Security Budget Planner: how it works and what it delivers
Is your organisation spending enough on cybersecurity? Or perhaps too much on the wrong things? The Security Budget Planner compares your current security budget to industry averages and helps determine where every euro has the greatest impact. On this page, we explain how the tool works, the methodology behind it and what you can expect from the free and premium reports.
What is the Security Budget Planner?
The Security Budget Planner is a free online tool that helps you benchmark your cybersecurity spending against industry averages. By entering your industry, company size, IT budget and current security spending, you gain immediate insight into how your budget compares to similar organisations.
The tool analyses not only how much you spend, but also where you spend it. Are you investing enough in endpoint protection? Is your incident response budget in line with the norm? And which areas deserve more attention? The planner answers these questions with concrete, data-driven recommendations.
The purpose is twofold: on the one hand, the tool gives IT managers and CISOs an objective basis for budget discussions with management. On the other hand, it helps organisations that do not yet have a formal security budget to determine a realistic starting point.
Methodology and sources
The Security Budget Planner bases its benchmarks and recommendations on three authoritative sources from the cybersecurity industry:
- Gartner IT Security Spending Benchmarks — Gartner publishes detailed annual data on security spending by industry, company size and region. These benchmarks are used worldwide by CISOs and IT directors to substantiate budgets.
- SANS Security Spending Survey — The SANS Institute conducts an extensive annual survey among security professionals on budget allocation, priorities and expected growth. The results provide a practice-oriented view of how organisations distribute their security budget.
- IDC Worldwide Security Spending Guide — IDC's spending guide offers quantitative insights into security investments by technology domain and industry, with forecasts for the coming years.
The tool combines these sources to compare your current spending to the industry average. Two variables are taken into account: the security budget as a percentage of the total IT budget and the distribution across spending domains. This yields a more nuanced picture than a single percentage figure.
All calculations run locally in your browser. No data is sent to a server — your budget data remains entirely private.
The two steps explained
The Security Budget Planner consists of two steps. Each step collects specific information needed to generate an accurate benchmark and allocation recommendation.
In the first step, you map out your organisation profile. You select your industry (healthcare, finance, government, technology, retail, manufacturing or other), the number of employees (1-50, 50-250, 250-1,000 or 1,000+), your total annual IT budget (five ranges from less than €100,000 to more than €10,000,000) and the current percentage allocated to security (six options from less than 3% to more than 15%, including “unknown”).
Why these questions? The optimal security budget varies significantly by industry and company size. A healthcare institution with 500 employees has different security needs than a technology company with 50 people. By incorporating this context, the tool compares your budget to the right peer group rather than a generic average.
In the second step, you indicate how your security budget is being spent. You select from ten spending areas: endpoint protection (EDR/AV), network security (firewall/IDS), identity & access management, security awareness training, vulnerability management and pentesting, incident response, compliance & auditing, cloud security, data protection and DLP, and security operations (SOC/SIEM).
Additionally, you indicate where you experience the largest gap: prevention, detection, response, compliance or “no clear picture”. This helps the tool provide targeted investment recommendations. For example, if you spend heavily on prevention but nothing on detection, the tool highlights this blind spot in your defences.
What do you get?
After completing both steps, the Security Budget Planner immediately generates a comprehensive analysis with five components:
- Budget comparison — Your current security budget as a percentage of the IT budget, compared to the average in your industry and company size. This gives you immediate insight into whether you are above or below the norm.
- Recommended allocation per domain — An overview of how your budget should be distributed across the key security domains, based on industry averages and best practices.
- ROI analysis — An indication of where additional investment has the greatest impact on your risk profile, based on IBM data on the average savings per euro invested in preventive security.
- Investment recommendations — Concrete suggestions for domains where you should increase or decrease investment, tailored to your current spending and the identified gaps.
- Industry comparison — How your budget compares to other industries, so you can see whether your sector structurally invests more or less in security.
