The average organization spends 5.6% of its IT budget on security and risk management, according to new data from Gartner Inc.
But Gartner also found organizations tend to equate higher IT security spending with stronger security, without evaluating other key factors like business requirements, risk tolerance and satisfaction levels.
The research firm suggests most enterprises should spend between 4% and 7% of their IT budgets on IT security, but stresses that the amount truly depends on the organization and its risk factors.
The bottom line? The amount of money spent on security is potentially a misleading indicator of program success, Gartner said.
"General comparisons to generic industry averages don't tell you much about your state of security," said Rob McMillan, research director at Gartner, in an announcement. "You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers."
That means that, more often than not, the more important factor for an organization is not the amount spent but its approach to security. A secure ecosystem is far more important than frivolous spending, which can give companies a false sense of security.