It may be difficult for enterprises to figure out how much they should spend on IT security, but research firm Gartner has statistics on how much their peers are spending.
Security is a trade-off between risk and cost, and enterprises in different industries may spend more or less depending on their situation, said Ian Reeves, a managing vice president for Gartner Consulting.
A survey of 1,500 or so companies worldwide found businesses spend an average of 5% of their total IT budget on security, according to Gartner's IT Key Metrics Data for 2010. Gartner also broke it down to security spending per employee, which averaged around $525 annually in 2009, compared to $636 in 2008 and $510 in 2007.
Of the total IT security budget, 37% is spent on personnel, 25% on software, 20% on hardware, 10% on outsourcing and 9% on consulting.
Companies should not necessarily worry if their spending is higher or lower than the average, Reeves said. The more important questions are why the spend is at a certain level and whether that level is good or bad.
It's possible to spend a fortune on security, but if it's done poorly, it doesn't help a business, said David Lello, a director at Gartner Consulting.
The general drivers for security spending include targeted malicious software attacks, cybercrime, regulation, remote access and new delivery models for services, such as cloud computing and software-as-a-service.
Companies ranked intrusion detection and prevention as the top security priority, followed by patch management, data loss prevention, identity management and antivirus.
Professional services is the sector that has the highest number of employees dedicated to IT security, followed by government, banking and financial services, utilities, education, manufacturing, health care, insurance and finally transportation.