The results in this report are from the Cyber Security Hub survey, which we fielded to subscribers in May and June 2020 to benchmark actual results from H1 2020 vs. expectations for H2 2020. The respondents offer a balanced representation of the enterprise cyber security mindset: the largest segment (41 percent) describes its job function as cyber security. The next largest segment is IT (27 percent), followed by corporate management (9 percent).
Qualified respondents were truly cross-industry, coming from automotive, education, financial services, government, healthcare/life science, manufacturing, media/telecommunications, retail/consumer packaged goods (CPG), technology, travel/hospitality and utilities/oil and gas/energy.
There were potentially alarming responses to our global pandemic-related questions in this mid-year survey. When asked “Has your approach to security changed as a result of the global pandemic and an increasingly remote workforce?” 40 percent said no.
Has your approach to security changed as a result of the global pandemic and an increasingly remote workforce?
Roughly two in five cyber security organizations have not changed their approach to security as a result of the global pandemic. That such a large percentage of the CISO community has not changed its approach to cyber security as a result of a global pandemic that has hurtled us all into a new workforce infrastructure is truly concerning.
How the cyber security landscape has changed due to the pandemic:
- Network infrastructure use has changed
- Endpoints have changed
- Access management has changed
- Collaboration tools have changed
- The concept of insider threat has changed
- Enterprise cloud infrastructure has changed, no matter where you were in your cloud migration
- Data in transit has changed
- Myriad threat vectors have changed
- Vulnerability management has changed
- Cybercriminal attacks have changed
Why did 40 percent of the cyber security community not change their approach?
In addition to the unchanged mindset of a significant portion of the community, the reduction in staff due to financial pressures on companies during the pandemic was similarly concerning. A past potential insider threat now had the potential to become a nefarious external threat.
Has your IT/Security staff been reduced as a result of the global pandemic?
As reported on Cyber Security Hub in Why Is Top Cyber Security Talent Suddenly In Flight, when asked about the 19 percent unemployed DevOps/DevSecOps community, Parag Deodhar, director of information security, Asia Pacific for VF Corporation, noted: “when people do not have access to enough money, food or resources, there will be more actors coming up”. Deodhar also explained that the pandemic has expanded the threat landscape, meaning that “not only were folks pushed [towards cyber crime], but also, the landscape open[ed] up for folks as well.”
Jamal Hartenstein, who has worked with the Department of Defense on military bases as a part of joint task forces and has experience with every branch of service, notes that there was an industry realization that organizations needed to be more proactive and focus better on detection, and that the global pandemic has accelerated that focus.
When asked about his perception, he explains that, “if you do not increase your security measures, you have exponentially just multiplied in magnitudes the risk based on all the threat and vulnerability and risk.”
Changing cyber security mindset
We asked survey respondents to share how their cyber security approach was changing. Here is a sample of their responses:
- Fully remote working cyber security teams
- Implementing a zero-trust network strategy to provide scalability and flexibility whilst improving network security
- Adding contractors and outsourcing
- Rethinking cyber security strategy through the context of the pandemic
- Adjusting to changes in environment, operations and business
- Constantly monitoring all situations to better understand the issues and concerns
- Introducing awareness programs, online trainings and increased system auditing
- Changed training and awareness program to cater for changes in workforce practices, e.g. remote working
- Focusing on what is needed to support remote working employees and ensuring that employees have safety front of mind when returning to the office
- Making adjustments for the fact most endpoints are now remote to ensure that they remain secure
- An increased focus on more messaging and content that will resonate better with a remote workforce; emphasize security controls that protect remote workers and mobile
- Increasing security for both mobile and critical infrastructure
- Increased use of multi-factor authentication
- Greater emphasis on cloud-based protection to accommodate home-based workers
- Working to combat the increased difficulty in quickly identifying and mitigating issues remotely
- More expertise and focus on DevSecOps
- Increased use of automation to detect changes to controls. This means we are automatically being notified of the change, responding to and addressing the incident, analyzing it and rectifying the control(s).
- Streamlining the operational cost of IT to remove unnecessary spending and services that are not being used
- More user training and simulated phishing campaigns
- Proactively monitoring threats and regularly updating our security strategy to combat new challenges
- More stringent compliance with regards to minimum security requirements to prevent data leakage
- Decreasing the time taken to follow through on incident reports from security and threat intelligence tools
In 2021, 40 percent of the cyber security community said they had not changed their mindset in the face of the global pandemic, while 20 percent of top cyber security talent was made redundant. With this in mind, it was unsurprising that 67 percent of the cyber security community reported their budgets were decreasing or staying the same.
May 2019-June 2020 cyber security budget reported as decreasing or staying the same
While over two thirds of cyber security professionals noted their budget was staying the same or decreasing in July 2020, just one year ago 59 percent reported an increase in budget in the Mid-Year Market report 2019. This means the pandemic had a significant impact on cyber security spend.
In the wake of the global pandemic, with attacks on the rise, it would be expected that cyber security budgets would increase to combat this. Those in the cyber security community, however, disagree, with 62 percent expecting budgets will decrease or stay the same.
