If you’ve asked your peer network “what should we be spending on IT?” you’ve probably gotten answers ranging from 1.5% of revenue to 8%. Both numbers are technically true. Both are also nearly useless for actual budgeting.
Here’s the problem with revenue-as-denominator: a 30-person professional services firm doing $20M in revenue and a 30-person manufacturing firm doing $4M have wildly different revenue numbers but nearly identical IT footprints. The endpoints, the identity surface, the security obligations — they don’t care about your top line.
The defensible denominator is employees (more precisely, managed identities, but for most growing companies headcount is a close-enough proxy). And the defensible answer, based on Gartner, IDC, Spiceworks, and our own client cohort, falls into a much narrower range than you’d guess.
The number, before the caveats
For a growing company between 5 and 500 employees, total annual IT spend per employee — including endpoints, software licenses, security, support, and cloud infrastructure but excluding specialized industry-specific software — typically runs:
- $2,400 – $4,800 per employee per year for a leanly run firm with productized infrastructure (where we live)
- $4,800 – $7,200 per employee per year for a typical firm with a mid-tier MSP and standard-issue tooling
- $7,200 – $12,000 per employee per year for firms with in-house IT staff, premium tooling, or compliance-heavy industries (regulated finance, healthcare, government contractors)
Why the spread? Three things move the number more than anything else: in-house staffing decisions, regulatory exposure, and tooling discipline.
What actually drives the number
In-house vs. outsourced
A single in-house IT generalist costs roughly $90,000 – $120,000 fully loaded (salary + benefits + recruiting amortization). At our 30-person example, that’s $3,000 – $4,000 per employee per year for just one person — before any tooling, before any 24-hour coverage, before any specialization. By 75 employees, you can probably afford a real two-person team. Below that, outsourcing wins on both capability and cost.
Regulatory exposure
A SOC 2-pursuing company spends roughly 15-25% more on IT than a non-compliant peer of the same size, because the same tasks now need evidence. HIPAA covered entities run higher again. Government contractors with CMMC obligations can run double. None of that is wasteful — it’s table stakes for selling into those markets.
Tooling discipline
The difference between a well-run and a poorly-run IT shop, at any size, is mostly tooling consolidation. Companies that run 4 separate vendors for what should be 1 integrated stack pay more for less coverage. The number that matters here isn’t the per-license cost; it’s how many windows you have to keep open in your head to know what’s happening.
The math you can defend
Here’s a model you can present to your board with numbers that hold up to scrutiny:
| Component | Per-employee annual range | Notes |
|---|---|---|
| Endpoint (laptop refresh amortized) | $700 – $1,200 | 3-year refresh; mid-range business laptop |
| Productivity suite (M365 / Google) | $180 – $480 | Per-seat licensing, mid to premium tier |
| Endpoint management + security + support | $250 – $500 | The 360SmartIT range, before volume tiers |
| Backup + disaster recovery | $60 – $120 | Cloud backup, business-grade |
| Compliance evidence collection | $0 – $400 | Driven by regulatory posture |
| Industry-specific software | varies wildly | Excluded from this analysis |
| Network + connectivity (per location) | varies by size | Allocated separately |
| Subtotal (typical) | $1,190 – $2,700 | The “blocking and tackling” |
That’s IT spend you’d recognize. Add salaries-or-outsourced-services on top:
| Path | Per-employee per year |
|---|---|
| Outsourced (productized) | $250 – $500 (the 360SmartIT range above already includes this) |
| Outsourced (traditional MSP) | $1,200 – $2,400 |
| In-house team (at 75+ employees) | $1,500 – $3,500 amortized |
Sum the rows: total IT for a 30-person growing firm should rationally land somewhere between $2,400 and $5,000 per employee per year. Below $2,400 and you’re underinvesting in something — usually security or backup; above $7,000 and there’s likely consolidation work to do.
What this number is not
- It’s not a target. It’s a check. If you’re far outside this band, ask why — there might be a great reason (you sell into healthcare, you have a custom-built product, your security posture is genuinely worth the premium) or there might be a budget hole.
- It’s not a percentage of revenue. We deliberately don’t lead with that, even though the press loves “industry IT spend at 4.2% of revenue!” headlines. Revenue is the wrong denominator for SMBs.
- It’s not your decision-making framework. It’s an input. The decision-making framework is what outcomes you’re buying with the spend — uptime, security posture, compliance readiness, support quality.
What we tell our clients
When we onboard a new GCO client, we benchmark them against this model in the first 30 days. Most fall within the typical range; some are notably high (usually because of vendor sprawl that consolidation will fix); a few are notably low (almost always because their security posture is undefended). Either way, the number tells us where to start.
If you’d like the same benchmark applied to your firm’s IT spend, the build flow gives you the productized-outsourced number for your size and industry. Compare against your current run rate. The delta tells you something useful either way.