Gartner has forecasted worldwide security and risk management spending growth to slow but remain positive in 2020.
Worldwide spending on information security and risk management technology and services will continue to grow through 2020, although at a lower rate than previously forecast, according to Gartner.
Information security spending is expected to grow 2.4% to reach US$123.8 billion in 2020. This is down from the 8.7% growth Gartner projected in its December 2019 forecast update. The Coronavirus pandemic is driving short-term demand in areas such as cloud adoption, remote worker technologies and cost saving measures.
“Like other segments of IT, we expect security will be negatively impacted by the COVID-19 crisis,” said Lawrence Pingree, Managing Vice President at Gartner. “Overall, we expect a pause and a reduction of growth in both security software and services during 2020.
“However, there are a few factors in favour of some security market segments, such as cloud-based offerings and subscriptions, being propped up by demand or delivery model. Some security spending will not be discretionary and the positive trends cannot be ignored,” said Pingree.
The ongoing shift to a cloud-based delivery model makes the security market somewhat more resilient to a downturn, with an average penetration of 12% of overall security deployments cloud-based in 2019, according to Gartner research. Cloud-based delivery models have reached well above 50% of the deployments in markets such as secure email and web gateways.
Networking security equipment including firewall equipment and intrusion detection and prevention systems (IDPS) will be most severely impacted by spending cuts this year. Consumer spending on security software is also forecast to decline in 2020.
We hear from a number of experts who offer their opinions on the matter.
Bharat Mistry, Principle Security Strategist at Trend Micro: “COVID-19 has already forced major changes on organisations around the world. CISOs have most likely been spending most of their time in recent weeks trying to close any security gaps in new remote working processes. The situation is still uncertain which can make strategic planning a challenge. But the good news is that with the right technologies and policies to hand, there’s no reason why distributed workforces should drive significant new cyber-risk for these organisations.
“So, what does best practice security look like in a new era of remote working? It must include endpoint monitoring or patch and asset management tools, to generate visibility into all home working machines and keep them updated and secure. If users aren’t on corporate laptops, they should have endpoint security vetted and enhanced if necessary. A whitelist of approved, enterprise-grade video conferencing/collaboration platforms will further reduce cyber-risk.
“We often talk about employees remote working under lockdown, but let’s not forget that most IT staff have to as well. That’s why CISOs may want to migrate to virtual Security Operation Centre (SOC) set-ups. In fact, this could be a new opportunity to create a truly 24/7 operation that breaks free of the usual 9-5 constraints, by using staff working across the globe. The only caveat is trust.
“In the longer term, staff security training and awareness-raising is essential. Real-world simulation exercises should be run during lockdown for all remote working staff, using some of the latest COVID-themed phishing lures spotted in the wild. Once staff are finally allowed to return to their offices in greater numbers, a new wave of training must begin.
“Threat levels remain elevated as cybercriminals target distracted employees and IT staff, and remote access infrastructure. That could force CISOs to take a fresh look at security solutions that offer greater automation and advanced capabilities like Machine Learning, cross-domain correlation and data analytics. It’s about catching threats faster, more effectively and potentially with fewer IT security staff available to manage controls.
“CISOs must drive home the message whenever they get the chance – that information security is a business-wide responsibility and not just in the IT department’s sphere of influence. That means security budget should be considered outside the normal IT budget. Depending on organisational culture, this may be a difficult sell. But the events of recent weeks present an opportunity to articulate how important technology is to ongoing business operations — and how, if mismanaged, security issues can have a huge impact on business risk.”
Rory Duncan, Security GtM Leader, UK, NTT Ltd: “According to NTT’s global 2019 Risk:Value report which explores why organisations are failing to make progress with their security, security budgets are failing to keep up with increasing cybersecurity risk. There has only been a minimal increase in the percentage of IT budgets attributed to security (15%), while the percentage of the operations budget attributed to security has fallen since 2018 to 16%.
“While security spending has fallen, the estimated revenue loss (following a data breach) in percentage terms is up year-on-year – 12.7% in 2019, compared to 10.3% in 2018 and 9.9% in 2017, according to the report. The cost of recovery is $1.2 million, on average.
