Gartner Blog Network

IT Security Budgets Rise as Data Breach Fear Spreads

by John A. Wheeler  |  February 28, 2014  |  6 Comments

On the heels of high-profile data breach events such as the Target and Neiman Marcus thefts, there are reports of increasing budgets for corporate IT security departments. This week, a survey released by BAE Systems Applied Intelligence detailed the increases in security budgets across the globe. In the United States, 60 percent of those surveyed said their cyber security budget would increase as a direct result of recent attacks. A similar result can be found in other regions – 49 percent in Britain, 54 percent in Canada and 64 percent in Australia.

However, even before these recent attacks, Gartner observed an increase in IT security budgets in our 2013 Global Risk Management Survey. In fact, 39% of the 2013 survey respondents have been allocated funds totaling more than 7% of the total IT budget. That compares with only 23% of survey respondents receiving a similar amount in 2011 (see figure below).

The big question here is whether companies are using these budget increases in the most effective way or simply reacting to their fears. The only clear way to know is to understand how your current IT security environment matches up with your IT risk profile. To do this, it is imperative to have a highly mature IT risk management program in place. Gartner can help you determine your IT risk management maturity with our ITScore online assessment tool. Click here to learn more about ITScore and how it can help you strengthen your program.



John A. Wheeler
Global Research Leader - Risk Management Technology
9 years at Gartner
30 years IT Industry

John A. Wheeler is global research leader for risk management technology solutions and professional services. His areas of specialty include integrated risk management, executive leadership and corporate governance. Follow him on Twitter @JohnAWheeler.

Thoughts on IT Security Budgets Rise as Data Breach Fear Spreads

  1. […] that organizations allocate to information assurance. According to their October 2013 study ( the majority of organizations allocate between 3-10% of their IT budgets towards information […]

  2. I.T. departments desperately need additional resources, both financially and operationally. The biggest issues I often see in organizations failing to implement a sound security platform are two-fold: (1). Not having comprehensive employee awareness training on many of today’s critical security threats and challenges and (2). Not following security policies and procedures as mandated by the documentation. To be clear, many companies have information security policies and procedures – they are cost-effective to obtain – but they simply purchase them and never practice what they preach. The documentation essentially becomes “shelfware”, and that’s not good.

  3. Budgets for I.T. need to rise, as threats are becoming so incredibly overwhelming. Take the health care industry, where breaches of HIPAA Protected Health Information (PHI) are at an all-time high, and will unfortunately only continue to grow. One of the biggest needs is security awareness training, no question about it, and this is where money should be focused. Breaches of Protected Health Information (PHI) will continue to happen until both Covered Entities and Business Associates get serious about putting in place the necessary controls for ensuring the safety and security of PHI. It means developing comprehensive HIPAA policies and procedures, undertaking annual security awareness training and risk assessments, and many other critical activities. Sure, budgets are tight and margins are thin in today’s competitive business landscape, but what business do you have if PHI is breached and seriously compromised? I think most companies truly want to do all they can in protecting PHI and becoming HIPAA compliant, but it just seems overwhelming at first because of the massive amount of policies, procedures, and processes that need to be in place. My advice: take a deep breath, find an experienced HIPAA consultant, get a hold of some quality HIPAA policy templates and begin the process. You’ll get there!

  4. As a longtime PCI-QSA working in the field of information security and cardholder data compliance, budgets need to increase for a number of obvious reasons, particularly the need for enhanced security awareness training for helping businesses understand global cyber security threats. However, easier said than done as I.T. departments are fighting for every penny they can get. As for using precious dollars most effectively, I advocate education over spending liberally on the next great software or hardware security solution. Awareness is the best defense for any company.

  5. Attractive element of content. I simply stumbled upon your weblog and in accession capital to claim that I get actually loved account your blog posts. Any way I will be subscribing in your feeds or even I achievement you get right of entry to persistently quickly.

