How Much Should You Spend on Cybersecurity?

Short Answer

Industry benchmarks put cybersecurity at roughly 13% of IT budget and 0.7% of revenue on average, with 8–12% of IT budget typical for most enterprises and 10–15% for regulated or high-threat industries. But benchmarks answer "what do others spend," not "what should we spend." The right number for your organization is the point where an additional dollar of security spend stops reducing your modeled annual loss by more than a dollar — and finding that point requires quantifying your risk in dollars first. Method below.

Every CISO eventually faces some version of this question from a CFO or board, and the standard answer — a peer benchmark — survives because it's defensible, not because it's right. This guide gives you the benchmarks, because they're useful context and you came for them. Then it shows why they can't actually answer the question, and what does.

The benchmarks, since you came for them

Benchmark	Typical figure (2026)	Notes
% of IT budget	~13% average; 8–12% typical	The most-cited yardstick (IANS puts the average at 13.2%). Sensitive to how "IT budget" is defined — cloud, OT, and shadow IT often sit outside it.
% of IT budget, regulated/high-threat	10–15%+	Financial services, healthcare, defense. Regulatory floors push the range up.
% of revenue	~0.7% average	Useful for board context because the denominator is harder to game.
Per employee	~$1,200–$2,700/yr	Wide range across surveys; scales poorly between a software firm and a manufacturer with the same headcount.
Global market context	~$240B in 2026, +12.5% YoY	Spending is growing faster than IT budgets overall — the average is a moving target.

What benchmarks can't tell you

Four structural problems make peer spending a weak guide to your own:

The peer average doesn't carry your exposure. Two $50M companies — one holding regulated health data with thin margins, one selling industrial fasteners — face wildly different loss distributions. Matching their spend percentage matches their accounting, not their risk.
The denominators are inconsistent. "Percent of IT budget" varies with what's counted as IT. Organizations that moved security spend into product or operations budgets look underinvested on paper; ones that count compliance overhead look gold-plated.
Spending more isn't the same as being more secure. Benchmark logic implies a dollar spent is a unit of protection. It isn't — allocation quality dominates. An organization at 8% with disciplined fundamentals routinely carries less risk than one at 14% with shelfware.
Benchmarks are survivorship-flavored. They report what organizations spend, not whether it worked. The company that spent the median and got breached anyway is in the dataset, indistinguishable from the ones that didn't.

None of this makes benchmarks useless — they're a sanity check and a board-communication device, and we'll come back to that. It makes them an answer to a different question.

The question your board is actually asking

"How much should we spend on cybersecurity?" is rarely a budgeting question. Unpacked, it's: "Are we spending the right amount — too little and exposed, or too much and wasteful?" That's a risk question, and it has a structure benchmarks can't see: it's asking where your organization sits on a curve.

The spend-risk curve

Each additional dollar of security spend buys less risk reduction than the last. The optimal investment point is where the marginal dollar of spend stops returning more than a dollar of reduced expected loss — past it, you're buying comfort, not protection.

Security investment has steeply diminishing returns, and that shape creates three distinct regions:

Below the Cyber Poverty Line. Under-invested relative to your threat environment, where basic controls are missing and each dollar of spend buys large reductions in expected loss. Every enterprise has a minimum viable security posture — we've written the full essay on where that floor sits. If you're below it, the spending question is easy: more, starting with fundamentals.
The Goldilocks Zone. The region around the optimal investment point, where spend is calibrated to exposure. Marginal dollars still buy meaningful risk reduction, but the steep payoff is captured. This is where "the right amount" lives — and it's a property of your loss curve, not your peer group's average.
Diminishing returns. Past the optimal point, additional spend buys progressively less protection. Organizations end up here through accumulation — tools bought for last year's audit finding, renewals nobody re-justifies — and the excess rarely shows up in any benchmark, because the percentage still looks normal.

The optimal point isn't where risk reaches zero — it never does. It's where the marginal dollar of spend stops returning more than a dollar of reduced expected loss. Spend left of it and you're carrying risk that's cheaper to eliminate than to hold; spend right of it and you're buying comfort, not protection.

Total spend is the headline. Allocation is the money.

Here's the limit of the curve — and of every benchmark conversation: it treats security spend as one number. In practice, two organizations at an identical 13% of IT budget can carry completely different risk, because the money lands differently. One has five vendors stacked on identity while detection starves. The other is mirror-imaged. Same percentage, same "benchmark-aligned" posture, different exposures entirely.

When you quantify at the portfolio level — mapping every dollar of spend to the controls it funds, and every control to the loss scenarios it mitigates — three patterns surface that aggregate numbers structurally cannot show:

Overlap. Multiple vendors covering the same control surface. Each purchase was individually rational; collectively they're paying three times for one layer of protection.
Gaps. Domains where threat pressure is real and spend is near zero — usually because no audit finding ever forced the line item into existence.
Misalignment. Heavy mitigation where adversaries aren't pushing. A fortress in the wrong field: the controls work perfectly against attacks that aren't coming.

