How Much Do We Really Spend on IT Security?

I’m always interested to read what the young scribblers in those expensive analyst organisations are claiming about our security spending habits. I’ve spent a good deal of time measuring and comparing levels of security spending with other companies from various industry sectors. And it’s always been very different from that suggested by the analysts. Years ago, when many of them were telling us that typical spending was around 3-5% of IT budget, I was measuring and benchmarking it as nearer to 1% of IT budget.

So I was fascinated to read the recent projection from Forrester Research that this year most companies will spend between 7.5% and 9% of their IT budgets on security regardless of their size, geography or industry. Now I’ve noted an increase in spend over the last few years. But in my experience it’s a long, long way from these heady levels. And I’ve also noted a tightening of the belt in many organisations, making it more difficult to increase headcount and budget.

Of course we might all be interpreting the phrase “security spending” in different ways with different scopes. Indeed this is likely to be a major factor in our different perspectives, though my experience has been that most organisations have a reasonably consistent view of what it covers.

If the claimed figures are correct then we should expect to see large organisations employing several hundred full-time professionals. And we should also expect security technology sales to be substantially higher than they are today. I don’t see any of this happening. Perhaps I’m missing something? I’d be interested to hear what others think. Because it’s an important measure that underpins the business case for our security capability.