The Covid-19 coronavirus pandemic has highlighted fundamental gaps and failings in organisational attitudes to cyber security, with the result that security projects are receiving increased attention and budget across the board, according to the latest, updated edition of the TechTarget/Computer Weekly IT Priorities 2020 survey.
At the beginning of 2020, risk management and compliance were seen as the top spending priorities for CISOs, and while this remains a key area of focus, much has changed.
According to the new data, which was compiled in September and October 2020, with two exceptions, the most widespread IT projects all related to security and data protection, with end-user security training, governance, risk and compliance tools, and multifactor authentication the top current projects.
CIOs are also focusing heavily on vulnerability management, fraud detection systems and tools, identity and access management (IAM), and disaster recovery.
A total of 77% of respondents said investment in security and risk management was easier to justify since the pandemic began – while 71% said the same of backup and disaster recovery solutions – and the data clearly shows that, given the fundamental changes to the enterprise network and IT estate wrought by the sudden, sustained transition to remote working, the value of security has become increasingly apparent in boardrooms.
Santha Subramoni, head of cyber security solutions and centres of excellence at Tata Consultancy Services, said the pandemic had “forced transformation” for security professionals.
“In 2020, we saw Covid-19 force organisations to upgrade infrastructure they had been putting off for years,” she said. “This includes modernising security controls, developing a remote working culture, and educating employees on the importance of being vigilant.
“The trend of forced transformation will progress, but it was, and will continue to be, a series of positive changes that are helping us future-proof and evolve.
“We are now working and living in a boundaryless environment where end-user devices have become part of the enterprise ecosystem and, as a byproduct, vulnerabilities and entry points have increased.”
Looking ahead to 2021, a key theme in the refreshed TechTarget/Computer Weekly data is increased interest in people-centric security, with investment priorities for the next 12 months now fixed firmly on end-user training and securing endpoints.
Asked which compliance or risk-based security initiatives they planned to deploy in the next 12 months, 49% planned to spend on training, 45% on governance, risk and compliance tools, 30% on fraud detection systems and tools, including identity verification and risk assessment, 25% on zero-trust initiatives, and 13% on digital forensics.
When asked about cloud, network and application security spending, 33% planned to spend on vulnerability management, 25% on cloud security, 25% on threat detection and management, 23% on VPN and network access control, 23% on network traffic analysis, and 20% on web security.
Asked about operational security, endpoint and IoT (internet of things) security initiatives, 27% said they planned to spend on endpoint security, 23% on encryption, 22% on security analytics, 22% on mobile device security, 22% on email security, and 21% on data loss prevention.
Asked about identity security plans for 2021, 43% of buyers cited multifactor authentication, while 30% planned to spend on identity management, 29% on access management, and 25% on privileged identity and privileged account management.
From a data protection standpoint, 32% planned to spend on disaster recovery and 27% on business continuity tools. Highlighting the other emergent security trend of 2020 – ransomware – 19% said they had plans to spend on ransomware protection initiatives.
In spite of this, a heavily fragmented landscape of traditional, next-generation and cloud-centric tools is posing a challenge to both buyers and sellers of cyber security technology, the data suggested.
Dorit Dor, Check Point’s vice-president of products, said that dealing with the pandemic’s impact on the world of cyber security will continue to be a key focus for IT teams in 2021.
“The Covid-19 pandemic derailed business-as-usual for virtually every organisation, forcing them to set aside their existing business and strategic plans, and quickly pivot to delivering secure remote connectivity at massive scale for their workforces,” she said.
“Security teams also had to deal with escalating threats to their new cloud deployments, as hackers sought to take advantage of the pandemic’s disruption: 71% of security professionals reported an increase in cyber threats since lockdowns started.”
Dor added: “One of the few predictable things about cyber security is that threat actors will always seek to take advantage of major events or changes – such as Covid-19, or the introduction of 5G – for their own gain. To stay ahead of threats, organisations must be proactive and leave no part of their attack surface unprotected or unmonitored, or they risk becoming the next victim of sophisticated, targeted attacks.”
Check Point, which this week shared its own thoughts on security trends for 2021, said security teams needed to be ready for a series of different “new normals”, and focus on enforcing and automating threat prevention at all points of the corporate network. Dor noted that automation could well become a critical spending area, given the ongoing cyber security skills shortage.