Kevin Thomas

How Much Money is Enough to Spend on Cyber Security?


When we talk to Boards of Directors and Audit Committee chairs, this is the most frequent question we hear. Money spent in preventing a cyber security breach is hard to justify. After all, you don’t want to spend more than necessary on something that is not going to help your business grow and prosper.


Typically, companies will spend around 2.5% of their IT budget on very basic defenses, i.e. prevention. Smarter companies realize that detection (during or after an attack) is just as important and spend a further 2.5% on it. And sophisticated companies will spend the same again on reaction preparedness. So 7.5% of the IT budget is considered to be best practice.


How much should you spend on your cyber protection?

What is your Value At Risk?


But the real criterion should be “Value at Risk” (VAR). This is a well-established measure that businesses use in mitigating conventional business risks, such as physical security (locks, fences, safes, guards) or fire security (sensors, sprinklers). For digital assets, some companies have a small VAR (e.g. businesses in the services sector) and some have a very significant VAR (banking, energy). So a bank or an Oil & Gas company might spend over 10% of their IT budget on digital security. VAR has jumped recently because of the increase in attacks that paralyze your company’s servers and demand a ransom to release the compromised systems and data. This sort of blackmail can bring an entire company to a halt, and you can imagine the cost of losing a day’s productivity, or (worse still) having important data deleted forever. In one recent case, the ransom demanded was $200 million.


Furthermore, companies that are low on the maturity curve and have to invest in catching up will experience a peak that can be double these typical numbers. Establishing your position on the Capability Maturity Model Index (CMMI) is an important step. A CMMI of 1 represents a company with many gaps in its defenses, and a CMMI of 5 represents a company with extremely low vulnerability (for example, one that encrypts all of its data).


“Attacks that paralyze your company’s servers and demand a ransom to release the compromised systems and data.”

The Equation


So one way of answering the question “How much is enough” is the equation:


  • Digital security annual spend = VAR / CMMI


An average company may have a VAR of $30 million and a CMMI of 3, so it should be spending $10 million annually on digital security. Please don’t take the formula too literally; things are nowhere near as scientific as this in the real world, but the principles are sound.



Ask the Experts


As independent security experts, let us help you determine the best options to protect your business. Contact us.