- The average IT security budget shrunk to $692,132 in 2019, falling from an average of $769,760 in 2018, according to Kaspersky's IT Security Calculator based on data from almost 3,800 respondents. The survey's business representatives were from companies with up to 4,999 employees internationally.
- More than half, 56%, of respondents experienced viruses and malware and 46% suffered a data breach in the last 12 months, according to a survey of almost 4,500 business representatives from Kaspersky. The cost of a single cybersecurity incident is about $308,300.
- Among the more than 4,500 respondents, the majority, 87%, had endpoint security, but only 2% had embedded systems security. One-fifth of respondents had security solutions for software as a service (SaaS), infrastructure as a service (IaaS) and cloud.
When boards and the C-suite sink money into cybersecurity, they expect a return on investment. Before they are willing to invest, boards need to understand the value of protection and CISOs can struggle to articulate the cost of risk.
"Make sure your believe you can defend your argument, and your assumptions and your calculations," according to Tom Scholtz, distinguished VP analyst at Gartner, while speaking at the Gartner IT Symposium/Xpo in Orlando, Florida in October.
CISOs can justify their spending by answering basic questions:
What is cybersecurity costing the business?
Where is the money going?
Who is paying for it?
What are the funding models?
How does the infosec department articulate the value of the investment?
On average, security budgets make up a 6% of overall IT budgets, but they range between 2% and 14%, according to Scholtz. The budget usually represents about 3% of every $1,000 of revenue.
The "money grabs" of security budgets are hardware, software and personnel, said Scholtz. The "fluffy stuff" is governance, and risk and compliance management.
These are costs companies can plan on.
Intangible costs are unplanned expenses used to answer for those incidents. The majority of CIOs and CISOs, 94%, already have practices that compromise protection. A lack of visibility into endpoints contributes to this uncertainty.