When IT and business leaders disagree on the tech budget

October 30, 2025


This article is part of Spiceworks’ Recalibrating Risk Tolerance series investigating the contemporary landscape of cybersecurity risk. You can follow along on our landing page, where we’ll be adding new stories all week.

Do you believe your organization spends enough on technology to support its strategic business objectives? It doesn’t take that much lived experience to appreciate that if the people who allocate the resources think the answer is “yes,” and the people who apply the resources and do the work think the answer is “no,” things are probably not going to work out as planned.

In the Spiceworks State of IT 2025 report, responses showed that technical professionals are significantly out of sync with IT leadership and senior business leadership when it comes to technology budget allocations:

The index for “Net adequacy of IT spend” for each of these groups is based on their responses to our question at hand. A net adequacy index of +100% means that all respondents perceived current IT spending as adequate, while -100% means that all perceived it as inadequate. Generally, a net adequacy index of +50% or higher would be considered strongly positive, and -50% or lower would be considered strongly negative.

To put this in perspective, an index of -51.9% can be thought of as a “not adequate” to “adequate” ratio of about 3 to 1. An index of +20% is an “adequate” to “not adequate” ratio of 3 to 2.
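The conversion behind those two examples, worked through in general (an added derivation, not part of the original article; it assumes every response counts as either "adequate" or "not adequate", with no neutral option):

Let $a$ be the share of respondents answering "adequate" and $n$ the share answering "not adequate", with $a + n = 1$. The net adequacy index is

$$I = a - n.$$

Solving for the two shares gives

$$a = \frac{1 + I}{2}, \qquad n = \frac{1 - I}{2}, \qquad \frac{n}{a} = \frac{1 - I}{1 + I}.$$

For $I = -0.519$: $n/a = 1.519 / 0.481 \approx 3.16$, i.e. about 3 to 1 "not adequate" to "adequate". For $I = +0.20$: $a/n = 1.20 / 0.80 = 1.5$, i.e. 3 to 2 "adequate" to "not adequate".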

In the State of IT 2026 study, the chasm between Leadership and IT Staff still exists.

Note: the full SWZD State of IT 2026 report is scheduled for release on November 11, 2025, the first day of SpiceWorld 2025 in Austin, Texas. Be sure to check it out — or even better, come and join us!

Let’s put tech spending in perspective. Based on the State of IT 2025 dataset:

  • Total annual tech spend as a percentage of annual revenue ranges from less than 1% (5th percentile) to more than 50% (95th percentile), with a median of about 2%.
  • Total annual tech spend per employee ranges from less than $5 (5th percentile) to more than $35,000 (95th percentile), with a median of about $1K.

Note that the average spend per employee is about $7,100, which is an excellent illustration of how the average (mean) and the median can be wildly different for distributions with “long tails.” For example, there are a smaller number of multi-million dollar homes in the greater Boston area and a larger number of more modestly priced homes in Massachusetts located outside the Route 128 beltway. But for Massachusetts overall, the expensive homes skew the average much higher than the median, which is the 50/50 mark — half are above, and half are below. I generally prefer to use the median, because it’s much more useful for understanding the data.

Technology budget insights into cybersecurity and risk

Let’s dive deeper and look at some insights specific to spending on cybersecurity. Across all respondents:

  • For the numerator, I took all of the tech spending on cybersecurity-related categories
  • For the denominator, I took that plus all of the other spending on “computing infrastructure” (which included hardware, software, services, and facilities)

The ratio — cybersecurity spending as a percentage of total expenditure on computing infrastructure — is especially interesting. Think of it: if you have a total of $100 to spend on computing infrastructure, how much of that will you spend on cybersecurity?

  • In the State of IT 2025 dataset, the range was 5% to about 26% (median: 11.2%)
  • This was marginally higher than the State of IT 2024 findings (median: 11.1%)

If you have zero tolerance for risk, you could spend 100% of your technology budget on cybersecurity, and you’ll pretty quickly go out of business. At the other extreme, you could spend 0% of your technology budget on cybersecurity — and you might get away with it. Still, there’s also a pretty good chance you’ll suffer a cybersecurity incident and potentially go out of business. There’s no one right answer.

Why is there such a wide range? I can think of at least three significant reasons:

  1. Acceptable risk. Your organization may have a low risk tolerance, and therefore spend a higher percentage of its total budget on cybersecurity. Mine may be the opposite: a higher risk tolerance, and consequently a lower willingness to spend on cybersecurity. Maybe you’re in an industry with stringent regulatory compliance requirements. Maybe I’m unaware of or simply ignoring the cybersecurity-related risks — which effectively means that I’m accepting them. The point is, there’s no one right answer. This is the crux of the risk professional’s ultimate mission: to help the senior leaders make better-informed business decisions about cybersecurity-related risks.
  2. Costs to mitigate risk. I may prefer to invest more in cybersecurity and “buy down” my risk, but maybe I simply can’t afford it. As an analogy, much earlier in my career, with a wife and three young children, I would have preferred to buy a large life insurance policy to ensure that they were taken care of for many years should I unexpectedly meet my maker. My appetite for risk was low. However, those were the “struggle bus” years financially, so I couldn’t afford to buy down that risk as much as I would have liked.
  3. Ability to implement (e.g., technical staffing). You may have a budget that matches your threshold for acceptable risk, but not the staffing and skills required to implement it.

There could be other reasons as well. But to bring this discussion full circle, this is why technical professionals need to do a better job of speaking the same language as senior business leaders. We’ll be more likely to get the budgets we’d like if we help them understand the risks, as risks are properly defined (i.e., how frequently something occurs, and how much business impact there would be if it does occur).

We must also remember that we justify proposed investments in technologies based on business outcomes, which, in my experience, fall into three high-level categories:

  1. Managing downside risks to an acceptable level (cost avoidance)
  2. Improving operational efficiencies (cost savings)
  3. Enabling upside opportunities (revenue, profit, growth, market share, and so on)

This is the focus of my talk at the SpiceWorld 2025 conference in Austin, Texas this November. It’s called “Budgets, Business Value, and Better-Informed Decisions: Applying the ‘Overton Window’ Concept to Cybersecurity Risks.”

I’m aiming to help attendees gain insights into a new way to define and articulate their organization’s cybersecurity risk appetite — the amount of risk it’s willing to accept, in pursuit of its strategic goals — and understand how this relates not only to budgets but also to fostering a healthy risk culture where shared values and behaviors guide more effective decision-making.

If you’re able to come, great! I’ll see you there. If not, no worries. I’m also hoping to share more of that important content after SpiceWorld 2025.

Derek Brink

Vice President and Research Fellow, Information Security and IT GRC, Aberdeen

Derek E. Brink, CISSP is a vice president and research fellow at Aberdeen, focused primarily on topics in Information Security and IT GRC. He earned an MBA with honors from the Harvard Business School and a BS in Applied Mathematics with highest honors from the Rochester Institute of Technology. Derek is also adjunct faculty at Harvard University and Brandeis University, where he teaches graduate-level courses in cyber security.