This is where benchmarks and CRQ platforms both stop. Benchmarks compare your total to a peer average. CRQ platforms — the good ones — quantify your exposure and stop there. Mapping your actual spend against that exposure, vendor by vendor and domain by domain, with reclaim dollars attached to each verdict: that analysis doesn’t come out of a benchmark report or a risk score. It’s what Foundations was built to produce. Here’s what it looks like when it lands — illustrative findings, in the form the platform delivers them:

Identity & Access Over-armored

5 overlapping vendors (~$2.65M) providing what 3-vendor coverage delivers. Consolidate; reclaim $1.1–1.4M without measurable change in modeled loss.

Recovery Fortress in the wrong field

98% mitigated in a domain where adversaries aren't pushing. Rebalance toward detection, where threat pressure is concentrated and coverage is thin.

Detection & Response Blind spot

Highest modeled threat pressure, lowest funded coverage — the gap no benchmark percentage will ever surface. Redirect reclaimed identity spend here: risk reduction without a budget increase.

Notice what happened across those three findings: the organization's total didn't change. The over-armored domain funded the blind spot. That's the answer benchmark logic can never produce — "you're spending roughly the right amount, in measurably wrong places" — and it's frequently worth more than the how-much answer, because reallocation doesn't require new budget approval.

Where each approach stops

The question	Benchmarks	Typical CRQ tools	Foundations
What do peers spend?	Yes	Sometimes	Yes, as context
What's our exposure in dollars?	No	Yes	Yes — ALE and Revenue at Risk
How much should we spend?	No — only what others do	Implied, rarely derived	Yes — the optimal investment point
Where does our spend overlap?	No	No	Yes — vendor-level, dollars attached
Where are we armored against attacks that aren't coming?	No	No	Yes — mitigation vs. threat pressure, by domain
Which dollars do we reclaim, and where do they go?	No	No	Yes — the reallocation plan itself

The first three rows are increasingly table stakes — exposure quantification is what the CRQ category sells. The last three are the rows that change budget meetings, and they require something the category doesn't build: a live map from every spend line to every control to every loss scenario, so that overlap, misalignment, and blind spots fall out as findings instead of hunches. That map is the platform.

How to find your number

Locating your position on the curve takes four steps. They're work, but they're tractable work — and far more tractable with modern tooling than the spreadsheet-and-workshop era that gave quantification its reputation for difficulty.

Quantify your exposure in dollars. Model your plausible loss scenarios — breach, ransomware, business interruption, regulatory action — as an Annual Loss Expectancy and, more usefully, a loss distribution. The business-legible version of this is Revenue at Risk: how much of what the company earns is exposed to cyber events, and with what likelihood.
Model what your controls actually buy. Map every dollar of current spend — and each proposed control — to the loss scenarios it mitigates. This is also where overlap, gaps, and misalignment become visible: the portfolio view above falls out of the same mapping. This is where most exercises stall manually and where AI-assisted analysis changes the economics — the mapping is information processing, not judgment.
Find the inflection. Rank candidate investments by marginal risk reduction per dollar. Fund down the list until the ratio crosses one-to-one (or your risk appetite's threshold). The stopping point is your optimal investment level — a number derived from your exposure, defensible in front of a CFO precisely because it isn't a peer average.
Re-run it when reality moves. The curve shifts with your architecture, your revenue mix, and the threat environment. A quantification you did once in 2024 is a photograph; the decision needs a feed.

What this looks like in practice

A $50M services firm models its annual loss expectancy at $2.1M across its top scenarios. A proposed control portfolio costing $400K/year reduces modeled ALE to $900K — $1.2M of risk reduction for $400K, comfortably worth funding. The next $300K of candidate spend models out at only $80K of additional reduction: past the optimal point. The firm's defensible answer to "how much should we spend?" is ~$400K — which happens to be 0.8% of revenue, near the benchmark. The difference is that now they know why, and they know what the next dollar buys.

Where benchmarks still earn their keep

Used correctly, benchmarks are a calibration device, not an answer. If your quantified optimal lands at triple the peer percentage, interrogate the model — your loss estimates may be inflated, or your industry may genuinely under-spend (it happens; ask anyone who watched ransomware reprice manufacturing risk). If it lands far below, check what scenarios you've omitted. And in board materials, presenting your derived number alongside the peer range answers the inevitable "how do we compare?" without letting the comparison drive the decision.

That's the inversion that matters: benchmarks as a check on your number, not a substitute for having one.

Benchmark figures reflect 2026 industry survey data (IANS Research security budget benchmarks, Gartner spending forecasts, and published per-employee ranges) and are presented as planning context; survey methodologies and denominators vary. The worked example is illustrative. Figures current as of June 2026.