Connect with us
Finance Digest is a leading online platform for finance and business news, providing insights on banking, finance, technology, investing,trading, insurance, fintech, and more. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.



By Brian Martin, Head of Product, Strategy and Innovation, Integrity360


As cyberattacks continue to ramp up across all industry sectors, determining how much of the IT budget to allocate to cyber security is a calculation no finance organisation can afford to get wrong. Many businesses are upping their spend on security tools, technologies and services: research firm Gartner forecasts that global spending on information security will jump to $170.4 billion this year, an increase from $150.4bn in 2021. According to PwC’s 2022 Global Digital Trust Insights report, a quarter (26%) of executives foresee spending rises of 10% or more, three times the percentage from last year.


Increasing the cyber security budget is absolutely no guarantee that a business will be any better protected against threats to corporate systems and critical data, however. Allocating too little money or too much money, or spending it in the wrong areas, can all lead to the security budget becoming a cyber-threat in itself. This is because insufficient funding, wasted spend and off-target investment will ultimately undermine the security strategy, and the company’s ability to keep pace with threat actors’ tactics and regulators’ demands. 


Of course, the ‘right’ amount to spend will depend on a number of variables – including the risk appetite of the organisation, the industry the company is in, the specific threats and risks it faces, how much sensitive data it processes, and the regulatory scrutiny it comes under. However, benchmarking can be a very useful approach to gauging whether enough money is being spent, and in the correct areas.


Benchmark 1: What your peers are spending on cyber security.

Deloitte’s most recent data on cyber security investment in financial services institutions shows that firms spent on average 10.9% of their overall IT budget on cyber security in 2020, up from 10.1% the previous year. Looking at organisations of a similar size to yours can also provide helpful context. 


These numbers are averages, of course – and spending can vary enormously between organisations. Some may well be spending considerably more, while those who spend less could simply be super-efficient and targeted in their spending, or have a perfectly legitimate higher risk appetite. These are all considerations that should be taken into account.


Benchmark 2: How budget is broken down across categories.

Examining how you allocate your budget will determine whether you get the most from your investment, and are able to effectively protect your organisation. Looking at the distribution of spend across categories can help a business better understand where they should assign it. According to Gartner’s data, the average company’s breakdown of a cyber security budget is:


These categories form the core of most cyber security strategies because they enable a business to analyse vulnerabilities and threats, protect themselves from attacks, and then detect, respond to and recover from any data breach or loss. While benchmarking provides a useful guide, the proportion of spend will vary from one business or another. Conducting a gap analysis, to assess your organisation’s cyber security maturity and identify specific potential threats, will help to identify the specific areas that will produce the maximum impact for data security.


Benchmark 3: The amount of spend allocated per employee.

Another indicator of how much your business should be spending on security can come from how much it allocates per employee. This accounts for the specific size of the business, providing a good baseline from which to derive what the overall budget should be. 


According to Deloitte’s research, the average annual security spending per employee across all categories increased from $2,337 in 2019 to $2,691 in 2020.


Benchmark 4: How much is spent as a percentage of revenue

Another way that companies can use benchmarks to set security spending best practices is through the lens of revenue. Deloitte’s study found that on average financial services companies spent 0.48% of their total revenue on cyber security in 2020, compared with 0.34% the previous year.


While looking at average benchmarks provides valuable insight this will, of course, not give the full picture. A business can overspend and still have gaps, or it could spend well below the industry average and have solid protection against the latest threats. Ultimately, expanding or downsizing budgets while figuring out where they’re most effectively spent is a balancing act – and one which is unique to each individual company. Each organisation must carry out its own assessment to determine how much it ought to be spending, and shift investment around to target the priority areas identified.


This assessment should take into account the up-and-coming threats and major emerging trends that are expected to impact the business and the sector. You also need to understand your risk profile and appetite, and factor that into the thought process. 


To focus spend in the optimal areas and eliminate waste, it’s well worth carrying out an audit of existing security technologies and capabilities, to establish what you already have that may be under-utilised. Perhaps an existing tool can satisfy a new requirement without needing to lay out on an entirely new solution. Check how much of your current spend is in support of manual processes, too, and investigate whether introducing automation – for example, Security Orchestration, Automation and Response (SOAR) – could reduce costs while improving overall security.


Tracking your spend against the average benchmarks for your industry – and beyond – will provide valuable indicators as to whether or not your current cyber security budget and strategy will provide sufficient return on investment. Looking at your peers’ spend in terms of IT budget, employee headcount, company revenue and categories won’t give you an exhaustive understanding of the best direction to take, but it may well tell a story that warrants further analysis. 

Continue Reading

Why pay for news and opinions when you can get them for free?

       Subscribe for free now!

By submitting this form, you are consenting to receive marketing emails from: . You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Posts