
IT Security Budgets Rise as Data Breach Fear Spreads

By John A. Wheeler | February 28, 2014 | 4 Comments


On the heels of high-profile data breach events such as the Target and Neiman Marcus thefts, there are reports of increasing budgets for corporate IT security departments. This week, a survey released by BAE Systems Applied Intelligence detailed the increases in security budgets across the globe. In the United States, 60 percent of those surveyed said their cyber security budget would increase as a direct result of recent attacks. A similar result can be found in other regions – 49 percent in Britain, 54 percent in Canada and 64 percent in Australia.

However, even before these recent attacks, Gartner observed an increase in IT security budgets in our 2013 Global Risk Management Survey. In fact, 39% of the 2013 survey respondents have been allocated funds totaling more than 7% of the total IT budget. That compares with only 23% of survey respondents receiving a similar amount in 2011 (see figure below).

The big question here is whether companies are using these budget increases in the most effective way or simply reacting to their fears. The only clear way to know is to understand how your current IT security environment matches up with your IT risk profile. To do this, it is imperative to have a highly mature IT risk management program in place. Gartner can help you determine your IT risk management maturity with our ITScore online assessment tool. Click here to learn more about ITScore and how it can help you strengthen your program.


The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • I.T. departments desperately need additional resources, both financially and operationally. The biggest issues I often see in organizations failing to implement a sound security platform are two-fold: (1). Not having comprehensive employee awareness training on many of today’s critical security threats and challenges and (2). Not following security policies and procedures as mandated by the documentation. To be clear, many companies have information security policies and procedures – they are cost-effective to obtain – but they simply purchase them and never practice what they preach. The documentation essentially becomes “shelfware”, and that’s not good.

  • Budgets for I.T. need to rise, as threats are becoming so incredibly overwhelming. Take the health care industry, where breaches of HIPAA Protected Health Information (PHI) are at an all-time high, and will unfortunately only continue to grow. One of the biggest needs is security awareness training, no question about it, and this is where money should be focused. Breaches of Protected Health Information (PHI) will continue to happen until both Covered Entities and Business Associates get serious about putting in place the necessary controls for ensuring the safety and security of PHI. It means developing comprehensive HIPAA policies and procedures, undertaking annual security awareness training and risk assessments, and many other critical activities. Sure, budgets are tight and margins are thin in today’s competitive business landscape, but what business do you have if PHI is breached and seriously compromised? I think most companies truly want to do all they can in protecting PHI and becoming HIPAA compliant, but it just seems overwhelming at first because of the massive amount of policies, procedures, and processes that need to be in place. My advice: take a deep breath, find an experienced HIPAA consultant, get a hold of some quality HIPAA policy templates and begin the process. You’ll get there!

  • As a longtime PCI-QSA working in the field of information security and cardholder data compliance, budgets need to increase for a number of obvious reasons, particularly the need for enhanced security awareness training for helping businesses understand global cyber security threats. However, easier said than done as I.T. departments are fighting for every penny they can get. As for using precious dollars most effectively, I advocate education over spending liberally on the next great software or hardware security solution. Awareness is the best defense for any company.

  • Attractive element of content. I simply stumbled upon your weblog and in accession capital to claim that I get actually loved account your blog posts. Any way I will be subscribing in your feeds or even I achievement you get right of entry to persistently quickly.