Every fall, the same conversation plays out in boardrooms across the country. The CSO or IT lead walks in with a security budget request, and someone across the table asks: "How does this compare to what other companies our size are spending?"
It's a fair question — and one that deserves a real answer. This guide gives you the numbers, the reasoning behind them, and the context you need to build a defensible, right-sized security budget for your organization.
Executive summary
Most mid-market leaders lack a confident answer to a simple board question: how much should we spend on cybersecurity? This guide provides one. For a typical $100M-revenue organization, a defensible security program runs in the neighborhood of 0.5% of revenue — roughly $500K, or about 10% of a standard IT budget — though the right figure depends on your industry, regulatory exposure, and risk appetite. Heavily regulated sectors such as financial services, healthcare, and credit unions should plan 15–35% above that baseline.
The economics are straightforward. A data breach now averages a record $10.22M in the U.S. (and $4.44M globally), so a seven-figure program that prevents even a single incident pays for itself many times over. At this scale, managed services (MDR/MSSP) typically deliver 24/7 coverage that internal hiring can't match until an organization is well past 1,000 employees.
What follows is a category-by-category budget framework, revenue-based scaling guidance, six strategies for securing board approval, and a three-year roadmap you can adapt to your own organization.
The mid-market benchmarks
Mid-market organizations — roughly $50M–$500M in revenue with 200–1,500 employees — occupy an awkward position in the security landscape. They're large enough to be targeted by sophisticated threat actors but often lack the dedicated security teams that enterprise organizations take for granted.
What is our baseline budget expectation? To keep it simple, we'll assume that the overall IT budget for our mid-market professional services firm with annual revenue of $100M is 5% of annual revenue, or $5M. (Source for budget percentage: Gartner Peer Community.)
Industry research consistently puts security spend in the following ranges:
| % of Annual Revenue | % of IT Budget | Avg. Breach Cost (IBM 2025) |
|---|---|---|
| 0.2–1.5% (lean to regulated) | 8–15% of total IT budget | $4.44M global / $10.22M US (record high) |
The ROI framing that works in every boardroom
A $1M annual security budget that prevents a single breach over five years delivers a 5:1+ return — before factoring in regulatory fines, insurance impacts, and reputational damage. Security is risk management, not an IT cost center.
Applying those ranges to our example firm, the cybersecurity budget comes out to approximately $500,000 (10% of the $5M overall IT budget).
Core budget framework
Regardless of industry, every mid-market security budget should cover seven core categories. The estimates below are calibrated for a $100M-revenue company. These are example budget numbers to help set expectations — actual results will vary depending on what categories apply to you and what products, services, and wages you actually employ.
| Category | % of Budget | What's Included |
|---|---|---|
| People & Staffing | 35–40% | Security lead, analyst, vCSO/MSSP |
| Technology & Tools | 28–35% | EDR/XDR, SIEM/MDR, IAM, email security, vuln scanning |
| Assessments & Testing | 10–14% | Pen tests, vuln assessments, third-party audits |
| Cyber Insurance | 10–13% | Premiums vary by industry, revenue, and claims history |
| Training & Awareness | 6–9% | SAT platform, phishing simulation, tabletop exercises |
| Compliance & GRC | 5–8% | GRC tooling, policy management, third-party risk |
| IR Readiness | 4–6% | IR retainer, plan maintenance, playbooks |
| Total Estimated Budget | 100% | Assumes $100M revenue baseline |
Budget scaling by revenue
Security spend doesn't scale linearly with revenue. Smaller organizations pay proportionally more because the infrastructure baseline is relatively fixed regardless of company size. The examples below are a starting point.
| Revenue Band | Low Estimate | High Estimate | Typical Program Profile |
|---|---|---|---|
| $25–50M | $300–480K | $600–900K | Fully outsourced; managed services dominant |
| $50–100M | $480–750K | $900K–1.35M | Hybrid: 1–2 internal staff + MSSP/MDR partnership |
| $100–250M | $750K–1.2M | $1.35–2.4M | Small internal team; SOC 2/compliance pressure emerging |
| $250–500M | $1.2–2.0M | $2.4–4.5M | Dedicated security team; CSO likely; formal program |
The industry average
Regulatory obligations, threat profiles, and insurance requirements vary by sector, so most organizations spend somewhat above the general mid-market baseline. Averaged across the major verticals — healthcare, financial services, credit unions, manufacturing, retail, professional services, and technology — the typical adjustment looks like this:
| Average Budget Premium | Est. Annual Budget* | Cyber Insurance | Compliance Program |
|---|---|---|---|
| +15–35% over baseline | $750K–$1.8M | $40–105K annually | $60–155K annually |
*All-in security budget per $100M revenue, premium included.
