The new European General Data Protection Regulation came into effect on 25 May, although countries and institutions have a period of two years to prepare for its final implementation. Given this situation, and the need to comply with the regulation's requirements, one would expect companies to increase their investment in computer security. However, the picture turns out to be quite different, according to a recent report from Gartner, a technology consultancy.

The firm's experts note that security spending generally makes up between 1% and 13% of the corporate technology budget. The important thing, the analysts say, is not the size of the budget designated to secure and protect systems, but how that budget is used.

“Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programs,” explained Rob McMillan, research director at Gartner.

However, such comparisons between companies, or against sector averages, are of little use, according to the analyst. “You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable,” he warned.

According to the Gartner study, most companies continue to misuse and misinterpret IT spending figures, with projections that extend over at least the next four fiscal years.

The consultancy offers some guidelines for companies allocating future budgets. The goal is to optimize the return on their investment, which must cover the costs of hardware, software, services (such as consulting and auditing) and personnel.

To identify actual security costs, you must consider the equipment that security solutions are integrated into, updates, cybersecurity solutions and other programs and applications, outsourced services, tools to ensure privacy, and training for employees.

According to the consultancy, it is not necessary to allocate large sums of money to implement measures that ensure the security of corporate systems and data. It would be enough to spend between 4% and 7% of the technology budget, depending on how sensitive the information the company handles is and on the type of systems it already uses.