“During the current crisis, organisations are being forced to adapt to changing circumstances and prepare for a post-COVID-19 world. With more people working from home, the focus is on trying to maintain ‘business as usual’, supporting staff in virtual work environments, complete with collaboration tools, file sharing, video and teleconferencing facilities. Security processes and systems must be in place to support this new structure and ensure people can work remotely, but securely and with confidence. As a result, it’s likely that many security projects or initiatives where budget would have been allocated may have to be put on hold.
“Ensuring the security basics are in place, such as patch management (NTT’s Global Threat Intelligence Report 2020 shows that old vulnerabilities remain an active target) and having incident response plans in place that are communicated to staff and tested on a regular basis, is critical during this time.
“Post-COVID-19 security budgets will need to consider the implications of supporting more remote workers for longer periods, and the need to put controls in place for these new working models. For example, recognising the unexpected spend to move people to remote working, and other actions to keep the business running, such as replacing BYOD or home computing kit with corporate-controlled devices, as well as the consumption models of more cloud-based services. There’s also the question about how much office space is needed in the future, and for whom.
“Reverting back to my opening comments about allocation of budgets for security, what’s really interesting is the fact that a global pandemic has changed the way most of us work. Despite all the disruption, changes and adjustments we have had to make, businesses have continued to function and security has been an important part of this. This will help CISOs in their board-level conversations when it comes to securing budget – it’s not just security, it’s business investment.”
Robert Huber, CISO at Tenable: “As organisations face a potentially lengthy period of economic uncertainty, it becomes more critical than ever to review all areas of the business, particularly financial commitments. While it may be possible to reduce costs in some areas, the recent shift to address the immediate change in working practices driven by the global pandemic, but also the way organisations continue to operate in the coming weeks, months and years, may mean security budgets need to be revised and investment made. However, blindly throwing money at the problem isn’t the answer and may actually leave the organisation vulnerable to unaddressed risk.
“Hopefully, organisations have performed an enterprise risk management exercise to bring clarity to business risks. What is revealed in the process will help the entire organisation understand how to best prioritise resources — both human and financial — to keep the business running, even during times of crisis. Was an economic downturn or pandemic listed in the organisation’s top risks? Generally, organisations must develop mitigation plans to address top enterprise risks.
“A thorough business impact analysis (BIA) of all systems and processes will determine which are critical to the organisation, and those it can least afford to live without, to identify and focus effort on real rather than theoretical business risks.
“Finally, a security risk survey to gather the viewpoint of key stakeholders within the organisation should be sought — typically senior director level and above — and include representatives from all of the major departments in the organisation, including finance, legal, human resources, Information Technology, Information Security, sales, operations, marketing and R&D.
“The BIA and security risk survey are used to hone in on, or prioritise, critical functions, assets, services, people and locations. Evaluating these risks based on potential impact and likelihood will highlight where security leaders should be focusing their resources.
“All risks are then presented to executives to finalise the top risks, assign executive risk owners, prioritise effort and determine the financial investment necessary but also demonstrate the impact it has.
“Performing the above steps is a painstaking exercise that yields a high degree of benefit by giving a clear set of priorities including an agreed-upon list of major-, moderate- and low-risk processes or functions. As an example, major-risk systems are those which, if taken offline for four hours or less, could cause harm in any key enterprise risk categories: strategic and reputational; operational; financial; legal and compliance; and human resources (people and culture). It’s also important to define the maximum allowable outage (MAO) for each of the risk levels.
“Understanding the systems based on this type of business risk calculus not only serves as the foundation for cybersecurity strategies, it becomes essential as the organisation builds out Business Continuity, disaster recovery and crisis management playbooks.
“When a business continuity event occurs, the organisation will be prepared. Even if a specific event is not anticipated, the organisation can quickly run through the process with the event in question to adjust risk posture and resources across the enterprise.”
Anna Collard, MD at KnowBe4 Africa: “The World Bank predicts a global GDP contraction of 5.2% in 2020. Many organisations thus are focusing on cost savings and cancelling or postponing planned investments. Facilities and general capex are most affected, but it has also had an impact on IT and technology spend. For example, organisations severely affected by the lockdown, such as those in the brick and mortar retail and hospitality industries, are cancelling or defaulting on some of their IT supplier’s contracts to pay staff’s salaries.
