Global cybersecurity spending is projected to reach $240 billion in 2026, up 12.5% from $213 billion in 2025, driven by AI-powered security tools, cloud security expansion, and regulatory compliance requirements. The IANS/Artico benchmark report found that security budget growth slowed to 4% in 2025, with security spending declining from 11.9% to 10.9% of IT budgets as overall IT spending rebounded faster than security allocations. [src1, src2]
Data vintage: Based on Q3-Q4 2025 data from IANS Research (550+ CISOs), Gartner enterprise forecasts, and industry surveys.
Key shift: AI and cloud investments drove IT budget growth that outpaced security spending, compressing security's share of IT budget despite absolute dollar increases.
Definition: Total information security spend (personnel, software, hardware, outsourced services, training) divided by annual company revenue. Excludes physical security and general IT infrastructure unless security-dedicated.
| Company Revenue | Median | 25th Pct | 75th Pct | Top Decile |
|---|---|---|---|---|
| Under $50M | 2.1% | 1.2% | 3.5% | 5.0%+ |
| $50M-$500M | 1.1% | 0.7% | 1.8% | 2.5% |
| $500M-$1B | 0.8% | 0.5% | 1.2% | 1.8% |
| $1B-$10B | 0.69% | 0.4% | 0.9% | 1.3% |
| Over $10B | 0.6% | 0.35% | 0.8% | 1.1% |
Trend: Up from 0.50% average in 2020 to 0.69% in 2025 for large enterprises, but growth rate decelerating.
Red flag threshold: Below 0.3% of revenue for any company handling sensitive data signals underinvestment.
Definition: Total security spend divided by total IT spend (including security). Most commonly cited benchmark by CISOs for internal budget discussions.
| Company Revenue | Median | 25th Pct | 75th Pct |
|---|---|---|---|
| Under $50M | 26.1% | 18% | 35% |
| $50M-$500M | 16.5% | 12% | 22% |
| $500M-$1B | 11.6% | 8% | 15% |
| $1B-$10B | 10.9% | 8% | 14% |
| Over $10B | 9.5% | 7% | 13% |
Trend: Declined from 11.9% to 10.9% in 2025, breaking a five-year upward trend.
Red flag threshold: Below 8% of IT budget for mid-to-large enterprises indicates potential underfunding.
Definition: Security allocation as a percentage of total IT budget, segmented by primary industry vertical.
| Industry | Median % of IT Budget | Recommended Range | Key Compliance Driver |
|---|---|---|---|
| Financial Services | 13.5% | 10-15% | SOX, PCI-DSS, GLBA, DORA |
| Healthcare | 13.3% | 10-15% | HIPAA, HITECH |
| Government | 12.8% | 10-16% | FISMA, CMMC, FedRAMP |
| Technology | 11.2% | 9-14% | SOC 2, ISO 27001 |
| Retail/E-commerce | 9.8% | 8-12% | PCI-DSS |
| Manufacturing | 8.5% | 7-12% | NIST CSF, ICS/OT |
| Education | 7.2% | 6-10% | FERPA |
Trend: Healthcare and financial services budgets growing fastest due to regulatory pressure and ransomware targeting.
Red flag threshold: Any regulated industry below 8% of IT budget warrants immediate gap assessment.
Definition: How the total cybersecurity budget is distributed across functional categories.
| Category | Median Allocation | Range | Trend |
|---|---|---|---|
| Software & platforms | 36% | 30-40% | Up |
| Personnel & compensation | 30% | 25-39% | Stable |
| Outsourced/managed services | 15% | 10-20% | Up |
| Hardware & infrastructure | 10% | 8-15% | Down |
| Training & awareness | 5% | 3-8% | Stable |
| Compliance & governance | 4% | 2-7% | Up |
Trend: Software share grew from 30% to 36% over three years as cloud-native security tools replaced on-premises appliances.
Red flag threshold: Training below 3% signals risk — human error remains the #1 breach vector.
Definition: Total cybersecurity budget divided by total headcount.
| Company Size | Median | 25th Pct | 75th Pct |
|---|---|---|---|
| 1-99 employees | $2,700 | $1,500 | $4,200 |
| 100-499 employees | $1,800 | $1,000 | $2,800 |
| 500-999 employees | $1,400 | $900 | $2,200 |
| 1,000-4,999 employees | $1,100 | $700 | $1,800 |
| 5,000+ employees | $850 | $550 | $1,400 |
Trend: Per-employee costs declining for large enterprises due to economies of scale, rising for SMBs as baseline requirements increase.
Red flag threshold: Below $500/employee for any company processing customer data suggests critical gaps.
| Rule | Formula / Threshold | Interpretation |
|---|---|---|
| Revenue-based floor | Security spend >= 0.5% of revenue | Minimum viable security investment for any data-handling business |
| IT-budget target | Security = 10-15% of IT budget | Standard range; below 8% = underinvestment |
| Per-employee minimum | >= $1,000/employee for <1,000 headcount | Floor for companies handling PII or financial data |
| Growth parity rule | Security growth >= IT budget growth | If IT grows faster, security share erodes — leading risk indicator |
| Compliance cost ratio | Compliance <= 15% of security budget | Above 15% signals a compliance-driven rather than risk-driven team |
| Segment | Definition | Typical Characteristics |
|---|---|---|
| Small Business | Revenue under $50M, <100 employees | No dedicated CISO; security owned by IT manager; 4-10% of IT budget |
| Mid-Market | Revenue $50M-$500M, 100-1,000 employees | First dedicated CISO hire; mix of in-house and outsourced |
| Upper Mid-Market | Revenue $500M-$1B, 1,000-5,000 employees | Full security team; dedicated SOC or MSSP |
| Large Enterprise | Revenue $1B-$10B, 5,000+ employees | Mature security org; multiple specialized teams |
| Mega Enterprise | Revenue over $10B | Global security operations; regulatory-driven spending floors |
| Metric | 2024 | 2025 | 2026 (Proj.) | Direction |
|---|---|---|---|---|
| Global security spending | $188B | $213B | $240B | Up 12.5% |
| Security as % of IT budget | 11.9% | 10.9% | ~11.2% | Recovering |
| Budget growth rate | 8% | 4% | 6-8% | Recovering |
| Security as % of revenue | 0.65% | 0.69% | 0.72% | Up ~4% |
| Software share of budget | 34% | 36% | 38% | Up steadily |
Fetch when a user is building a cybersecurity budget, benchmarking security spend against peers, preparing a board-level security investment case, or assessing whether a company's security spending is adequate for its risk profile.