Cyber is drawing real investment and the big players are spending the most

Cyber security spend is increasing and becoming an investment priority across the board.

However, larger and multinational businesses have greater budget commitment, deeper specialist resourcing and more formal leadership structures.

Inclination to increase or decrease security investment appears relatively proportionate to organisation size. This could indicate that external economic pressures (which are more keenly felt by smaller organisations) are the cause for budget cuts, rather than perceived value of cyber security. 

The proportion of budget allocated to cyber security has shifted upwards in the past few years. 


In 2026, most organisations are allocating between 9% and 15% of their total IT budget to security. Larger organisations invest more heavily, typically allocating between 12% and 20% of their IT budget.

Investment alone does not equal cyber maturity

While a welcome change from the chronic levels of under-investment in the not-so-distant past, business leaders should be mindful not to assume that spending more automatically translates to better protection. 

Managing the cyber security budget predominantly falls on the Chief Technology Officer.

However, there is some interesting nuance that appears when comparing secondary choices. Rather than a direct linear progression of specialised roles scaling with organisation size, mid-sized organisations with 200-1000 employees consistently stand out. 

Mid-sized organisations invest more effectively

Typically, only organisations with under 1000 employees will have the Chief Executive Officer directly handle the budget.  

Leaving the budget to the Chief Financial Officer is relatively common across organisations, but occurs more frequently in both smaller and larger organisations than in those in the middle tier. 

And the middle bracket, surprisingly, is the most likely to have a Chief Information Security Officer (CISO) in charge of the cyber security budget and the least likely to place it in the hands of a Chief Risk Officer.

Chapter 2. Resourcing and operating model: In-house vs outsourced maturity


Want to understand how your organisation compares?

Speak with our cyber security & resilience specialists to benchmark your cyber maturity against organisations across Australia.


FAQs about cyber security investment and executive ownership

There is no one-size-fits-all cyber security budget. Investment should reflect your organisation's size, industry, risk profile and regulatory obligations. 

What RSM's research reveals is that true cyber security is not achieved through investment alone. Rather than focusing on spend, organisations should ensure cyber investment delivers measurable improvements in cyber resilience, governance and operational readiness. 

RSM's information and cyber security risk specialists can help assess whether your investment aligns with your cyber maturity objectives.

Cyber security budgets are increasing as organisations respond to a growing number of ransomware attacks, AI-enabled threats, regulatory expectations and increasingly sophisticated cyber criminals. Investment is no longer focused solely on technology; it also includes governance, employee awareness, incident response and cyber resilience.

Learn how RSM's cyber security & resilience services help organisations develop a strategic approach to cyber risk.

Cyber security is no longer solely an IT responsibility. Effective cyber governance requires accountability across executive leadership, boards, risk teams and business units. Clearly defined ownership and decision-making processes help organisations respond more effectively to evolving threats. 

Learn how RSM's risk management specialists help organisations strengthen governance and accountability.

Cyber maturity measures how effectively an organisation manages cyber risk through governance, security controls, security incident response plans and an emphasis on people, processes and technology. 

In our experience, mature organisations continually assess and improve their cyber capabilities rather than relying on technology alone. 

RSM's information and cyber security risk team can help benchmark your cyber maturity and identify practical opportunities for improvement.

Boards play a critical role in overseeing cyber risk by setting clear accountability, regularly reviewing cyber performance and ensuring cyber security is embedded within the organisation's broader risk management framework. Independent reviews, governance assessments and incident response testing can help boards gain greater confidence in organisational resilience. 

Learn more about RSM's enterprise risk management and risk advisory services.
