What Should You Actually Spend on Cybersecurity?

A CSO's practical budget planning guide for mid-market organizations — with benchmarks, a category framework, and a three-year roadmap.

W. Scott Montgomery & Richard Maloley

Every fall, the same conversation plays out in boardrooms across the country. The CSO or IT lead walks in with a security budget request, and someone across the table asks: "How does this compare to what other companies our size are spending?"

It's a fair question — and one that deserves a real answer. This guide gives you the numbers, the reasoning behind them, and the context you need to build a defensible, right-sized security budget for your organization.

Executive summary

Most mid-market leaders lack a confident answer to a simple board question: how much should we spend on cybersecurity? This guide provides one. For a typical $100M-revenue organization, a defensible security program runs in the neighborhood of 0.5% of revenue — roughly $500K, or about 10% of a standard IT budget — though the right figure depends on your industry, regulatory exposure, and risk appetite. Heavily regulated sectors such as financial services, healthcare, and credit unions should plan 15–35% above that baseline.

The economics are straightforward. A data breach now averages a record $10.22M in the U.S. (and $4.44M globally), so a seven-figure program that prevents even a single incident pays for itself many times over. At this scale, managed services (MDR/MSSP) typically deliver 24/7 coverage that internal hiring can't match until an organization is well past 1,000 employees.

What follows is a category-by-category budget framework, revenue-based scaling guidance, six strategies for securing board approval, and a three-year roadmap you can adapt to your own organization.

The mid-market benchmarks

Mid-market organizations — roughly $50M–$500M in revenue with 200–1,500 employees — occupy an awkward position in the security landscape. They're large enough to be targeted by sophisticated threat actors but often lack the dedicated security teams that enterprise organizations take for granted.

What is our baseline budget expectation? To keep it simple, we'll assume that the overall IT budget for our mid-market professional services firm with annual revenue of $100M is 5% of annual revenue, or $5M. (Source for budget percentage: Gartner Peer Community.)

Industry research consistently puts security spend in the following ranges:

| % of Annual Revenue | % of IT Budget | Avg. Breach Cost (IBM 2025) |
|---|---|---|
| 0.2–1.5% (lean to regulated) | 8–15% of total IT budget | $4.44M global; $10.22M US (record high) |

The ROI framing that works in every boardroom

A $1M annual security budget that prevents a single breach over five years delivers a 5:1+ return — before factoring in regulatory fines, insurance impacts, and reputational damage. Security is risk management, not an IT cost center.

For our example firm, the cybersecurity budget therefore comes out to approximately $500,000 (10% of the $5M IT budget, or 0.5% of revenue).

Core budget framework

Regardless of industry, every mid-market security budget should cover seven core categories. The estimates below are calibrated for a $100M-revenue company. These are example budget numbers to help set expectations — actual results will vary depending on what categories apply to you and what products, services, and wages you actually employ.

| Category | % of Budget | What's Included |
|---|---|---|
| People & Staffing | 35–40% | Security lead, analyst, vCSO/MSSP |
| Technology & Tools | 28–35% | EDR/XDR, SIEM/MDR, IAM, email security, vuln scanning |
| Assessments & Testing | 10–14% | Pen tests, vuln assessments, third-party audits |
| Cyber Insurance | 10–13% | Premiums vary by industry, revenue, and claims history |
| Training & Awareness | 6–9% | SAT platform, phishing simulation, tabletop exercises |
| Compliance & GRC | 5–8% | GRC tooling, policy management, third-party risk |
| IR Readiness | 4–6% | IR retainer, plan maintenance, playbooks |
| Total Estimated Budget | 100% | Assumes $100M revenue baseline |

Budget scaling by revenue

Security spend doesn't scale linearly with revenue. Smaller organizations pay proportionally more because the infrastructure baseline is relatively fixed regardless of company size. The examples below are a starting point.

| Revenue Band | Low Estimate | High Estimate | Typical Program Profile |
|---|---|---|---|
| $25–50M | $300–480K | $600–900K | Fully outsourced; managed services dominant |
| $50–100M | $480–750K | $900K–1.35M | Hybrid: 1–2 internal staff + MSSP/MDR partnership |
| $100–250M | $750K–1.2M | $1.35–2.4M | Small internal team; SOC 2/compliance pressure emerging |
| $250–500M | $1.2–2.0M | $2.4–4.5M | Dedicated security team; CSO likely; formal program |

The industry average

Regulatory obligations, threat profiles, and insurance requirements vary by sector, so most organizations spend somewhat above the general mid-market baseline. Averaged across the major verticals — healthcare, financial services, credit unions, manufacturing, retail, professional services, and technology — the typical adjustment looks like this:

| Average Budget Premium | Est. Annual Budget* | Cyber Insurance | Compliance Program |
|---|---|---|---|
| +15–35% over baseline | $750K–$1.8M | $40–105K annually | $60–155K annually |

*All-in security budget per $100M revenue, premium included.

