How to Create a Cybersecurity Budget: A Guide

A cybersecurity budget is the planned allocation of money, over a defined period, to the people, tools, services, and processes that protect an organization from cyber threats.

A small business gets quoted a number for a security tool, balks, and buys nothing. A year later it pays a ransomware demand, eats the downtime, and rebuilds from backups it never tested. The tool would have cost a fraction of the incident. The problem was not that security was too expensive. The problem was that there was no budget, so every purchase looked like an isolated cost instead of part of a plan.

That is what a cybersecurity budget fixes. It turns security from a series of reactive, panic-driven purchases into a deliberate allocation tied to what you are actually defending and what it would cost you to lose it. For a company starting from zero, with no line item for security at all, the work is not picking products. It is building the case, sizing the number, and spending it where the risk is.

This guide builds a cybersecurity budget from scratch. It covers how much to spend, then walks the sequence in order: inventory what you have, assess the risk, map controls to that risk, account for people and compliance, and leave room for the incident you hope never comes. It is written for the person who owns the decision, often without a security background, and for the defenders who will spend whatever gets approved.

What a cybersecurity budget is, and why start from a number

A cybersecurity budget is the planned allocation of money, over a defined period, to the people, tools, services, and processes that protect your organization from cyber threats. That is the whole definition. The value is not in the document. It is in the discipline it forces: deciding in advance what you will defend, what it is worth, and what you will spend to defend it, instead of reacting to the loudest vendor or the most recent scare.

Starting from scratch is different from trimming an existing one. You have no prior spend to review, no baseline of what worked. You are answering a blank page. That makes the order matter more, not less, because every later decision depends on an honest picture of your assets and your risk. Skip that and you end up with the small-business default: a firewall, antivirus, and hope, sized to whatever felt affordable rather than to what the business actually needs.

The budget is also a justification tool. When you ask leadership for money, "we need security" loses. "These three assets would cost us this much if breached, and these controls reduce that exposure for a fraction of it" wins. The budget is where that argument gets made in numbers.

How much should a small business spend on cybersecurity?

The honest answer is that it depends on your risk, your industry, and what you are protecting. But a starting benchmark helps when you are facing a blank page, and the most widely cited one is a percentage of the IT budget.

A common industry guideline puts cybersecurity spend at roughly 5 to 20 percent of the total IT budget. The wide range is the point. Where you land inside it depends on factors you can actually reason about:

  • Industry and regulation. A medical practice or a firm handling payment data carries compliance obligations and breach liability that a local retailer does not. Regulated and high-value-data businesses sit toward the top of the range.
  • Risk profile and threat exposure. A company that is fully remote, cloud-heavy, or holds sensitive customer data has a larger attack surface and belongs higher in the range.
  • What you are protecting. The more a breach would cost you in money, downtime, and reputation, the more the spend is justified.
  • Current maturity. Starting from nothing, your first year may skew high because you are buying foundational controls you never had, then level off as it becomes maintenance.

Treat the percentage as a sanity check, not a target. A budget built bottom-up from your real assets and risks is far stronger than one reverse-engineered to hit 12 percent. Use the benchmark to confirm you are in a reasonable range and to frame the conversation with leadership, then justify the actual number with the risk work below.

Step 1: Inventory your assets and current spend

You cannot budget to protect what you have not listed. The first move, before any tool or number, is an honest inventory of two things: what you are defending and what you already spend.

Catalog the assets. List the data, systems, applications, and devices that matter: customer records, financial systems, email, the cloud services you run on, employee laptops, the website. For each, note where it lives and how sensitive it is. This is the raw material for every later decision, because you size controls to assets, not to vibes.

Then catalog current spend, even informal spend. Most companies starting "from scratch" are not actually at zero. There is probably antivirus on the laptops, a firewall in the router, email filtering bundled with the mail provider, maybe a password manager someone expensed. Write it all down with its cost. This tells you your real starting point and surfaces what you are already paying for so you do not double-buy.

The output of step one is two lists: assets ranked by value, and existing controls with their costs. Everything after this is deciding how to close the gap between them.

Step 2: Conduct a risk assessment

With the asset inventory in hand, the risk assessment is where the budget gets its spine. This is the single most important step, because it converts a list of assets into a ranked list of risks, and you fund risks in order.

A risk assessment audits your business for the assets vulnerable to a cyberattack and weighs each exposure by two things: how likely a threat is to hit it, and how bad the impact would be if it did. A high-likelihood, high-impact risk (employee credentials phished, leading to a data breach of customer records) gets funded before a low-likelihood, low-impact one. The assessment is what stops you from spending the whole budget on a fashionable tool that addresses a risk you do not actually carry.

The practical method:

  • List the threats each asset faces: ransomware, phishing, business email compromise, stolen credentials, insider error, lost devices.
  • Rate likelihood and impact for each, even on a simple high/medium/low scale. Precision is less important than ranking.
  • Identify the gaps between the threats and the controls you already have from step one. Those gaps are what the budget buys.

If you lack the in-house expertise to do this credibly, this is the one place outside help pays for itself early. A third-party risk assessment, or one required by a client or partner, should itself be a line item. The assessment produces the prioritized list that the rest of the budget spends against.

Step 3: Map controls to risk and size the spend

Now you turn the ranked risk list into line items. For each top risk, the question is: what control reduces it, and what does that control cost? This is where the budget stops being abstract and becomes a list of things you will actually pay for.

Spend in priority order, and start with the foundational controls that cut the most risk per dollar. For most small businesses those are not exotic:

Control area                               | What it addresses                                                              | Typical priority
-------------------------------------------|--------------------------------------------------------------------------------|----------------------
Multi-factor authentication                | Stolen and phished credentials, the most common entry point                    | First, often low cost
Endpoint protection (EDR / antivirus)      | Malware and ransomware on laptops and servers                                  | First
Backup and recovery, tested                | Ransomware and data loss; the difference between an incident and a catastrophe | First
Email security and filtering               | Phishing and business email compromise                                         | High
Patch and vulnerability management         | Known exploits against unpatched software                                      | High
Network security (firewall, segmentation)  | Limiting what an intruder can reach                                            | Medium
Security awareness training                | Human error, the entry point tooling cannot fully close                        | Ongoing

Two principles keep this honest. First, optimize before you buy. Some gaps close by configuring a tool you already pay for, such as turning on MFA in the email suite you already license, rather than purchasing something new. Catch those in step one and you free budget for real gaps. Second, avoid tool sprawl. A pile of overlapping products you cannot manage is worse than a smaller set you operate well. Buy for a mapped risk, not for a feature list.

Size each line item with a real quote or a researched estimate, sum them, and check the total against the 5-20 percent benchmark. If you are far above it, you may be over-buying or facing genuinely high risk; if far below, you may be leaving a top risk unfunded. Either way, the benchmark is the gut check; the risk list is the answer.

Step 4: Budget for people, training, and compliance

Tools are only part of the spend, and a budget that funds only software underestimates the real cost of security. Three non-tool categories belong in the plan from the start.

People. Someone has to run the tools, watch the alerts, and respond when something breaks. Security talent is scarce and expensive, which is why many small businesses get more coverage per dollar by outsourcing to a managed service provider or a provider-run security operations center rather than hiring a full team they cannot afford or keep busy. Budget for the staffing model you choose (in-house, outsourced, or a blend), because unmonitored tools catch far less than tools someone is actually watching.

Training. Your people are the most-attacked entry point, and security awareness training is among the cheapest risk reduction available. Phishing simulations and regular awareness sessions cost little against the breaches they prevent. Make it a recurring line item, not a one-time event.

Compliance and insurance. If you handle regulated data or sell to enterprises, compliance is not optional and its costs are real: assessments, audits, controls mandated by a framework or a contract. Document those obligations and fund them. Cyber insurance increasingly belongs here too, often required by clients and partners, and the underwriting process itself will tell you which controls you are missing. Budget the premium, and budget the controls the policy requires.

Step 5: Plan for the incident you hope never happens

A budget that funds only prevention assumes prevention always works. It does not. The mature move, even on a first budget, is to set aside resources for response, because the cost of an incident handled with a plan is a fraction of one handled in a panic.

This does not require a large reserve. For a small business it means a few concrete things with a cost attached: a tested backup and recovery capability so you can restore without paying a ransom, a basic incident response plan that says who does what when something breaks, and a pre-arranged relationship or retainer with an outside responder if you have no in-house capability. Cyber insurance, budgeted in step four, also backs this category by funding response and recovery after an event.

The logic is the same one that justifies the whole budget. The expected cost of an incident, its probability times its impact, is almost always larger than the cost of being ready for it. Funding response is not pessimism. It is the part of the budget with the highest return when the day comes that you need it.
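The sequence above, run end to end on constructed data, as an added example that is not part of the original guide: a small Python script that takes the step 1 inventory of existing controls, rates each threat on the step 2 high/medium/low scale, ranks risks by likelihood times impact, finds the control gaps, prices the missing controls from quotes as in step 3, and checks the total against the 5-20 percent of IT benchmark. Beside each line item it also reports the expected annual loss the control addresses, the probability-times-impact figure from step 5, so the cost of being ready can be compared with the cost of the incident. Every asset, threat, dollar figure, the IT budget, and the mapping from a qualitative likelihood rating to an annual probability are assumptions invented for the illustration; replace them with your own inventory and quotes.

```python
from dataclasses import dataclass

# Qualitative scale from the risk assessment: precision matters less than ranking.
RATING = {"low": 1, "medium": 2, "high": 3}

# Assumed rough annual probability per likelihood rating. Used only for the
# expected-loss sanity check; the ranking itself stays qualitative.
ANNUAL_PROB = {"low": 0.05, "medium": 0.20, "high": 0.50}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str   # low / medium / high
    impact: str       # low / medium / high
    breach_cost: int  # constructed estimate of the loss if it happens, USD
    control: str      # the control that would reduce it

    @property
    def score(self) -> int:
        """Likelihood x impact on a 1-9 scale; this is what the ranking uses."""
        return RATING[self.likelihood] * RATING[self.impact]

    @property
    def expected_annual_loss(self) -> float:
        """Probability times impact, the step 5 figure that justifies the spend."""
        return round(ANNUAL_PROB[self.likelihood] * self.breach_cost, 2)


# Step 1 (constructed): controls already paid for, with annual cost in USD.
EXISTING_CONTROLS = {
    "antivirus": 600,               # the assessment mapped malware to EDR, so that gap stands
    "router firewall": 0,
    "bundled email filtering": 0,
    "disk encryption": 0,           # already built into the OS and enforced
}

# Step 2 (constructed): threats per asset, rated on the simple scale.
RISKS = [
    Risk("customer records", "phished credentials", "high", "high", 120_000, "MFA"),
    Risk("file server", "ransomware", "medium", "high", 90_000, "tested backups"),
    Risk("finance mailbox", "business email compromise", "medium", "high", 60_000, "email security"),
    Risk("laptops", "malware", "medium", "medium", 20_000, "EDR"),
    Risk("website", "unpatched CMS exploit", "medium", "medium", 15_000, "patch management"),
    Risk("laptops", "lost device", "low", "low", 3_000, "disk encryption"),
]

# Step 3 (constructed): quotes or researched estimates, USD per year.
# MFA costs nothing here because it is a feature of the mail suite already
# licensed (optimize before you buy); it still gets a line item so the risk is
# visibly covered.
CONTROL_COST = {
    "MFA": 0,
    "tested backups": 3_600,
    "email security": 2_400,
    "EDR": 3_000,
    "patch management": 1_800,
    "disk encryption": 0,
}

IT_BUDGET = 60_000  # assumed total annual IT spend, USD


def rank_risks(risks):
    """Highest score first; ties broken by expected annual loss."""
    return sorted(risks, key=lambda r: (r.score, r.expected_annual_loss), reverse=True)


def find_gaps(ranked, existing):
    """Risks whose mitigating control is not already in place, in priority order."""
    return [r for r in ranked if r.control not in existing]


def build_budget(gaps, costs):
    """One line item per control, in the order the gaps are ranked. A control that
    covers several risks is bought once and credited with all of their expected loss."""
    items = {}
    for r in gaps:
        item = items.setdefault(r.control, {"cost": costs[r.control], "covers": [], "expected_loss": 0.0})
        item["covers"].append(f"{r.threat} on {r.asset}")
        item["expected_loss"] += r.expected_annual_loss
    return items


def check_benchmark(total, it_budget, low=0.05, high=0.20):
    """Sanity check against the 5-20 percent of IT guideline; returns verdict and share."""
    share = total / it_budget
    if share < low:
        return "below", share
    if share > high:
        return "above", share
    return "within", share


def plan(risks=RISKS, existing=EXISTING_CONTROLS, costs=CONTROL_COST, it_budget=IT_BUDGET):
    """Run the whole sequence and return the budget, its total, and the benchmark verdict."""
    budget = build_budget(find_gaps(rank_risks(risks), existing), costs)
    total = sum(item["cost"] for item in budget.values())
    verdict, share = check_benchmark(total, it_budget)
    return budget, total, verdict, share


if __name__ == "__main__":
    budget, total, verdict, share = plan()
    for control, item in budget.items():
        print(f"{control:<18} ${item['cost']:>6,}  addresses ${item['expected_loss']:>9,.0f}/yr  {'; '.join(item['covers'])}")
    print(f"total ${total:,} = {share:.0%} of IT budget, {verdict} the 5-20% range")
```

On the constructed figures the five funded controls total 10,800 dollars against roughly 97,000 dollars of expected annual loss they address, and the total lands at 18 percent of the assumed IT budget, inside the benchmark range. The lost-device risk drops out of the budget because its control is already in place, and MFA appears as a zero-cost line item because the gap closes by configuration, which is the "optimize before you buy" point from step 3 made visible in the output.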

Putting it together

The sequence is the whole method, and it runs in one direction:

  1. Inventory. List the assets worth defending and what you already spend protecting them.
  2. Assess the risk. Rank threats by likelihood and impact, and find the gaps in current controls.
  3. Map and size. Match a control to each top risk, cost it, and check the total against the 5-20 percent benchmark.
  4. Fund people and compliance. Budget for who runs the tools, for training, and for regulatory and insurance obligations.
  5. Plan for response. Set aside tested backups, an incident plan, and a way to respond, because prevention is not enough.

Do it in that order and each number traces to a real risk, which is exactly the argument that gets a budget approved. Skip the inventory and risk steps and you are back to buying tools by reflex, which is the expensive habit the budget was supposed to end.

Frequently asked questions

How much should a small business spend on cybersecurity?

A widely cited benchmark is roughly 5 to 20 percent of the total IT budget, with the right figure depending on your industry, regulatory obligations, risk profile, and what a breach would cost you. Regulated businesses and those holding sensitive data sit toward the top of the range. Treat the percentage as a sanity check on a number you build bottom-up from your actual assets and risks, not as a target to hit.

What is the first step in creating a cybersecurity budget?

Inventory what you are defending and what you already spend. List your data, systems, devices, and applications ranked by value, then catalog the security controls you already pay for, even informal ones like bundled email filtering or router firewalls. Most companies starting "from scratch" are not actually at zero, and this two-part inventory is the foundation every later budgeting decision depends on.

Why is a risk assessment important for budgeting?

A risk assessment converts a list of assets into a ranked list of risks, weighed by how likely each threat is and how bad its impact would be. You fund risks in priority order, so the assessment is what directs money to the exposures that actually matter instead of to a fashionable tool addressing a risk you do not carry. It produces the prioritized list the rest of the budget spends against.

What should a small business spend on first?

Start with the foundational controls that cut the most risk per dollar: multi-factor authentication to stop stolen credentials, endpoint protection against malware and ransomware, and tested backups so an incident does not become a catastrophe. Email security, patching, and security awareness training follow closely. Buy for a mapped risk rather than a feature list, and configure tools you already own before purchasing new ones.

Should a cybersecurity budget include staff or outsourcing?

Yes. Tools that nobody watches catch far less than tools someone actively monitors, so the budget has to fund the people who run them. Security talent is scarce and expensive, so many small businesses get more coverage per dollar by outsourcing monitoring and response to a managed provider rather than hiring a full team. Budget for whichever staffing model you choose: in-house, outsourced, or a blend.

Does a small business need to budget for cyber insurance?

Increasingly yes, especially if clients or partners require it or you handle regulated data. Cyber insurance funds response and recovery after an incident, and the underwriting process itself reveals which controls you are missing. Budget both the premium and the controls the policy requires, since insurers expect baseline protections like multi-factor authentication and tested backups before they will cover you.

The bottom line

Creating a cybersecurity budget from scratch is not a shopping problem; it is a risk problem with a price attached. The companies that get it wrong buy tools by reflex and discover the gaps during an incident. The ones that get it right work in order: inventory the assets and the spend you already have, assess and rank the risks, map a costed control to each top risk, fund the people and compliance the tools depend on, and reserve something for the response you hope never to use. Check the total against the 5 to 20 percent of IT benchmark as a gut check, but let the risk list, not the percentage, decide the number. Done that way, every line item traces to something you are actually defending, which is both the cheapest way to spend on security and the only argument that reliably gets the budget approved.
