How much money do companies spend on security?

Cybersecurity has become a top priority for companies of all sizes. As cyber attacks become more sophisticated and costly, organizations are dedicating larger portions of their IT budgets to security solutions. But how much are they really spending? Let’s take a closer look at some key statistics on corporate security spending.

What percentage of an organization’s IT budget goes to security?

According to various surveys and studies, companies today spend an average of 10-15% of their total IT budget on cybersecurity. However, this figure varies considerably based on company size and industry.

For example, a 2021 survey by IDC found that large enterprises with over 1,000 employees allocated about 15% of their IT spending to security. Medium businesses (100-999 employees) spent around 12%, while small businesses (fewer than 100 employees) averaged around 8%.

When looking at specific industries, banking and financial services invested the most in security at about 15% of their total IT budget. Retail and hospitality allocated around 12%, while media, education and manufacturing companies spent less than 10% on average.

How much do companies spend on security in dollar amounts?

When converted to actual dollar figures, security spending differs significantly based on the size of the organization:

  • Large enterprises – $9-15 million per year
  • Mid-size companies – $1-3 million per year
  • Small businesses – Less than $500,000 per year

According to Gartner, global security spending reached $150 billion in 2020. Gartner forecast this spending to grow to over $170 billion in 2022 as threats become more complex.

What are the largest security expenses?

Within their security budgets, companies prioritize spending in several key areas:

  • Cloud security – Securing infrastructure, applications and data stored in the cloud
  • Network security – Firewalls, intrusion prevention, secure gateways
  • Application security – Protecting software and APIs from threats
  • Endpoint security – Securing devices like laptops, mobile phones, tablets, etc.
  • Data security – Encryption, tokenization, database security, data loss prevention
  • Identity and access management – Managing user identities, access controls, permissions

Research shows that cloud security, network security and endpoint security make up close to 50% of most security budgets today.

What are some examples of security spending?

To put security costs into perspective, here are some real-world examples of what large and mid-size companies pay for various security solutions and services:

Security Expense                            Annual Cost Range
------------------------------------------  ------------------------
Endpoint detection and response platform    $30,000 – $100,000+
SIEM software                               $25,000 – $250,000+
DDoS mitigation service                     $5,000 – $50,000
Web application firewall                    $5,000 – $30,000
Antivirus/anti-malware software             $10,000 – $100,000
Annual security audits                      $50,000 – $500,000+
Managed security services                   $100,000 – $1,000,000+

These examples illustrate that both software solutions and professional security services carry significant costs, even for mid-sized organizations.

How is security spending changing over time?

As new threats emerge and regulations tighten, security spending has risen sharply over the past decade. Some key trends include:

  • Overall enterprise security budgets have grown by 12% per year since 2017
  • Cloud security spending increased by over 50% between 2018 and 2020
  • Demand for managed security service providers has risen 15% year-over-year
  • Data security tools and encryption saw 10% budget increases from 2020 to 2021

Analysts predict cybersecurity spending will continue growing approximately 10% annually over the next 5 years. Key drivers include digital transformation initiatives, complex compliance needs, and the shift to remote workforce models.

What impacts the level of security spending?

Many factors influence how much a company chooses to invest in cybersecurity. The most important determinants include:

  • Industry – Heavily regulated sectors like finance and healthcare spend more.
  • Geographies – Countries with stricter data protection laws drive higher spending.
  • Company size – Large firms with more data, IP and infrastructure have bigger budgets.
  • Security postures – Proactive security stances warrant more investment.
  • Previous breaches – Being breached leads to increased security funding.
  • Board pressure – Involvement from senior leadership pushes budgets up.
  • Revenue trends – Growing top lines allow more security investment.

These factors help explain why security spending varies so much across different industry verticals and organizational sizes.

What are some challenges with security budgets?

Despite steady increases in security spending, many organizations still face challenges in this area. Some of the most common budgeting issues include:

  • Underestimating the threats and not budgeting enough.
  • Allocating funds unevenly across too many tools.
  • Lacking executive sponsorship and buy-in.
  • Focusing spending on detection rather than prevention.
  • Prioritizing compliance over building robust defenses.
  • Not budgeting enough for training, audits and talent.

Experts recommend taking a risk-based approach to determine the right level of security investment. Performing exercises like threat modeling, risk assessments and loss forecasting can provide data-driven spending targets across mitigation areas.

What steps can companies take to optimize security budgets?

Organizations looking to refine their cybersecurity budgets should consider actions like:

  • Establishing a dedicated cybersecurity headcount and budget.
  • Basing budgets on risk analysis rather than arbitrary percentages.
  • Investing more in automated defenses than manual monitoring.
  • Consolidating tools to reduce duplicative spending.
  • Building business cases to show ROI on key security projects.
  • Shifting budgets to emerging threats like cloud risks, IoT, etc.
  • Funding strategic initiatives like security training and culture.

Taking these steps, along with right-sizing budgets to risks and revenue, allows companies to optimize their security spending. It enables them to have the resources and capabilities required to defend against modern cyber attacks.


Cybersecurity represents a significant and growing expense for enterprises today. Security budgets have climbed steadily in recent years, and most organizations allocate 10-15% of their total IT spending to security. For large firms, this equates to security budgets in the millions annually.

These budgets focus on priority areas like cloud security, network defenses, endpoint protection, and data security. However, many companies still face challenges in optimizing their cybersecurity investments and struggle to quantify the right spending levels based on risks. As threats become more frequent and sophisticated, organizations must take proactive steps to identify and fund the security controls and talent needed to protect their assets.