According to ESG research, 62% of organizations were poised to increase spending on cybersecurity in 2020. Thirty-two percent of survey respondents said they would invest in cybersecurity technologies using AI/ML for threat detection, followed by data security (31%), network security (30%), and cloud application security (27%).
Of course, that was back in the innocent and carefree days before COVID-19. Have things changed? Yes, and seemingly overnight. Like society at large, the cybersecurity world's priorities, strategies, and tasks have been turned upside down.
I reached out to some CISOs and industry beacons this week to get their account of what's happening. My first observation is it’s difficult to get CISOs on the phone right now as they are heads down trying to secure the new reality. But I did manage to get a few on the line; here’s a synopsis of what they said:
- Big projects have been postponed indefinitely. Large organizations tend to have a few cybersecurity projects that require engineering, piloting, and cooperation with IT operations. Think of things like reengineering the security data pipeline, data discovery/classification/security across the enterprise, or IAM initiatives like identity federation. With everyone working remotely, these projects have been tabled for now—even if they were already progressing.
- It’s all about securing remote users. This one is obvious, but it’s also the reason why CISOs are so busy. The mandate from executives was to get employees up and running first and then address security afterward. CISOs have been fighting “bolt on” security cycles like this for years, but the virus has forced security teams to work uphill to catch up. This means on-the-fly risk assessments, controls adjustments, and lots of work in tandem with IT and network operations teams.
- An immediate search for “quick wins.” CISOs are finding and patching holes as quickly as they can. In some cases, this means they are starting from scratch as they quickly ramp up product research, purchasing cycles, testing, piloting, and deployment. Despite this workflow, CISOs are looking for tools that can be easily installed and configured to mitigate new risks.
Budgets haven’t been cut yet and CISOs really don’t have time right now to deal with paper pushing. Rather, security teams are grabbing money as they can to address the new reality. Some of the emergency purchasing needs include:
- Endpoint security controls. There are two priorities here: providing network access and blocking malware. This equates to VPN clients and antivirus software—especially for employees sharing their systems with family members. Some are also looking at asset and operations management tools (a la Tanium) to turn unmanaged home PCs into managed short-term corporate assets.
- Mobile device security. This was on the to-do list at the beginning of the year. Now that executives, high-value employees, and privileged account managers are working from home, mobile device security efforts have become a high priority.
- Network security. CISOs are defaulting to VPNs to deal with a work-from-home population that grew from 20% to greater than 80% of employees in a matter of weeks. In some cases, basic VPN access has superseded more thorough zero-trust access projects that require time and planning for things like policy management. VPN growth is accompanied by the need for more firewall and other gateway appliances. Finally, I’m seeing increasing interest in secure DNS services, which are also perceived as a quick win.
- Simple multi-factor authentication (MFA). Organizations that have success with MFA in small pockets are expanding these efforts as high-value employees migrate from office cubicles to their home offices. Again, the goal is to bolster security first and then fine-tune policies over time.
Some final observations:
- The degree of cooperation between security and IT/network operations is unprecedented, with lots of things happening simultaneously.
- CISOs aren’t doing a lot of shopping. Rather, they are working with trusted partners to get things done quickly. This will impact startups.
- CISOs have asked their staff to do what they can to increase end-user monitoring. They are also working with HR on “crash course” security awareness training. Those that have synthetic phishing tools have increased activity here as well.
- Data security remains a big issue as there aren’t really any quick fixes. This is one of the reasons for increased end-user monitoring.
- Before COVID-19, many organizations did not configure endpoint security tools in the maximum protection setting for fear of disrupting users with false positives or reduced performance. Some of the CISOs I talked with have mandated a change in this policy, reconfiguring endpoint security tools for maximum protection everywhere.
- CISOs are asking trusted vendors for help. In some cases, they are discovering security product capabilities and free features and services they were unaware of. Who knew?