IT Security and Cybersecurity Spending Benchmarks

Security and cybersecurity incidents are costly, with losses increasing every year. For example, in 2020 the FBI Internet Crime Report showed losses in excess of $4 billion due to internet crime, up from $3.5 billion in 2019. Although these losses are staggering, they are almost certainly the tip of the iceberg. They only reflect losses that are reported to the FBI, and many victims—whether individuals or businesses—choose not to file complaints or report losses. Moreover, the FBI data does not include certain types of losses, such as ransomware payments.

In addition to direct costs, victims often suffer indirect costs, such as revenue losses due to downtime, reputation or brand damage, and loss of trade secrets or intellectual property. These can easily exceed the level of direct costs.

In light of these growing threats, it is no wonder that organizations in all industries continually rank security as a top priority for new spending. But how much are they spending? To answer this question, we have released our new report, IT Security, Cybersecurity, and Compliance Spending Benchmarks.

Download free sample pages or buy the full report from the Avasant website.

What Are the Costs Included in the Security Tower?

The security spending tower includes all IT security, cybersecurity, and security-related compliance spending. It includes:

  • Security personnel costs (both internal and external personnel)
  • Security hardware
  • Security software
  • Outside security services. It includes both security spending, plus depreciation of security capital investments in the past.
  • It does not include current-year security capital spending.

The full report provides business and IT leaders with guidance for how much they should be spending on security as well as insights on where security and cybersecurity spending should be allocated. We provide benchmarks by industry and organization size for IT security, cybersecurity, and related compliance spending and staffing.

What Are the Security and Cybersecurity Spending and Staffing Metrics?

Security spending benchmarks are calculated across a number of units, including:

  • Number of users
  • Organization revenue
  • IT operational spending
  • Number of network devices
  • Number of network locations
  • Number of endpoints

Security staffing metrics are calculated as a percentage of the IT staff and also per user. Industry benchmarks are provided for business services, financial services, critical infrastructure, public sector, healthcare, manufacturing/distribution, and retail.

We also include a breakdown of security and cybersecurity spending by major category, including

  • Identity and access management
  • Security policy and awareness
  • Cybersecurity and incident response
  • Threat and vulnerability management
  • Data privacy and security
  • Governance, risk, and compliance (GRC).

We conclude with guidelines for benchmarking your IT security, cybersecurity, and compliance spending.

Download sample pages or purchase the full report from the Avasant website.



Avasant’s research and other publications are based on information from the best available sources and Avasant’s independent assessment and analysis at the time of publication. Avasant takes no responsibility and assumes no liability for any error/omission or the accuracy of information contained in its research publications. Avasant does not endorse any provider, product or service described in its RadarView™ publications or any other research publications that it makes available to its users, and does not advise users to select only those providers recognized in these publications. Avasant disclaims all warranties, expressed or implied, including any warranties of merchantability or fitness for a particular purpose. None of the graphics, descriptions, research, excerpts, samples or any other content provided in the report(s) or any of its research publications may be reprinted, reproduced, redistributed or used for any external commercial purpose without prior permission from Avasant, LLC. All rights are reserved by Avasant, LLC.