Coronavirus: Cyber security spend to slow in 2020

High demand for cyber security services and systems to protect cloud environments and remote workers during the Covid-19 coronavirus pandemic is keeping the sector going, but this is a short-term peak and, in reality, worldwide spending on security and risk management technology will slow this year, according to new statistics gathered by analysts at Gartner.

Back in December 2019, the market-watcher predicted that the cyber security market would grow by 8.7% in 2020, but at the halfway point of the year, it has now revised this down to just 2.4% for a total market value of $123.8bn (£97.04bn/€108.4bn).

“Like other segments of IT, we expect security will be negatively impacted by the Covid-19 crisis,” said Gartner managing vice-president Lawrence Pingree. “Overall, we expect a pause and a reduction of growth in both security software and services during 2020.

“However, there are a few factors in favour of some security market segments, such as cloud-based offerings and subscriptions, being propped up by demand or delivery model. Some security spending will not be discretionary and the positive trends cannot be ignored.”

Gartner now predicts that the cloud security market will see by far and away the greatest growth this year, at 33.3%, with most other markets within the sector, such as data security, application security, and identity and access management, up somewhere between 5% and 10%. Sales of consumer security software will drop by 0.2%, and network security equipment – firewalls and intrusion detection and prevention – will be down 12.6%, it says.

Pingree said the shift to cloud-based delivery models, as evidenced in the statistics, made the security market somewhat more resilient to the Covid-19 downturn than other sectors. It noted an average of 12% of overall security deployments were cloud-based last year, and well over 50% in secure email and web gateway services.

Piers Wilson, head of product management at Huntsman Security, said the jump in cloud- and remote working-related deployments was little surprise as businesses rushed to transition to new models of working during the pandemic, but he said too many had not really paid attention to whether or not they were fully secure.

“Add to this the fact that spending on security in the post-lockdown recession is likely to be lower than planned and there is a perfect storm for increasing the risk of breaches taking place in the near future,” he added.

“Internal audits, consultancy projects and third-party assurance activities have all been delayed, cancelled or rearranged, in many cases into reduced timescales or with less focus.

“The reality of belt-tightening and spending constraints is in stark conflict to this increased risk and the higher reliance in many businesses on their technology platforms, for customers, online sales and their own staff working. The risk and regulatory expectations have not lessened, so security infrastructure and the processes that are in place to manage controls still need to be robust.”

Wilson added: “It might look as though things have quietened down from a cyber security perspective compared to the beginning of the pandemic, but the fact is that the risk is as high today as it was three months ago – if not higher.”

Amanda Finch, CEO of the Chartered Institute of Information Security Professionals (CIISec), said: “The slowdown Gartner has forecast shows us was to be expected, as organisations have tightened their belts to get through this indeterminate period of reduced activity. While it is positive to see some continued growth throughout 2020 – however small – a recession is still seemingly inevitable, given the economic damage the virus has already caused.

“Budgets will be stretched even tighter in the near future and cutbacks in some sectors will be brutal. Simultaneously, this won’t stop attackers, who will see this as a golden opportunity. As such, with this tightening of purse-strings, security teams will need to do more with less. That might mean automating key business processes, or relying on upstream service providers that can provide essential capabilities more cost-effectively.

“However, as these approaches can also open new avenues for attackers, security teams will need to develop creative new ways to shut down these opportunities. This may be as simple as increased collaboration, as security researchers use new ways to share potential threats and processes – especially as the chances to meet in-person are likely to become rarer.

“Or it may mean automating as many security processes as possible, while still keeping an essential level of human decision that removes the ability of attackers to predict and identify weaknesses.”