How much is general percentage of security spend in an organization?

How much is general percentage of security spend in an organization? Any reports, data points would be useful..(question posted on behalf of a CISO member)


Replies to This Discussion

10% of the total IT budget, as per a survey report.

Depends... The expenditure is considerably higher if the organisation is breached and wants to maximise damage control. Proactive planning by info/cyber security teams can lead to reasonable spending on tools, controls and policies.

However, the budget depends on the organisation's business DNA... it's higher in BFSI but lower in other verticals.

It depends on the industry and on management focus, specifically if there is a regulatory requirement. Organizations become a little concerned only when some security incident takes place in the organization. Small organizations and fast-growing organizations are the least bothered about IT security.

The below reply is based on CISO Platform closed group discussion:

(private CISO member of a large IT company): "It varies from industry to industry, based on size and vertical sector.

  • Banking and financial sector is by and large the maximum, at about 18-25%.
  • Telecoms about 15-20%... Manufacturing is the lowest, at about 5-7%.

This is based on the various surveys and reports I have read, maybe early 2018."

The below reply is based on CISO Platform closed group discussion:

(private CISO member): What are the elements of security spend? There are 4 elements to it:

  i) Appraisal costs, like VA/PT, internal audits, BCP & DR testing, 24x7 SOC, BMS (24x7 camera surveillance). These are the various tests that you would do to check the status of your security.
  ii) Prevention costs, like designing the ISMS (developing and implementing various policies & procedures), developing risk assessment and risk mitigation (risk & control), infosec training. It will cover stuff such as the costs involved in AV and patching.
  iii) Cost of internal failures. These are the aspects that you encounter within the facility, like tailgating, identity theft, systems down due to security threats.
  iv) Cost of external failures...

I build on the quality model and will be sharing a paper soon.

The below reply is based on CISO Platform closed group discussion:

(private CISO member of Bank):

The security budget depends on the in-house capabilities and resources available and how much is outsourced. In big banks, the majority of the work gets done in-house, e.g. VA/PT, BCP/DR testing, patch management (with help from facility management), training etc. Internal audit is always in-house and no expenses need be budgeted for this. Thus, for big banks the components are primarily new solutions (software/hardware), AMC of acquired solutions, plus whatever is outsourced (existing and planned for the year). The percentage is normally 6-8% of the IT budget.

The below reply is based on CISO Platform closed group discussion:

(private CISO member): There is no industry standard for what constitutes the security budget. For example, for many organizations network security like firewall, IPS and NAC is part of the IT budget. So along with the percentage, it's important to understand what constitutes their security budget.

The below reply is based on CISO Platform closed group discussion:

(private CISO member of Bank): Yes, it varies from company to company. For a captive SOC, the expenditure for SIEM licences, manpower etc. has to be budgeted. If not in-house, the total cost of MSS will come instead. IT normally bears the cost / AMC renewal charges for all infrastructure, including security gadgets.

It may be 15-20% in BFSI and around 10% in other verticals.


© 2019   Created by CISO Platform.