In a recent survey, we learned that more than 90% of C-level executives and VPs interviewed have delayed or cancelled key security projects to accommodate the transition to a distributed workforce. What can we expect the impact to be on organizations as a result of delayed or cancelled security projects?
For answers, we turned to members of the IDG Influencer Network, a community of industry analysts, IT professionals, and journalists. While their viewpoints were varied, as would be expected, Helen Yu (@YuHelenYu), a C-Level Tech Executive, spoke for many when she said, “The COVID-19 pandemic has become a catalyst for cyberattacks.”
Will Kelly (@willkelly), a Senior Technical Writer, was similarly blunt: “We’re going to see a new era of corporate data breaches,” he said.
Frank Cutitta (@fcutitta), CEO and Founder of HealthTech Decisions Lab, worries that the consequences could be grave, especially given that businesses have become much more reliant on rapidly deployed technology to fill the gap in face-to-face interactions.
“History tells us that developing a culture of security at the employee level is not for the faint of heart,“ he added. “Yes, we can send phishing tests to employees to see if they bite, but with more sophisticated hacks and ransomware, the lack of sophisticated security platforms will take its toll.”
“Information security abhors a vacuum. Attackers and your firm’s adversaries will capitalize on those delays to their advantage,” warned Ben Rothke (@benrothke), Senior Information Security Specialist at Tapad. “Attackers were ready with their stimulus scams well before the stimulus checks were even mailed. Most delays in information security deployments have a corresponding risk that must be considered.”
“Playing defense with an uptick in phishing attacks and malware is a horrible position to be in, but it’s the likelihood for not just small-cap companies but also mid-caps,” said Sarah Ramsingh (@SarahRamsingh), a Machine Learning and Quantum Mechanics Expert. “The impact is having your organization in a more vulnerable position.”
“Security moves very fast, obviously, and it’s already hard to keep up with the attackers,” said Tricia Howard (@TriciaKicksSaaS), Marketing Manager at HolistiCyber. “This is why burnout is so rampant in our industry. Security professionals are having to be on 24/7 and it’s not sustainable.”
An ‘acceptable trade-off’ if bankruptcy is the only other option
Kayne McGladrey (@kaynemcgladrey), Cybersecurity Strategist at Ascent Solutions, said delaying or cancelling security projects is “an acceptable trade-off” only if bankruptcy is the alternative.
“Due to the pandemic, this is the choice that some organizations face today,” he continued. “Other organizations should first prioritize their security projects to mitigate those risks with the highest potential impact to the business. Organizations should then have a difficult conversation about residual risks with their cyber insurance providers, and plan to implement monitoring of those risks not transferred to insurance or mitigated through implementation of technical controls.”
‘Security needs to be front and center’
Not all of the Influencers painted such a bleak picture.
“Now’s the time to double down on information security,” advised George Gerchow (@georgegerchow), Chief Security Officer at Sumo Logic. “Since the pandemic started, we’ve seen a rise in ransomware, endpoint attacks, phishing, and nation-state indicators of compromise. In times of high uncertainty and anxiety, bad actors thrive. Lock down those endpoints and start building a Zero Trust model.”
Former IT Director Cedric Wells (@cedricfwells) agreed.
“Understandably, many organizations are closely watching their cash flow and preparing for the worst with what has now been declared as a recession,” he said. “I agree that there needs to be more scrutiny and prioritization of security projects. However, now more than ever, with a more distributed workforce, security needs to be front and center. Delaying or canceling security projects at a minimum will put organizations at a greater risk.”
Scott Schober (@ScottBVS), President and CEO of Berkeley Varitronics Systems Inc., was also optimistic, pointing out that when companies put off expenditures in areas such as security, they tend to come back and spend at an accelerated rate when economic conditions improve.
“Once the pandemic fears calm, CEOs, CIOs and CISOs will be preparing for a new wave of security spending,” he predicted.
Brian Thomas (@DivergentCIO), Chief Technology Officer for Coruzant Technologies, expressed a similar view.
“While some of these projects may have been delayed, by and large technology leaders still have critical security projects at the top of their priority list,” he said. “There is too much at stake today with the plethora of malware and ransomware attacks, no matter the company size or budget.”
“Working with customers every day, and the partners who serve them in the Microsoft ecosystem, I am seeing less of a pullback and more differentiation in how our customers worldwide are approaching projects in the security space,” said Wayne Anderson (@DigitalSecArch), Security and Compliance Architect with Microsoft’s M365 Center of Excellence. “It isn’t a matter of ‘Are companies spending more or not?’ but rather it’s a question of ‘Which projects are getting investment right now?’ While there are about a fifth of companies that are overall decreasing cybersecurity budget, broadly a majority are reorienting around the remote work atmosphere and the data streams that are critical to next-generation business.”
Ratan Jyoti (@reach2ratan), Chief Information Security Officer of Ujjivan Small Finance Bank Limited, was also focused on the future.
“It’s high time for organizations to reorient their security budget in the right area,” he said. “There can be a huge spike in security budgets in 2021 as remote working has introduced a new array of risks that must be managed. I also see a huge hike in cloud and automation in 2021.”
“There may be projects that will have to be deferred around increasing efficiency or improving the user experience, which may set the organization back compared to their peers, but these activities can’t be prioritized over preventing breaches and maintaining compliance,” said Larry Larmeu (@LarryLarmeu), an Enterprise Technology Leader.
Caroline Wong (@CarolineWMWong), CIO of Cobalt, said that if key security projects were delayed or cancelled to make room for critical projects that would enable a distributed workforce to work more securely (for example, VPN implementation or training on how to setup a secure home WiFi network), “then it could be a positive change, resulting in a more secure setup given the new work environment.”
Within the first two months of the COVID-19 pandemic, Tanium helped the world’s most demanding organizations recover their operations and regain control and visibility. Learn how to secure your distributed workforce today with Tanium as a Service, the world’s first unified endpoint management and security solution with a single console, a single agent, and zero infrastructure.