A while back I asked the Gartner analysts who cover insurance for an estimate of what percentage of business revenue is typically spent on insurance. They came back with a range of .14% to .23% of revenue. Then I went to the Gartner analysts who cover overall IT spending and asked them what percentage of revenue the average business spent on IT, and they came back with 2.4%. Then I went to the Gartner analysts who cover major league baseball, and asked what Cal Ripken’s career batting average was, and they came back with .276. Gartner has a lot of analysts.
I then looked at our data, which showed the typical business spends 5-7% of the IT budget on information security, not counting spending on business continuity/disaster recovery. If you throw BC/DR in, the average is more like 11-12% of IT. If you combine all those averages, you find that the average business is already spending as much on information security as it is on insurance – more if you count BC/DR.
That’s not to say this is an apples-to-apples comparison – no fire insurance policy ever stopped a fire. In fact, to obtain fire insurance, businesses have to spend a lot on fire prevention. So insurance and prevention are really intertwined, not substitutable. But it does point out that the overall level of spending on information security is not low by any means – or does it?
Another comparison is retail shrinkage – loss due to shoplifting and employee theft. This tends to average about 1.5% of sales, and retail businesses spend something like 1.5% of sales to keep shrinkage down to 1.5% of sales – that means 3% of retail revenue is lost to shrinkage and its prevention, and that is seen as an acceptable cost of doing business. So, if information security spending were to reach that level, it would have to increase by a factor of 10 and consume more than 50% of the IT budget.
Of course, that’s not apples to apples either, since we are not counting physical security costs in our estimates of information security. But it does give us another data point on the other end of the spectrum.
I think the likely right answer is closer to where we are now. A lot of information security spending is way too heavy on dealing with older threats and way too light on dealing with new challenges. But many are able to reduce their spending on the former to feed spending on the latter – maintaining good-enough security while consuming a relatively constant percentage of the company’s income. There are certainly many, many examples of under-funded security programs, but there seem to be just as many security incidents at companies that are spending way above the industry average.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.