“However, there is some silver lining. According to a June PWC survey across 989 CFOs from 23 countries, 52% of the respondents reported that they will make remote work a permanent option. CFOs in Africa (67%) are more likely than the global average to accelerate automation. A total of 75% of the CFOs surveyed say the increased flexibility and resiliency developed during the crisis will make their organisation stronger over the long term. Cybersecurity is one of the areas least affected by cost saving exercises, noted at just 3% according to the report.
“I had the pleasure of speaking to Hosea, the CISO at Stanbic Uganda during a panel discussion at the Africa Cyber Security Culture conference held earlier this month. According to Hosea, the pandemic has helped leapfrog security investments that would have taken much longer to get management approval for prior to COVID-19. Many of the speakers and panellists shared his view that the pandemic had a positive impact on both Digital Transformation and cybersecurity investment.
“A common thread throughout the conference and the result of research conducted by Orange Cyber Defense was that basic security failures such as poor patching as well as not addressing people’s behaviour are some of the root causes most often linked to security breaches. People right now are more vulnerable as they are in a state of heightened psychological stress. Security teams have less control over the systems they are supposed to protect, for example, personal devices and home Wi-Fi routers. Many had to rush into setting up remote work infrastructure without the necessary planning and testing. Security budgets had to be re-prioritised to improve the technologies and processes of their remote working infrastructures and to make these stable and secure for the long run.
“With budgets under greater pressure, CISOs need to construct resilient and data-driven cybersecurity programmes based on a deeper understanding of the risks their organisations are exposed to.
“According to ESI ThoughtLab’s report published in June 2020, successful CISOs and effective cybersecurity leaders rely heavily on advanced analytics, conduct frequent cyber-risk scenario analysis, invest more in security culture and end-user awareness training coupled with frequent phishing simulations, and make cybersecurity hygiene, such as patching, a top priority.”
Alain Sanchez, EMEA CISO, Senior Evangelist at Fortinet:
The black swan of 100% remote working
“Even the most far-sighted of business leaders did not see it coming. No contingency plan that I know of had forecasted that almost the entire workforce was grounded in just a couple of days. Even telcos whose transport practices earned them the terminology of carrier-grade, were initially taken by surprise. But very rapidly, the importance of securing these traffics that were literally business critical, emerged as the immediate priority. Security could not be traded for connectivity and the irresponsible hackers that squeezed themselves into video conferences that did not implement the full authentication options, did the digital world a favour by accelerating a security wake-up call. Moreover, the confinement made the need for a holistic approach of cybersecurity even more obvious. In two weeks, secure remote working became the most popular topic in those corporate e-meetings that intended on taking emergency investment steps. Fortinet, for instance, saw its SD-WAN revenues grow significantly; already recognised by the Omdia report as the fastest growing vendor among all other SD-WAN vendors, Fortinet reported 305% year-over-year growth in the SD-WAN area. This massive adoption of the holistic approach of cybersecurity incarnated by the Fortinet Security Fabric, says a lot about the maturity leap created by the recent crisis; business leaders are massively adopting the idea that cybersecurity has to be thought as a whole and not any more as a mosaic of isolated point-solutions. The times of disjointed and budget-consuming ‘Best of Breed’ are over.”
Orchestration, the big brother of automation
“Now a question remains, is this huge demand for broader, integrated and automated cybersecurity platforms a sign that the entire IT budget is about to grow in the same proportion? Although it is still a bit early to jump to conclusions, it seems that the raise of holistic cybersecurity platforms might happen as part of a rationalisation trend. I see more and more of these charts where the plethora of logos once seen as a security insurance is now depicted as unnecessary complexity. And rightly so, the gap is broadening between the sophistication of the threat and the cybersecurity headcount. For this reason, organisations are more and more attracted by the promise of automation and his big brother, orchestration. Their reasoning is simple: too many products lead to too many alerts which puts a tremendous amount of stress on the cybersecurity staff. Investments are thus shifting towards solutions that not only enable visibility, reporting an analytics for all ‘on platform’ devices and endpoints, but also enable multi-vendor incident detection to finally lead to unified orchestration of the response across the entire infrastructure.”
Holistic does not mean monopolistic
“Business leaders hate to be locked in, so they rather invest in open, standardised solutions that offer a wide range of documented APIs and connectors, not only to ensure seamless integration but also to maintain the freedom of choice of strategic vendors such as cloud providers and Managed Security Service Providers. The same is happening in the cybersecurity world – investments are going into platforms that make openness and standardisation a core value.”