vSEC applies decades of security experience to create, assess and improve security programs for large, medium and small organizations. We provide guidance to boards, senior executives and security officers, using our business and security knowledge to help them identify and better manage their organization’s security priorities.
 

vSEC Security Briefing

How Much Should You Spend on Cyber Security?

According to recent surveys, most US companies spend between 7% and 15% of their IT budget on security. Security is more than a technology issue, but for many organizations IT spending reflects the complexity of their systems and data, and so it can serve as a reference point when planning a reasonable security budget. In 2020, Statista reported that companies averaged security spending of around 10% of their IT budgets over the prior five years. Perhaps reflecting more mature companies, a 2019 CIO Magazine survey reported an average of 15% of IT budgets spent on security, while International Data Corp reported average security spending of 7% to 10%. Non-profit organizations also have security obligations, and a 2018 Deloitte-NASCIO report showed US states spent an average of 6% to 10% of their IT budgets on security.

As a benchmark, plan on spending 10% of your IT budget on security

One insight from these surveys is that security spending, as an average percentage of IT budget, does not depend on company size but is more closely linked to a company's industry. For example, financial services firms (10% to 15%), professional services firms and technology companies invest more in security, while manufacturing firms spend less (averaging 2% to 4%). For the financial industry in particular, security controls have been driven by regulatory standards. As states and countries adopt stricter data protection and privacy laws, firms in many other industries will need to formalize and strengthen their security efforts.
Companies should invest in security to appropriately protect their key systems and confidential data. "Appropriate" can be subjective, but spending levels indicate how seriously a company takes security, which is why security budget questions are often asked in audits and vendor security reviews. When a security incident does occur, one protection for executives against lawsuits, regulatory penalties, accusations of negligence and investor backlash is being able to demonstrate that reasonable protections were implemented, including a security strategy and budget consistent with common professional practice.
Sources include: Wall Street Journal, Statista, CIO Magazine, IDC (International Data Corporation), NASCIO (National Association of State Chief Information Officers).
vSEC, LLC is a cyber security consulting firm. We help clients develop and implement security strategies to support their business goals. We help with security budget advice too. To learn more email info@vsecllc.com

What Does a CISO or Virtual CISO Cost?

Many firms need a Chief Information Security Officer to lead their cyber security program. The choices include hiring a full-time Chief Information Security Officer (CISO) or retaining a part-time "virtual CISO". This paper looks at the cost of either option for a CISO with 10+ years of experience and a master's degree.
A company's cyber security requirements depend on its business and regulatory environment as well as the complexity, confidentiality and value of its systems and data. This analysis assumes that the appropriate leader is an executive with 10+ years of cyber security experience and a master's degree, who can develop a security strategy aligned with business goals, plan and lead an implementation roadmap, and then support the monitoring and review of an effective security program. Make sure you get the skills you need; naming someone CISO does not magically give them the experience required to lead a company-wide security program.

CISO Costs

Per Salary.com, a Chief Information Security Officer in Chicago with 10 to 14 years' experience and a master's degree averages $286,000 in salary and bonus. The lowest 10% average $192k, and the upper 10% average almost $400k in annual salary plus bonus.

Including salary, bonus and benefits, median total compensation for a Chicago-based CISO with 10 to 14 years' experience and a master's degree is $370,954.

Virtual CISO Costs (and Benefits)

A virtual CISO can be thought of as a "fractional CISO": clients get a steady share of a security executive's time over a long-term relationship. Some cyber security consulting firms advertise the cost savings of virtual CISOs, and while you will pay less, we recommend viewing this as paying for the amount of security leadership you need rather than as getting a cheaper expert.
Virtual CISO advisory services are usually provided under long-term contracts of six to twelve months' duration, and these relationships often last for many years. Services are usually charged on a retainer basis covering an average or maximum number of hours per week or month.

For vSEC, monthly virtual CISO pricing usually ranges from $6,000 to $15,000, reflecting an average of one person-day a week to half-time services.

Other virtual CISO firms quote wider price ranges, e.g., $4,500 to $12,500 a month, and some charge a flat $10,000. For those offering comparable security expertise, these monthly rates all broadly reflect the fractional price of a similarly experienced full-time CISO. The cost "savings" versus a full-time CISO is primarily that you get to select the amount of security leadership and support you need to protect your business.
There are advantages to hiring a virtual CISO beyond the lower monthly expense. For vCISOs working as part of a consulting firm or team, clients have access to a wider range of security expertise if they need it, e.g., we work closely with an expert in privacy controls. Firms such as vSEC also have an established set of security documents, practices and tools that can be adapted to meet clients' needs more quickly. The virtual CISO role also offers the management benefits of planned and predictable deliverables, providing an independent source of leadership and guidance.

Conclusion

For many companies, a virtual CISO is an increasingly common alternative to a full-time Chief Information Security Officer. Among the advantages, a virtual CISO can provide more flexibility and access to a wider range of security resources at a price proportional to the support and experience required. Feel free to contact us at info@vsecllc.com if you'd like to learn more about how a virtual CISO relationship might meet your company's needs for cyber security expertise and leadership.