Cybersecurity Spending Hits Temporary Pause Amid Pandemic
For now, security teams face freezes in projects and hiring - and budget cuts, security industry analysts say.
Not even the red-hot cybersecurity sector is immune to the major economic downturn resulting from the global coronavirus pandemic. As parts of the world begin to gradually reopen for business as stay-at-home orders lift, many IT security teams now also face a fresh new reality of spending and hiring freezes.
The security industry currently is experiencing an overall slowdown that ultimately could shape the future direction of some security technologies and products - especially as organizations rethink how they operate in the wake of the pandemic. Security industry experts are cautiously calling it a short-term slowdown but admit there's no way to know just how long or what kind of recovery security will experience.
Forecasts are grim, at least in the short term: Gartner estimates a $6.7 billion decrease overall in global security spending in 2020 for software and services as a result of the economic impact of the pandemic, while Forrester Research has warned security teams to expect to see leaner budgets and trimming of their already-thin staffs.
Chenxi Wang, founder of cybersecurity venture capital firm Rain Capital, characterizes the slowdown as a temporary pause on an explosive growth phase. Security budgets and market growth are freezing, she says, and that's true across most of the IT sector right now. Security spending is under more intense scrutiny than before.
"CIOs are telling me if you have a new project, you have to convince the rest of the company why it's so important," she says. Older projects are likely to remain on course if they are deemed to be critical to the organization, she says.
So which security technologies are thriving or waning in the age of COVID-19? Security analysts and investors say endpoint remote-access technology got a temporary bump in the rapid, mass exodus from the office to work-from-home, prompting some organizations to purchase, for example, additional hardware for VPN connectivity and Citrix virtual machine access for remote desktops.
Meanwhile, overall endpoint security spending has dropped slightly, according to Gartner data. "It will be moderate to strong in the next several years," says Lawrence Pingree, managing vice president for TSP (Technology and Service Provider) Security Technologies at Gartner.
Unsurprisingly, more organizations are turning to cloud-based services, including some cloud-based security offerings, as well as so-called zero-trust technologies for application access. Cloud security has enjoyed modest growth during the pandemic, notes Pingree, because it's considered an operations expense, not a capital one.
"You're not going to wait 60 days for hardware to be shipped to beef up the corporate VPN for the new population of work-from-home employees," he says. "They will prefer the cloud because you can turn it on really quickly."
The fading network perimeter already had been on the decline, so hardware security and firewall appliances have been hard-hit in the pandemic, as have big projects such as identity and access management overhauls, analysts say.
Because many organizations can't populate their own data centers amid the pandemic, they're looking more at the cloud as an alternative.
"It used to be, 'Let's have a five-year plan to do cloud,' and now it's, 'Can we do it in 18 months?'" Wang says. "This pandemic is a violent shakeup of a transformation that was going to come anyway. It's now [coming] in a more accelerated fashion."
Cloud-based SOC services are becoming more attractive to organizations as well, as they've had to shutter their physical SOC locations in the pandemic and operate them remotely. Alberto Yepez, head of ForgePoint Capital, says his fund sees SOC-as-a-service as a promising sector: His firm recently invested $26 million in Cysiv, a startup in that burgeoning space.
Cut or On Ice
In IT and security overall, capital expenditures and many consulting-type services have been cut, according to Gartner's data models. Some 66% of enterprises expect to delay capital expenditures this month if they already have not, and 65% plan to cut their consulting/contractor expenditures, the data shows. Some of that includes product implementation services, for example, as well as discretionary security consulting, although some security consulting teams are refocusing now on helping organizations transition to the pandemic and post-pandemic.
Jeff Pollard, vice president and principal analyst at Forrester, says organizations as of May had continued freezing new security projects and spending, with the exception in some cases of VPNs, zero-trust remote access, and even looking at the automation of security processes. Security teams with members who can write their own scripts to automate and integrate some SOC processes could help fill staffing and product gaps, according to Pollard, who co-authored the report, "Security Will Fall Out Of Growth Mode Due To COVID-19."
"You're going to see an explosion in DIY if you have people who can experience and write scripts and do a lot of leveraging of open source while spending constraints [remain]," Pollard says.
The physical restrictions of the pandemic already have opened up previously dismissed options for cloud services, such as incident response (IR). One of Wang's Rain Capital clients, a startup called Mitiga that offers remote IR services, told her that prior to the pandemic, it was difficult to get companies to embrace the concept of its service of no on-site incident responders coming to their offices to help investigate a breach.
That has changed dramatically in the pandemic, she says: "Now everyone wants it."
Tal Mozes, co-founder and CEO of Mitiga, says more organizations are looking at the IR-as-a-service model now.
"We already had remote [IR] projects going on before the pandemic, but the shift to work-from-home has resulted in more organizations looking at remote IR services," says Tal Mozes, co-founder and CEO of Mitiga. "Organizations are panicking and adjusting to a new routine that takes a lot of resources."
For example, a pharmaceutical company with manufacturing locations around the globe that had to shift its operations to remote control recently adopted Mitiga's cloud-based IR service. "The CISO was very busy enabling remote access to its factories," says Mozes. "To allow them to deal with the business challenges, they [sent] their entire IR to us."
A Bounce-Back
Gartner's take for now is that there will be growth again in IT and security at the end of this year, after this seemingly temporary growth decline likely rebounds.
"At the moment, the perception is that there will be growth at the end of 2020," Pingree notes. "The reason our forecast is still positive is we do believe that security is like an insurance policy: It's one of the last items on the budget to get cut. [But] that's not to say we won't revise upward or downward based on the climate later this year."
Forrester's Pollard echoes cautious optimism. He says it could take anywhere from six months to a year for the security sector to recover from the economic impact, depending on the vertical market and geographic region. "I think there will be a bounce-back," he says.
But a pandemic's effect on the economy is much different than that of a finite event, such as a natural disaster, he explains. "It's not a traditional recovery," Pollard says. "... As we're seeing in other countries as more and more people go out and as the disease spreads again ... it's going to be a stop and start nature of the event."
Forrester, meanwhile, is warning security teams to prepare for cuts in their already resource-strapped staffing.
"Security and risk leaders must expect downsizing to occur. Think about which employees can be let go, if full-time employees can be converted to contractors, or if salary reductions for exempt employees and reductions in hours for nonexempt workers will give you the breathing room your CFO and CEO will ask for as a technique to avoid cutting jobs," the consulting firm said in its report.
"Expect cybersecurity to get a much smaller piece of what we expect will be a much smaller budget pie. Security leaders must get proactive and show senior execs they understand the gravity of the situation by listing the projects and initiatives they can cut, along with the critical must haves," Forrester warned in its report.
Meanwhile, many organizations' physical offices may not reopen at all, or at least not fully, as businesses opt to keep some or all of their employees working from home for both health and economic reasons.
Kevin Simzer, chief operating officer at Trend Micro, says the pandemic has forever changed the physical office model, and that, in turn, will shift the security model.
"The COVID-19 experience will not only build our courage to persevere, but also our courage to adopt new patterns to fix antiquated processes. As a result, organizations will ditch the notion of having a big office and revert back to a small-town model of working in cluster offices with more remote work," he says. "Even more so, company headquarters will be located in the cloud, shifting how we protect enterprise data in the virtual cloud and how we secure data from more diverse endpoints."
Next installment: A look at venture capital and private equity investment in security products and services amid the pandemic.