2020 security priorities: Pandemic changing short- and long-term approaches to risk

Security planning and budgeting is always an adventure. You can assess current risk and project the most likely threats, but the only real constant in cybersecurity risk is its unpredictability. Layer a global pandemic on top of that and CISOs suddenly have the nearly impossible task of deciding where to request and allocate resources in 2021.

IDG, CSO’s parent company, released its Security Priorities Study in November. Its goal is to show how the COVID pandemic has changed what security focuses on now and what will drive security priorities and spending in 2021. Based on a survey of 522 security professionals from the US, Asia/Pacific and Europe, the study reveals how the pandemic has changed the way organizations assess risk and respond to threats—permanently.          

Looking at risk in a new light

Threat actors have amped up their attacks in the wake of the pandemic. They know that many people are now working remotely and are likely more vulnerable. The study found that 36% of security incidents in the past year involved phishing attacks aimed to access corporate date, for example.

Attackers also know that the disruption caused by moving workforces to home offices might have distracted security and IT teams. Respondents reported that 29% of security incidents involved unpatched software vulnerabilities, and enterprise-level organizations claimed that 34% of security incidents stemmed from misconfigured services or systems. It is hard to know, however, whether those maintenance lapses would have occurred without the pandemic.

As companies change their technology and security systems to adjust to these threats, attackers in turn are expected to change their tactics to pinpoint new weaknesses. As a result, organizations are reviewing their risk evaluation and response strategies. Sixty-two percent of the IDG survey respondents said they expect the pandemic to affect their approach to risk.

Most (87%) believe their organization falls short in addressing cyber risk. More specifically, 31% believe their risk response efforts are under-funded. Thirty percent said security is not always addressed during application development. About 25% say there is not enough security training for users.

The top way in which they will respond is investing in more people to enable their response to risk (43%). Thirty-eight percent said they will spend more on response planning, while 30% will update and modernize business continuity plans.

Will the COVID pandemic increase security budgets? Maybe

Interestingly, the concern over the ability to address post-pandemic risk will not necessarily mean bigger security budgets next year. While 41% of respondents expect their overall security budgets to rise in 2021, only 33% believe it will be due to COVID. In fact, 24% of respondents say they will see a smaller-than-expected security budget because of the pandemic. Of the remainder, 53% expect security budgets to be unchanged and 6% expect a decrease.

Respondents cited several factors that drive their decisions around how they will spend their security budget. Best practices (61%) and regulatory compliance (59%) are by far the leading spend factors. Best practices are a bigger driver (70%) for small- to mid-sized businesses (SMBs), while compliance is more important to enterprises (62%). Spending on workforce and business changes caused by the pandemic affect enterprises more than SMBs (47% versus 42%).

Whether the budget goes up or down, the largest item for which security leaders will spend is on personnel (23% on staff, 8% on consultants). Systems, software and services make up the bulk of security spend with 19% going toward on-premises infrastructure and equipment, 17% to on-premises tools and software, and 12% toward cloud-based security services.

Pandemic technology winners

The pandemic has created new challenges or magnified old ones for security teams. This has caused many organizations to evaluate new security technologies or accelerate planned deployments of others. Now, security must protect widely dispersed endpoints and deal with increased and evolving threats to their networks. They need tools that can better control access, identify threats, and help them better manage their security infrastructure. These are the technologies the IDG study respondents said they are evaluating or implementing.

Zero trust Zero trust promises better access control across all devices and locations. Prior to the pandemic, many companies were already evaluating or piloting zero-trust solutions, if not actually deploying them. Now, more organizations are giving it a hard look. Twenty-eight percent of respondents said they were either piloting zero trust or had it in production, up from 19% last year, and 40% say its on their radar or they are evaluating options.

Deception technology Deception technology fools attackers into believing they are accessing real data and systems when they are actually accessing dummy data and fake networks. These tools can also alert security teams to threats and help analyze the threat. This buys valuable time in the event of a breach and acts as a force multiplier for security teams by automating tasks. About a third (32%) of respondents said they are researching deception technology.

Authentication solutions An increase in remote work, sometimes on devices not owned by an organization, has increased focus on authentication policies and tools. Companies are implementing multi-factor and role-based authentication at a faster pace, and in many cases that means changing or updating authentication systems, which 32% of respondents said they will invest in for the coming year.

Cloud and evaluation services As priorities shift due to the pandemic, companies are re-assessing their security functions and services. That includes outsourcing some of them in the name of efficiency and cost savings. Twenty-two percent of respondents said they plan to or currently outsource cloud monitoring and cloud data protection, as well as security evaluation services such as penetration testing, risk assessments and audits.

Other areas where respondents expect to increase security spend are access controls (27%) and application monitoring (25%).

Pandemic’s lasting impact on attitudes toward risk

The study’s authors predict that it could take another year for organizations to return to pre-pandemic security strategies, but maybe with changes for the better. “Security leaders’ reaction to risk will never be the same,” they wrote in the report, “but the rapid pivot to new security priorities in the wake of COVID-19 has organizations improving the protection of confidential and sensitive data and increasing security awareness for employees and partners.”