Heavily regulated sectors — financial services, healthcare, and credit unions — consistently land at the top of these ranges, driven by examination requirements, mandated testing, and higher breach costs. Lightly regulated sectors such as retail and professional services typically land at the bottom. If your organization operates under a formal regulatory framework, plan toward the high end.
Making the case to the board
Getting a security budget approved is both a numbers exercise and a communication challenge. Six framing strategies will consistently move these conversations forward with executive teams and board members.
1. Anchor to breach cost. A U.S. data breach now averages a record $10.22M, with the global average at $4.44M (IBM 2025). A $1M security budget that prevents even one breach over five years delivers a 5:1+ ROI — a number any CFO can evaluate on its merits.
2. Lead with regulatory exposure. For regulated industries, fines and enforcement actions are quantifiable risks. Present the regulatory cost of under-investment alongside the program cost. The comparison usually closes the conversation.
3. Make the managed services case. A $120K/year MDR service provides 24/7 coverage equivalent to 2–3 full-time analysts at $300–450K fully loaded. This build-vs-buy math is compelling and typically ends internal headcount debates.
4. Stage the investment. Boards respond better to a phased roadmap than a large one-time ask. Year 1: foundational controls. Year 2: maturity improvements. Year 3: optimization. Show milestones, not just spend lines.
5. Tie security to insurance. Carriers are increasingly tiering premiums based on controls in place. MFA, EDR, and a tested IR plan can reduce premiums 15–30%. Frame security investment as insurance premium management.
6. Use peer benchmarks. Board members respond to peer comparisons. Underspending relative to sector peers is a governance risk. Pull Gartner or industry association data to show where your organization currently stands.
A three-year budget roadmap
For organizations building or maturing a security program, a phased approach consistently outperforms a large single-year investment. The model below assumes a $100M-revenue baseline. Apply the industry average adjustment (+15–35%) for a calibrated plan.
| Category | Year 1 — Foundation | Year 2 — Maturity | Year 3 — Optimization |
|---|---|---|---|
| Focus | Core controls, gap closure, MDR engagement | Compliance programs, pen testing cadence | Automation, threat intel, advanced monitoring |
| People | $180–220K | $220–280K | $260–350K |
| Technology | $140–180K | $200–260K | $240–320K |
| Assessments | $50–70K | $80–120K | $100–150K |
| Insurance | $20–40K | $40–80K | $40–80K |
| Training | $25–35K | $30–45K | $35–55K |
| Compliance / GRC | $20–30K | $40–70K | $50–80K |
| IR Readiness | $15–25K | $25–40K | $35–55K |
| Total (approx.) | $450–600K | $635–895K | $760K–1.09M |
Planning note: Year-over-year increases reflect program maturation, additional tooling, and typically one additional managed service expansion or staff role. Apply the industry average adjustment to these baselines for a board-ready investment plan.
In conclusion
There's no universal standard amount for a cybersecurity budget. There is a defensible range for every organization based on its size, industry, and overall risk appetite. The frameworks and estimates in this guide are designed to give you that starting point — whether you're building a program from scratch or making the case for increased investment.
The question isn't whether your organization can afford to invest in security. Given the cost of a breach, the weight of regulatory enforcement, and the expectations of cyber insurance carriers, the better question is whether you can afford not to.
Want a customized budget analysis?
Digital Elevation IT Security Services can produce a current-state assessment and a prioritized investment roadmap calibrated to your organization.
W. Scott Montgomery is Director of Security at Digital Elevation. With over 40 years of IT experience, Scott leads security engagements spanning penetration testing, compliance documentation, vCSO services, and security program development for mid-market and regulated-industry clients. Richard Maloley is a Senior Security Consultant at Digital Elevation and Springthrough.