

June 21, 2022 | By IANS Research

In 2021, over 500 CISOs and CSOs participated in our Compensation and Budget Study. This annual survey, developed in partnership with executive cyber recruiters at Artico Search, provides security and business leaders with a cross-industry examination of security budgets. 

In exchange for their time, participants in the survey received a series of benchmarking reports featuring detailed data sets and expert insights on security budgets, CISO compensation and job satisfaction, along with key security staff compensation and other organizational factors.

This piece highlights cross-industry findings in security budget expenditures from our benchmarking study, and also provides visibility into key factors that influenced changes in security budgets.  

Information Security Budget Benchmarks 

1. Security budgets represented 10% of IT budgets, but varied widely 

It’s common in most companies for the security budget to be part of the overall IT budget. In 2021, survey respondents reported that the average annual security budget was 10% of the IT budget. This benchmark was consistent with what our cyber recruiters at Artico Search typically heard from business and security leaders.

Budgets differed by industry sector and company size 

Clear differences in budgeting became apparent when we took industry and company size into account.

Technology firms’ budgets were larger, with 13.3% of the IT budget going to security. For most tech companies, particularly those that are SaaS-based, product security is paramount. Data protection and product security are the lifeblood of many tech businesses, from fintech to health tech and cyber vendors. As a result, security in this sector accounted for a large portion of the IT budget.

Program maturity impacted budgets 

While most organizations have a formal security program with a baseline budget, the maturity of those programs can vary. Companies at different stages in their cybersecurity journeys had significant budget variances. 

For companies just getting security programs started, a smaller portion of the IT budget was spent on security, because resourcing had not yet hit its peak. 

Between 20% and 23% of the companies in the survey reported security budgets either 15% greater or 5% less of the IT budget. The wide range in budgeting reflected the reality of situational differences within organizations. 

2. Smaller firms spent more on security 

Firms with less than $1 billion in annual revenue spent a greater share of their IT budget on security than firms with more than $1 billion in annual revenue. 

At the smallest firms—those with annual proceeds less than $100 million—the portion of the IT budget allocated to security was highest at 17.2%, double that of very large firms (see Figure 1).

Steve Martano, partner in Artico Search, explains these disparities across companies of different sizes: “At a certain point, budget increases have diminishing marginal returns. Regardless of size, organizations need to spend a baseline amount on information security. For small firms, that share is higher than it is for large firms. Once the baseline is met, the required budget is more proportional to company size.” 


3. Spending increased for security staff and software

What are the common security budget categories that spending falls into?  

Staff and compensation were by far the largest category of spend and in 2021 claimed 38% of the security budget. 

Software spending represented the next two categories in size and totaled 28% of the security budget, with slightly more on off-premises software than on-premises solutions. Hardware, by comparison, was a much smaller component, and averaged 7% of the security budget (see Figure 2). 


What drives training and development spending?  

We found staff training and development, a small category, doubled from 2% to 4% of the security budget from 2020 to 2021. Will this trend continue following the analysis of our 2022 survey data? 

Amid the high demand for cyber talent and a continued shortage of qualified candidates in the market, companies remain challenged by this gap. In some cases, this can translate to hiring of individuals who are less-than-qualified to adequately perform in their role. Such raw talent requires additional training and development. 

Budget allocation on cloud  

Another trend we are monitoring is that of off-premises spend. That category saw the biggest increase from 14% of the security budget in 2020 to 16% on average in 2021. 

This data reflected the cloud transformational shift, as companies relied more on managed services and cloud-based software to provide the capabilities they cannot provide in-house. 

Given the long-term trend to embrace SaaS and public cloud services, this budgetary trend could continue in 2022 as companies continue to rely on external software and services. 

Budget allocations vary by company type 

A closer look into the budget breakdown by company size and type—public versus private—revealed the following differences: 

  • Smaller public firms spent more on cloud solutions than others – Smaller firms’ spend in this category was up to three percentage points greater than the average. For large firms of $50.1 billion or more, we saw the opposite: less spending than the overall average on cloud-based computing solutions.
  • Larger firms had larger on-premises software budget allocations – Super-large and mega-cap firms spent more than 15% of their security budget on on-premises solutions. That was more than three percentage points above the 11.8% overall average.
  • Mega-cap firms spent a bigger budget share on hardware – Mega-cap firms with more than $100 billion in market capitalization outspent others on hardware, averaging 11.6% of their security budget, more than four percentage points above average. 

4. Markets drive year-over-year budget and staff increases 

Security budgets averaged a 16% increase universally

Irrespective of industry or company type, two-thirds of CISOs reported an increase in their security budgets over the previous year. Budgets stayed flat for 25% of respondents. Only 10% of respondents said their budgets decreased (see Figure 3).

Across all firms in the sample, the average budget increase was 16%. Singling out those CISOs who reported an increase, the average increase jumped to 26%. On the flip side, if we look at just the CISOs who said their budgets decreased, the average decline was 13%.

Two-thirds of CISOs say their budget increased year-over-year and are satisfied with this increase. 


5. Reasons behind security budget changes 

Some of the primary reasons for changes in the security budgets included the following: 

  • CISOs and potential CISO candidates pushed hard on budgeting. Incoming CISOs wanted to ensure they were positioned for success and had the proper resourcing to meet organizational security goals. For 41%, the primary reason for a budget increase was a typical annual change.
  • In most cases, other factors were also at play, including macroeconomic changes, cited by 33% of CISOs, and major industry disruptions such as the SolarWinds breach, indicated by 22% of CISOs.  
  • Company repositioning due to a merger or acquisition was cited by 19%. 

The biggest budget increases stemmed from company repositioning  

For CISOs who indicated a typical annual budget change as the only reason for their budget increase, the average budget increase was 9%. All other reasons resulted in bigger increases. The largest increases were the result of company repositioning, which added an average 39% to the security budget. Incidents, breaches and similar industry disruptions drove up security budgets by 29% and 27%, respectively.




2022 Security Budget Data   

Will a larger percentage of security budgets be allocated to staff training? How will the current macroeconomic climate factor into the 2022 security budgeting season? Will CISOs be satisfied with their annual security budgets? Join hundreds of your fellow CISOs across the U.S. and Canada and take this year’s CISO Compensation & Budget Survey. 

Survey respondents will receive a series of in-depth reports featuring new takeaways, uncover a wealth of insights and find valuable leadership guidance to fine-tune their current security budget and department, as well as their role and career path.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 