Heavily regulated sectors — financial services, healthcare, and credit unions — consistently land at the top of these ranges, driven by examination requirements, mandated testing, and higher breach costs. Lightly regulated sectors such as retail and professional services typically land at the bottom. If your organization operates under a formal regulatory framework, plan toward the high end.

Making the case to the board

Getting a security budget approved is both a numbers exercise and a communication challenge. Six framing strategies will consistently move these conversations forward with executive teams and board members.

1. Anchor to breach cost. A U.S. data breach now averages a record $10.22M, with the global average at $4.44M (IBM 2025). A $1M security budget that prevents even one breach over five years delivers a 5:1+ ROI — a number any CFO can evaluate on its merits.

2. Lead with regulatory exposure. For regulated industries, fines and enforcement actions are quantifiable risks. Present the regulatory cost of under-investment alongside the program cost. The comparison usually closes the conversation.

3. Make the managed services case. A $120K/year MDR service provides 24/7 coverage equivalent to 2–3 full-time analysts at $300–450K fully loaded. This build-vs-buy math is compelling and typically ends internal headcount debates.

4. Stage the investment. Boards respond better to a phased roadmap than a large one-time ask. Year 1: foundational controls. Year 2: maturity improvements. Year 3: optimization. Show milestones, not just spend lines.

5. Tie security to insurance. Carriers are increasingly tiering premiums based on controls in place. MFA, EDR, and a tested IR plan can reduce premiums 15–30%. Frame security investment as insurance premium management.

6. Use peer benchmarks. Board members respond to peer comparisons. Underspending relative to sector peers is a governance risk. Pull Gartner or industry association data to show where your organization currently stands.

A three-year budget roadmap

For organizations building or maturing a security program, a phased approach consistently outperforms a large single-year investment. The model below assumes a $100M-revenue baseline. Apply the industry average adjustment (+15–35%) for a calibrated plan.

| Category | Year 1 — Foundation | Year 2 — Maturity | Year 3 — Optimization |
|---|---|---|---|
| Focus | Core controls, gap closure, MDR engagement | Compliance programs, pen testing cadence | Automation, threat intel, advanced monitoring |
| People | $180–220K | $220–280K | $260–350K |
| Technology | $140–180K | $200–260K | $240–320K |
| Assessments | $50–70K | $80–120K | $100–150K |
| Insurance | $20–40K | $40–80K | $40–80K |
| Training | $25–35K | $30–45K | $35–55K |
| Compliance / GRC | $20–30K | $40–70K | $50–80K |
| IR Readiness | $15–25K | $25–40K | $35–55K |
| Total (approx.) | $450–600K | $635–895K | $760K–1.09M |

Planning note: Year-over-year increases reflect program maturation, additional tooling, and typically one additional managed service expansion or staff role. Apply the industry average adjustment to these baselines for a board-ready investment plan.

In conclusion

There's no universal standard amount for a cybersecurity budget. There is a defensible range for every organization based on its size, industry, and overall risk appetite. The frameworks and estimates in this guide are designed to give you that starting point — whether you're building a program from scratch or making the case for increased investment.

The question isn't whether your organization can afford to invest in security. Given the cost of a breach, the weight of regulatory enforcement, and the expectations of cyber insurance carriers, the better question is whether you can afford not to.

Want a customized budget analysis?

Digital Elevation IT Security Services can produce a current-state assessment and a prioritized investment roadmap calibrated to your organization.

W. Scott Montgomery is Director of Security at Digital Elevation. With over 40 years of IT experience, Scott leads security engagements spanning penetration testing, compliance documentation, vCSO services, and security program development for mid-market and regulated-industry clients. Richard Maloley is a Senior Security Consultant at Digital Elevation and Springthrough.
