Budgeting Cybersecurity 2022

Published On: October 29, 2021

This post was contributed by Chad Boeckmann, CEO of TrustMAPP

When it comes to cybersecurity spending, the typical approach is to ask, “How much is enough?” But does your plan simply meet compliance, or does it include a strategy to succeed?

Too often, companies look at cybersecurity as an insurance package, and too often they budget for cybersecurity the way coupon shoppers approach a retail store on Black Friday. This approach, sometimes driven by CFOs or CIOs, unnecessarily leaves the business exposed or leaves its cybersecurity staff without the people or tools needed to fight the battle.

As an example, ransomware recovery costs now reach nearly $2M, more than doubling in a year according to Sophos. It is important to distinguish between recovery costs and the total cost of a ransomware event. According to IBM’s findings, the total average cost of ransomware, from identification and containment through recovery, was $4.62M, higher than the average data breach. Even if your business has cyber insurance to transfer the direct financial risk, a successful attack can still lead to major reputational damage, lost customers and revenue, and legal fees that your insurance likely does not cover, as well as an impact on future revenues.

Take your complimentary Ransomware Readiness Assessment and determine if you are prepared.

Looking beyond ransomware at other types of data breaches, IBM’s study shows that average data breach costs rose from $3.86M to $4.24M over the past 12 months, a 10% increase year over year.

Ask yourself, “Is your cybersecurity performance improving more than 10% per year?”

How many of these loss events can your company afford in a given budget cycle? With regard to potential loss, an ounce of prevention is truly worth a pound of cure.

Plan Your Work and Work Your Plan

In our current socio-economic environment, managing cybersecurity to a budget is a recipe for failure. If your cybersecurity spend was a total of $1 million in 2020, that does not mean your budget should simply be 5-7% higher this year following the traditional budget approval process. We, as collective leaders, need to think more strategically about how the business will be meaningfully protected against future loss, and align the dollars and project priorities accordingly. This begins by understanding the company’s cybersecurity performance against a chosen set of controls that guide the organization, together with the objectives the business must meet to succeed in the marketplace. Aligning cybersecurity performance with business objectives is the intersection at which the question “How much is enough?” can actually be understood and answered with regard to the cybersecurity budget.

How Much Is Enough?

Let’s take a look at the Computer Economics IT Spending and Staffing Benchmarks 2021/2022. In summary, they break down IT budgets for small, midsize, and large companies, categorized by the size of their IT operational budgets:

  • Small organizations are defined as those having IT operational budgets of less than $5 million
  • Midsize organizations are defined as those having IT operational budgets of $5 million to less than $20 million
  • Large organizations are defined as those having IT operational budgets of more than $20 million

With that context, we can then look at a Gartner report which finds that the companies it researched spend an average of 5.6% of their overall IT budget on cybersecurity, with a range of 1% to 13%. This matches what we have seen on average with customers across varying industries. There are no one-size-fits-all budget guidelines, even within the same industry. Most financial institutions, for example, spend on average 10% of their IT operational budget on cybersecurity, according to a study from Deloitte.

Armed with that data, and using the average of 5.6% of the IT operational budget spent on cybersecurity, let’s look at what your company might be budgeting for cybersecurity based on industry averages:

  • Small organizations with IT operational budgets of $5 million or less, using 5.6% of the budget for cybersecurity, will likely invest between $280,000 on the high end and $56,000 on the low end.
  • Midsize organizations with IT operational budgets of at least $5 million but less than $20 million, using 5.6% of the budget for cybersecurity, will likely invest between $1.12 million on the high end and $280,000 on the low end.
  • Large organizations have IT operational budgets of at least $20 million; for bookend purposes, let’s use $100M as the top end of their budget. Again using the average of 5.6% of the IT budget for cybersecurity, these companies will likely invest between $5.6 million on the high end and $1.12 million on the low end.

Now ask yourself, “Is this average budgeting really going to meet the business objectives of the company while maintaining a healthy cybersecurity performance?” To learn more about benchmarking, prioritizing, and budgeting cybersecurity, visit https://trustmapp.com, pioneers in cybersecurity performance management since 2015.
