There is a primary question we should answer first: what budget percentage should an organisation allocate to IT? Only with this information can we understand the investment needed for cybersecurity.
Indeed, the IT budget is a crucial point when talking about the cybersecurity budget, because the first layer of cybersecurity is IT hygiene. This means that the IT department must have tools, but also IT employees with enough skills, experience, and time to properly manage, maintain, and improve the organisation's information system.
We can take the example of a person's health: a big medical budget does not by itself keep you in good shape; first and foremost, a healthy lifestyle does (when it comes to diet, stress levels, exercise, etc.). The same applies to IT security: with poor IT hygiene, you can spend millions of euros on the best cybersecurity products on the market and still be highly vulnerable.
The IT budget that should be allocated varies according to the type of organisation: the more central IT is to the business, the higher the budget should be. Consider two business extremes (excluding IT service providers, like Alter Solutions): banks and hospitals.
- Banks: Nowadays, banks are extremely dependent on IT services due to the (almost) complete digitalisation of their business - their thousands of critical daily operations rely on IT services. That is why the budget allocation for IT has been growing over the years and can reach up to 25% of an organisation's overall budget (for example, BNP Paribas's IT costs represented 22% of the group's overall costs in 2022, according to their operational performance report).
- Hospitals: like all organisations, they are moving towards a digital world, from digitalising patient records to networking medical devices. Even though these operations affect human lives, IT receives lower priority than other items, such as medical devices and staff, when budgets are allocated. This leads to a poor and insufficient IT budget.
According to an interview with the president of the French Association for the Security of Health Information Systems (APSSIS), Vincent Trely, French hospitals allocate 1.5% of their overall budget to IT. That is not enough to manage hospitals properly, and it makes them highly vulnerable to threats. This poor IT budget is directly linked to multiple breaches in French hospitals in the last few years (10 French hospitals were hit by cyberattacks in 2022). Health IT professionals claim that a minimum of 4% of the overall budget should be allocated to IT; with less than this, securing the information system becomes very difficult.
The IT budget of an organisation should be between 4% and 25% of the overall costs (unless you are an IT service provider). Once the IT budget is properly defined, it is possible to allocate a cybersecurity budget, which can vary between 10% and 15% of the overall IT budget.