If you have asked your peer network “what should we be spending on IT?” you have probably gotten answers ranging from 1.5% of revenue to 8%. Both numbers are technically true. Both are also nearly useless for actual budgeting.
Here is the problem with revenue-as-denominator: a 30-person professional services firm doing $20M in revenue and a 30-person manufacturing firm doing $4M have wildly different revenue numbers but nearly identical IT footprints. The endpoints, the identity surface, the security obligations — they are indifferent to your top line.
The defensible denominator is employees (more precisely, managed identities, but for most growing companies headcount is a close-enough proxy). And the defensible answer, based on Gartner, IDC, Spiceworks, and our own client cohort, falls into a much narrower range than you would guess.
The number, before the caveats
For a growing company between 1 and 500 employees, total annual IT spend per employee — including endpoints, software licenses, security, support, and cloud infrastructure but excluding specialized industry-specific software — typically runs:
- $2,400 – $4,800 per employee per year for a leanly-run firm with productized infrastructure (where we live)
- $4,800 – $7,200 per employee per year for a typical firm with a mid-tier MSP and standard-issue tooling
- $7,200 – $12,000 per employee per year for firms with in-house IT staff, premium tooling, or compliance-heavy industries (regulated finance, healthcare, government contractors)
- Heavy $7,200 – $12,000 / employee / year
- In-house IT staff Salary + benefits + tooling
- Compliance-heavy CMMC, HIPAA, regulated finance
- Premium tooling Top-tier per-seat licenses
- Standard $4,800 – $7,200 / employee / year
- Mid-tier MSP Reactive ticket-based service
- Standard tooling Best-of-breed not consolidated
- Some compliance SOC 2 in pursuit
- Lean $2,400 – $4,800 / employee / year
- Productized infrastructure Where goCloudOffice lives
- Consolidated tooling One management plane
- Outcome-priced support AI-led, human-escalated
Move down the stack by consolidating tooling and shifting to outcome-priced support. Move up by hiring in-house or carrying heavier compliance obligations.
Why the spread? Three things move the number more than anything else: in-house staffing decisions, regulatory exposure, and tooling discipline.
What actually drives the number
In-house vs. outsourced
A single in-house IT generalist costs $130,000+ fully loaded (salary + benefits + recruiting amortization). At our 30-person example, that is more than $4,300 per employee per year for just one person — before any tooling, before any 24-hour coverage, before any specialization. By 75 employees, you can probably afford a real two-person team. Below that, outsourcing wins on capability and cost both.
Regulatory exposure
A SOC 2-pursuing company spends roughly 15-25% more on IT than a non-compliant peer of the same size, because the same tasks now need evidence. HIPAA covered entities run higher again. Government contractors with CMMC obligations can run double. All of that spend is purposeful — it is the table stakes for selling into those markets.
Tooling discipline
The difference between a well-run and a poorly-run IT shop, at any size, is mostly tooling consolidation. Companies that run 4 separate vendors for what should be 1 integrated stack pay more for less coverage. The number that matters here is the cognitive surface area — how many windows you have to keep open in your head to know the state of play — rather than per-license cost.
The math you can defend
Here is a model you can present to your board with numbers that hold up to scrutiny:
| Component | Per-employee annual range | Notes |
|---|---|---|
| Endpoint (laptop refresh amortized) | $700 – $1,200 | 3-year refresh; mid-range business laptop |
| Productivity suite (M365 / Google) | $180 – $480 | Per-seat licensing, mid to premium tier |
| Endpoint management + security + support | $225 – $300 | The 360SmartIT Department range per computer per year, annual prepay to month-to-month; cloud-backup + MDR add-ons can take it to roughly $475 – $640 |
| Backup + disaster recovery | $60 – $120 | Cloud backup, business-grade |
| Compliance evidence collection | $0 – $400 | Driven by regulatory posture |
| Industry-specific software | varies wildly | Excluded from this analysis |
| Network + connectivity (per location) | varies by size | Allocated separately |
| Subtotal (typical) | $1,165 – $2,500 | The “blocking and tackling” |
That is IT spend you would recognize. Add salaries-or-outsourced-services on top:
| Path | Per-employee per year |
|---|---|
| Outsourced (productized) | $225 – $300 (the 360SmartIT Department range above already includes this) |
| Outsourced (traditional MSP) | $1,200 – $2,400 |
| In-house team (at 75+ employees) | $1,500 – $3,500 amortized |
Sum the rows: total IT for a 30-person growing firm should rationally land somewhere between $2,400 and $5,000 per employee per year. Below $2,400 and you are underinvesting in something — usually security or backup; above $7,000 and there is likely consolidation work to do.
What this number is and is not
- It is a check, rather than a target. If you are far outside this band, ask why — there might be a great reason (you sell into healthcare, you have a custom-built product, your security posture is genuinely worth the premium) or there might be a budget hole.
- It is not a percentage of revenue. We deliberately lead with per-employee math, even though the press loves “industry IT spend at 4.2% of revenue!” headlines. Revenue is the wrong denominator for SMBs.
- It is an input rather than a decision-making framework. The decision-making framework is what outcomes you are buying with the spend — uptime, security posture, compliance readiness, support quality.
What we tell our clients
When we onboard a new GCO client, we benchmark them against this model in the first 30 days. Most fall within the typical range; some are notably high (usually because of vendor sprawl that consolidation will fix); a few are notably low (almost always because their security posture is undefended). Either way, the number tells us where to start.
If you would like the same benchmark applied to your firm’s IT spend, the build flow gives you the productized-outsourced number for your size and industry. Compare against your current run rate. The delta tells you something useful either way.