Powered by 
This is the third in my series of blogs on The State of IT Spend in 2024, based on data gathered in the Spiceworks Ziff Davis State of IT 2024 report. Like the others, it features Aberdeen’s analysis of IT spending using a standards-based taxonomy of 84 specific areas across eight high-level categories:
- In The State of IT Spend in 2024: How Does Your Organization Compare?, we shared the ranges (from 5th percentile to 95th percentile) and medians (50th percentile) for each of the eight high-level IT spending categories. A simple, interactive assessment tool can help you see how your organization’s choices and tradeoffs across these categories compare with those of others.
- In The State of IT Spend in 2024: Computing Infrastructure and Technical Staffing, we looked at an illustrative example of how resource allocation decisions for 2024 are reflecting current IT strategies — by comparing the percentage of annual Total IT Spend allocated to “In-House” (Hardware, Software, Facilities and IT Labor) and “Outsourced” (Hosted / Cloud-based Services and Managed Services) spending categories. Among the many interesting insights, Over 95% of organizations are investing in a blended approach, with the median ratio of outsourced to in-house spending across all respondents at about 40%.
Here, we focus on a second illustrative example of how an organization’s strategic initiatives are being reflected in its resource allocation decisions and in an area of growing importance where quantitative insights are sorely needed — spending on cybersecurity as a percentage of spending on computing infrastructure (whether in-house or outsourced).
For most technical professionals and senior leaders, the key questions are simple: How much should we invest in cybersecurity? How does our organization compare with others?
The age-old challenge, of course, is that there’s no “one right amount.” Cybersecurity is a technical issue, but the answer to these questions is business decisions based on how much security-related risk the organization is willing to accept. Two organizations might have the same technical characteristics. Still, one may prefer to accept a lower level of security-related risk — and correspondingly, it invests more in cybersecurity than the other.
In the same spirit of “how does your organization compare” from the first blog, this is where Aberdeen’s analysis of the percentile curves (which show both the median and the range) can at least provide some useful insight. As a percentage of annual Total IT Spend on computing infrastructure (hardware, software, facilities) — including both in-house and outsourced — analysis found that the amount allocated to cybersecurity ranged from 1% to 25.1% (median: 11.1%).
See More: IT Spending in 2024: Three Key Trends
So, for example, If your organization spends $1M per year on its computing infrastructure, the benchmark for how much others spend annually on cybersecurity ranges from $10K to $251K (median: $111K).
Looking at this another way, If your organization’s annual investment in cybersecurity is 10% of its annual total spend on computing infrastructure, that would put you at about the 46th percentile — just below the median. See Figure 1, below.
Figure 1: How Does Your Organization’s Cybersecurity Spending Compare?
Source: Adapted from the Spiceworks Ziff Davis State of IT 2024 report; Aberdeen, January 2024.
To help you see how your organization’s cybersecurity risk-based choices and tradeoffs compare with those of others, Aberdeen has developed a simple, interactive assessment tool. Just enter the value for your annual cybersecurity investments as a percentage of the annual Total IT Spend on your computing infrastructure and see where you fall on the percentile curve derived from the State of IT 2024 dataset. (You could also just eyeball it, based on Figure 1.)
With respect to the other key question, however — how much should we be investing in cybersecurity? — it’s important to recognize that the insight this percentile curve provides is more about “affordability” than risk. By analogy, home mortgage underwriters typically follow a rule that says no more than 28% of your gross monthly income should be spent on housing — but this is a benchmark of affordability, not a measure of “how much house” you should have. You may want and need “more house,” but this may be more than you can afford.
To that question, the analogy of life insurance is more on point: How much life insurance coverage should you have to provide for the future needs of your partner and dependents if you (and your income) were suddenly out of the picture? Suppose your analysis leads you to conclude that a $2M policy would address the financial risk to your loved ones — and now the issue of affordability comes back into focus because you may or may not be able to afford the annual premiums necessary for that level of coverage.
In an academic paper out of the University of Maryland published in 2002, the authors did some fancy math to estimate the optimal amount to invest in reducing the risk of a data breach — which turned out to be 1/e (about 37%) of the value of the information at risk. But here again, even when we do figure out and master reasonable ways to quantify our security-related risks — and make our decisions about how much is acceptable — we may or may not be able to afford the investments in cybersecurity needed to reduce those risks to an acceptable level.
And so, like always, we’re back to making choices and tradeoffs. Key capabilities we need to help us — risk quantification and making better-informed business decisions about security-related risks — will be our topics for the next blog!
How does your organization navigate the delicate balance between cybersecurity investment and computing infrastructure spending? Join us for an insightful discussion on The State of IT Spend in 2024: Managing Choices and Tradeoffs in a webinar. We’d love to hear from you!
Image Source: Shutterstock
MORE ON COMPUTING INFRASTRUCTURE & CYBERSECURITY
Wanda Parisien is a computing expert who navigates the vast landscape of hardware and software. With a focus on computer technology, software development, and industry trends, Wanda delivers informative content, tutorials, and analyses to keep readers updated on the latest in the world of computing.