May 2019-June 2020 planned cyber security budget increase in the next 6 months
State of affairs
Do you feel as though the overall state of cyber security, meaning resiliency, compliance, awareness, etc., is improving?
Taking a step back shows that the industry feels that things are positive and getting better. When asked “Do you feel as though the overall state of cyber security, meaning resiliency, compliance, awareness, etc., is improving?” 84 percent said ‘yes’.
What is the most dangerous threat vector, in your opinion?
Most security issues at my organization are caused by…
The top three areas of focus for respondents during the pandemic were security awareness, detection and incident response, and access controls, in keeping with the results of the last three Cyber Security Hub surveys. Just outside of that group is elevating cyber security with top-level management, a topic that was similarly highlighted over the previous two surveys.
As a majority of cyber security budgets had not yet shifted in the face of a momentous societal occurrence, how money is spent became all the more important. Endpoint security went from the fifth highest to the second highest spend from November 2019 to June 2020, most likely as a response to employees working from home and therefore increasing the chance of an endpoint being used as a vector for attack.
Last six months
Which solutions have been the biggest priorities for you in the last 6 months?
While compliance priority decreased 17 percent from 2019 to 2020, this may be because those in cyber security had finished making the initial major changes needed to comply with GDPR. The 9 percent increase in SIEM focus showed that the community was looking to further adopt automation tools, potentially due to the decrease in workforce and the need to streamline cyber security.
Expert perspective from Sam McLane, head of security engineering at Arctic Wolf
What are your thoughts on the top threat vector being email?
Whether it is cloud or devices perimeter, there is a level to which a human element can make them fail but it is rare. Generally, people who play with firewalls tend to be security savvy. So, if they make a mistake, for example opening up a hole for a vendor or for an audit and then not shutting it down, that is generally when they are overworked.
Corporate email and personal email rely on common security awareness and intelligence, and the lowest common denominator usually wins. Malicious actors can go and find the CFO’s administrative assistant’s Facebook page, find out who their kids are and what school they go to, then easily craft an email that will make the CFO think, “Hey, my secretary just asked me to contribute to her son’s scholarship fund on GoFundMe.”
People naturally want to trust and playing on that trust is so easy to do and to make it look good. Especially in this Covid-19 world while most of us are working from home, you drop your guard a little bit because you are in unfamiliar surroundings. You are in that home setting rather than that work setting. That is what scares the tar out of me about email.
What are your thoughts on industry talent?
If you have got a great team, each member usually does one thing well. Even if you have already got the technology in place, can one person take care of firewall, compliance, intrusion detection, threat intelligence? Can they execute on multiple things? Each of these takes time, and if each member has to take care of three of them, how are they actually going to get each done well?
Our biggest customer was bringing in three new technologies simultaneously. Each technology takes six months to get right. They tried to go it alone with vendor products and failed. When they came to us they said, “We missed a breach,” because either their SIEM or SOAR was not tuned properly, or they never got our endpoint fully deployed.
What is the answer to a perceived talent shortage?
I am not sure how much of a shameless plug this should be, but a different way to deal with the staffing issue depending upon where you are is to rely on third parties who may have more people. One of our key selling advantages is that because we deal with thousands of customers, I can take that really good smart security person, and maybe she can look at a bank in the morning and hotel chain in the afternoon and a web front the next day. So, we provide variety. We provide something always challenging to our talent. Complacency hopefully never sets in and I have got the staffing capabilities to have a person work on a project three months to avoid burnout. That is really difficult to do unless you are a Fortune 100 company.
“You drop your guard a little bit because you’re in unfamiliar surroundings.”
Head of Security Engineering, Arctic Wolf
Cyber security and people
Challenges when building teams
When it comes to building out your security operations team, what is your biggest challenge?
There are two main issues that faced the cyber security community in building teams during the pandemic – a perceived shortage of talent and insufficient budget.
The lack of skilled workers that culturally align with your organization is often cited as a “pain point” for security teams. What are you doing to win the war?
As nearly half of the community perceived a shortage of talent, it is important to consider what companies were doing to acquire talent during the pandemic. More than one in five respondents reported implementing mentor programs. Another 20 percent saw interns as the answer, and nearly 10 percent reported engaging with universities to procure employees.
It was not all change, however, as just under two in five noted that they were simply going to maintain current behaviors and activities to move forward.
Defense in depth vs. industry consolidation
Is “defense in depth” the answer or do enterprises desire more consolidation across their “point solutions”?
There was a marked shift in industry thinking from November 2019 to June 2020 around the concept of defense in depth. There was a 10 percent composite swing from the concept of industry consolidation to defense in depth.
Do you leverage any of the following industry frameworks?
The industry craves standardization, as indicated by the continued increase in the use of industry frameworks.
In 2020, the state actor hacker space was becoming ever more crowded. Unemployed cyber security talent was a new and looming threat. Dovetailing with cyber-criminal sophistication and collaboration was a brand-new wide-open threat landscape. This all put increased pressure on cyber security professionals.