How Much Should You Spend on Cybersecurity?

Budgeting for cybersecurity requires IT decision makers to analyze their needs, prioritize cost-effective solutions, and consider recent security trends.

Andrew Johnson - Product Marketing Manager
Mauricio Pegoraro - CISO
Rachel Kempf - Editor-in-Chief

With the costs of a cyberattack skyrocketing, it’s crucial that businesses make security a priority when planning their spending this year. But how much is enough, especially for businesses facing tight budget constraints? Understanding and prioritizing cybersecurity costs is crucial for IT decision makers to not only understand how much to spend, but ensure that their investment in security pays off. This blog post will help guide security spending decisions by reviewing how much companies spend on cybersecurity on average, which factors can drive up spending, and how to control security costs without compromising your security effectiveness.

Average Cost of Cybersecurity

The 2021 State of the CIO Survey reported the average security spending amounted to 15.5% of businesses’ annual technology budget. Another survey from IDG, the 2021 Security Priorities Study, reported that the average spending for enterprise participants amounted to $123 million, whereas small to midsize business respondents reported spending $11 million on average. However, the same report stated that in the next year, 44% of all organizations surveyed were planning to increase their security budgets, and half of all small and medium business respondents were planning to double their spending in 2022. This comes after a 12.4% increase in overall cybersecurity spending this year, when spending is predicted to hit $150 billion.

So what’s behind the increase? For starters, many changes businesses made to adjust to the pandemic, such as an expansion of online services, accelerated digital transformation, and remote work, have continued into this year and show no signs of slowing down, requiring companies to replace legacy security solutions with modern solutions that enable zero trust.

Along with the sustained increase in online activity, attacks have also risen, increasing risk to businesses as DDoS and ransomware become more frequent and spread to new segments like education, small business, and critical infrastructure. These and other trends are also driving up the cost of a cyberattack to businesses, which has skyrocketed over the past year, with IBM’s Cost of a Data Breach Report citing a $4.24 million global average for the total cost of a data breach in 2021.

Factors Driving Cybersecurity Costs

When confronted with the question of how much to spend on cybersecurity, many budget experts will simply answer “it depends.” The higher the risk of an attack, and the more money a business stands to lose in the event of a cybersecurity incident, the more important it is for that company to invest in cybersecurity. Businesses that are likely to face steeper consequences from a data breach or downtime incident should be particularly concerned with minimizing these risks. However, this doesn’t mean that cybersecurity is only necessary for companies that handle sensitive data or run mission-critical services. Anyone with a web presence should invest in cybersecurity to avoid the reputation damage and resulting losses of an attack. That said, some of the factors that can drive up security costs include:

  • industry and company size
  • the sensitivity and volume of personal data it handles
  • compliance and regulation mandates
  • the value of the intellectual property it protects
  • the complexity of its IT infrastructure
  • how likely it is to be targeted for attacks
  • requests from company stakeholders or customers

Businesses like financial institutions, e-commerce, and healthcare companies, which handle more sensitive data, must also purchase certain security products, like web application firewalls, and services like third-party audits in order to comply with data privacy laws. Industry standards like PCI DSS, which applies to all companies that handle credit card data, impose stricter requirements on businesses that process more transactions. Larger companies are therefore subject to more auditing, documentation, and security assessments, such as penetration tests and vulnerability scanning, which can increase compliance costs.

Other factors, such as whether a business uses on-premises, cloud, or edge infrastructure, can also affect spending. For on-premises security solutions, companies must not only purchase hardware upfront, but also consider the ongoing costs of operating, managing, and maintaining it, as well as replacement costs when the hardware reaches the end of its life. With cloud and edge security, technology is always as up-to-date as possible, with no additional costs to replace or fix hardware. And since cloud solutions scale on demand, customers only pay for the infrastructure they use, plus the service or software license. Serverless edge computing, which enables highly granular automatic scaling with no provisioning ahead of time, reduces management tasks and lowers resource consumption and upfront costs even further.

How to Control Costs

With cyberattacks growing more frequent and costly, investing in security has never been more important. But not all security solutions deliver the same return on investment. In fact, a recent Forbes article stated that nearly 30% of security tools are underutilized or not used at all. In addition, as organizations continue to accelerate their digital transformation, solutions that do not easily scale or run the risk of vendor lock-in can result in spending waste. Waste is not limited to spending on tools and software. In fact, security operations centers (SOCs) spend 25% of their time on average chasing false positives and often lack the data needed to efficiently stop threats, according to Ponemon’s 2019 State of the SOC Report.

So which security strategies have the biggest impact? A 2021 Cisco report states that the two security practices that most strongly correlated with successful outcomes were a “proactive, best-in-breed tech refresh strategy” and having a well-integrated security stack. IBM’s Cost of a Data Breach Report noted that costs were significantly lower for companies that employed modern security practices, like zero trust and automation.

Another way to control costs is to take a risk-based approach to security, rather than a maturity-based approach. Maturity-based security focuses on building out all capabilities to reach an arbitrarily high level and tends to expand organically, often to excess, resulting in a lack of oversight and implementation gridlock. A risk-based approach reduces spending by focusing on the areas that pose the biggest risk to an organization’s security, shifting from a position of monitoring everything to building tailored controls that address the most critical threats in order of priority. A 2019 study from McKinsey & Company estimated that a risk-based approach could cut overall costs by more than half while still providing effective protection for key assets.

Accurate data on security incidents can help decision-makers determine which security efforts will provide the most value to their company. Analytics tools that integrate with your security solutions can help you understand attack patterns, anticipate threats, and identify vulnerabilities and gaps in your current system. They can also provide SOCs with additional data for more efficient and accurate threat detection.

How Azion Can Improve Your Security Effectiveness

Good cybersecurity is worth its weight in gold—but companies do not need to overspend to obtain best-in-class security. Azion’s integrated security stack uses edge computing to enable programmable security at the edge, close to end users, and scales automatically on infrastructure managed by Azion. Our edge platform also simplifies compliance by enabling companies to process data locally, minimizing the need to keep sensitive data on-premises, where infrastructure is more difficult and expensive to purchase, operate, scale, and maintain. And with an open, extensible platform that uses standardized tools, security teams can avoid the risk of vendor lock-in that is often associated with cloud providers’ solutions.

As a result, businesses can simplify how they implement and manage security by eliminating the need to manage infrastructure, enabling automated workflows, and minimizing resource waste. Azion’s modern approach to security leverages a globally distributed network that covers some of the largest global enterprises and is frequently updated to minimize risk from emerging threats. In addition, our network and products are optimized for large-scale and global enterprises, providing businesses with an affordable and leading security solution that will take care of them for decades to come.

To find out more about Azion’s security products and services, contact our experts today.