Free report
- PDF with your budget comparison against industry averages
- Recommended allocation across security domains
- Basic recommendations for budget optimisation
- Directly usable for internal budget discussions with management
The free report provides a solid starting point for organisations looking to substantiate their security budget. You receive a clear PDF that you can share with your manager or CFO to open the conversation about security investments. The comparison with industry averages makes it easier to explain why the current budget may be insufficient — or confirms that you are on track.
Premium budget analysis (€79)
- Budget gap analysis: current vs. recommended budget, per employee and as a percentage of revenue
- Return on Security Investment (ROSI) per measure — know which investment removes the most risk
- Recommended allocation across six domains with substantiation per domain
- Quick wins: the measures with the highest ROI at the lowest investment
- Comparison with Gartner and SANS benchmarks for your specific industry and company size
- Presentation-ready PDF designed for management and board presentations
The premium report goes significantly further than the free version. The budget gap analysis shows exactly how much your current spending deviates from the recommendation — not only in total, but broken down by domain. The ROSI calculations per measure help you set priorities: which investment removes the most risk per euro spent?
Particularly valuable is the overview of quick wins. These are measures that are relatively inexpensive but have a significant impact on your security posture. Think of multi-factor authentication, security awareness training or implementing a patch management policy. For each quick win, the estimated investment and expected risk reduction are displayed.
The presentation PDF is specifically designed to share with management and the board. No technical jargon, but clear charts and financial substantiation that make the business case for security investments transparent.
Free vs. premium compared
| Component | Free | Premium (€79) |
|---|---|---|
| Budget comparison with industry averages | ✓ | ✓ |
| Basic allocation recommendations | ✓ | ✓ |
| Budget gap analysis (current vs. recommended) | — | ✓ |
| ROSI calculation per measure | — | ✓ |
| Allocation across 6 domains with substantiation | — | ✓ |
| Quick wins (highest ROI, lowest investment) | — | ✓ |
| Gartner/SANS benchmark comparison | — | ✓ |
| Presentation PDF for management | — | ✓ |
Frequently Asked Questions
There is no fixed amount that applies to every organisation. The right security budget depends on your industry, company size, risk profile and the regulations you must comply with. On average, organisations spend 8-14% of their IT budget on security. The Security Budget Planner helps you determine the right percentage for your specific situation by comparing you to similar organisations.
The industry average varies considerably. Financial services and healthcare typically spend 12-14% of their IT budget on security, partly due to strict compliance requirements such as PCI DSS and NEN 7510. Technology companies spend around 10-12%, while retail and manufacturing average 8-9%. These percentages are rising annually due to the increase in cyber threats and new regulations such as NIS2.
This depends on your current security posture. Organisations without basic measures gain the most by investing in endpoint protection, identity & access management and security awareness training. For organisations that have the fundamentals in place, investment in detection (such as SIEM or SOC) and incident response typically yields the highest ROI. The planner analyses your current spending pattern and pinpoints exactly where additional investment makes the biggest difference.
Return on Security Investment (ROSI) is calculated by comparing the expected damage without a measure to the expected damage with the measure, minus the cost of the measure itself. IBM research shows that every euro invested in preventive security saves an average of €3.50 during an actual incident. The premium report includes ROSI calculations per measure, so you know exactly which investment delivers the most value.
Yes, the difference is significant. Heavily regulated industries such as healthcare and financial services structurally spend more on security due to compliance requirements. The public sector is investing more and more due to NIS2 obligations. Industrial companies are seeing a sharp rise due to the convergence of IT and OT (operational technology). The Security Budget Planner accounts for these industry-specific differences and compares your budget to the right peer group.
Speak management's language: financial risk. Present the gap between your current budget and the industry average, show the expected cost of an incident without adequate protection, and support your proposal with ROSI calculations. Use concrete scenarios: “a ransomware attack would cost our organisation an estimated €X, while the preventive measure costs €Y.” The premium report includes a presentation-ready PDF specifically designed for management and board presentations.
No, these are two different line items. The IT budget covers all technology-related expenses: infrastructure, hardware, software, licences, support, development and security. The security budget is the portion specifically allocated to cybersecurity — think of endpoint protection, network security, identity management, security operations, compliance tooling and incident response. In practice, the security budget is a subset of the IT budget, typically 8-14% depending on the industry.