Data on security spending is hard to come by. That's why this recent Forrester report posted by Dark Reading is a nice treat. Unfortunately it seems like you have to cough up $995 for the full report, but the summary contains some interesting stats.
So, on to the data... IT security spending as a percentage of total IT spending is anywhere from 9.1% for small and medium-sized businesses to 11.7% for large ones. That is slightly higher than I expected, and not in line with a report by Gartner earlier last year. That report listed 5-10% for small and medium-sized businesses, and (interestingly) a lower 3-6% for large enterprises. The difference in figures could be accounted for by different definitions, but that doesn't explain the reversed correlation between spending and size.
But the ballpark figures seem right - a CompTIA survey puts this figure at 12% in 2007. I read a figure of 10% for the US government a few months ago on GCN, but the link is no longer active.
I would have liked to know how exactly they qualify security spending; after all, the big trend amongst the Microsofts, Oracles, Ciscos etc. of the world has been to integrate security directly into their product offerings. If you buy a Cisco ASA and use it as both a firewall and a VPN, is that considered purely security spending? These critical definitions are probably in the full report.
It's interesting how much data there is on security spending as a part of overall IT spending, and how little data there is on security spending as a percentage of development costs. The OWASP Security Spending Benchmarks Project plans to fill in that gap.