It’s an unfortunate reality that, across the business landscape, the novel coronavirus has not been an equal-opportunity problem. Some commercial sectors – think airlines and restaurants – have been ravaged, while other industries have not only avoided slowdowns, but have actually seen a surge in business. Those delivering their products via the internet, for instance, have thrived while serving a population stuck at home.
The same schism is seen within the narrower business segment of IT, where the continued use and new adoption of technology applications and products has varied widely during the COVID-19 period. Hardware products like servers and storage arrays were tasked with eking out one more year before upgrade. Meanwhile, just as in the consumer world, businesses whose products and services were delivered via the cloud were less likely to be impacted by the pandemic.
On the whole, security spending grows
According to Dan Kennedy, senior research analyst in the enterprise security practice of 451 Research, cybersecurity is, by and large, an IT segment that continued to grow throughout the past year, albeit more slowly than in prior years.
In a webinar titled Security in the Time of Coronavirus, which presented aggregate findings from several surveys of 451 Alliance members, Kennedy first recognized the grim reality that not all industries have enjoyed equivalent IT experiences. “I want to appreciate the fact that a CISO in the hospitality industry is experiencing this very differently than a CISO at a technology company,” he stated.
That said, Kennedy noted that the model of recession spending – the posture of ‘keeping the lights on’ following the economic contractions in 2000 and 2008 – “isn’t fundamentally holding up for security this time around. The adjusted average budget increase for information security was 16% between the second and third quarters of last year.” Kennedy allowed that the rate of security budget expansion was about four percentage points higher in 2019.
WFH elevates security’s importance
Security is, in fact, one of those sectors of commerce that actually gained relevance and momentum during the pandemic. Kennedy observed that “28% of respondents to our coronavirus flash survey [in June 2020] noted spending more in information security specifically due to COVID-19 in March of last year. This rose to 42% in June, trailing only collaboration technologies and mobile devices like laptops.”
“For a significant percentage of enterprises, security spending is increasing specifically because of the need to support security during this period of work-from-home, if you will, at scale,” he said.
The complicated COVID-19 role of the VPN
The use of corporate virtual private networks, or VPNs, exploded over the past year to accommodate the mammoth WFH movement. Still, Kennedy noted, the value of the VPN has changed since workloads began moving from an organization’s datacenter to hosted environments.
“When we think about VPNs, they became popular almost two decades ago, and in a world where everything you needed to access on a remote basis was probably on-premises,” he remarked. But as the cloud has taken root, “a significant amount of IT resources required no routing through on-premises architecture…. Many employees did not need to connect to an overtaxed VPN [in the past year] to do their job.”
The proliferation of these off-premises resources has left a gap in security, Kennedy explained. “Security – especially network security controls and the gathering of telemetry for security monitoring and decision making – are still architected as if you have to connect through that chokepoint.”
“Tactically, we’ve seen a reported increase in security incidents during this period,” Kennedy said of the tendency for employees to bypass their VPNs for at least portions of their workday. “And when we dig into what those are, phishing is the most common attack type; security practitioners have seen an increase during the pandemic of 69%…. While phishing is certainly not a new attack type for security teams to deal with, at-home work setups and current conditions allow for some new wrinkles.”
VPN is essential, but still inadequate
“There’s a reflection of somewhat soft confidence in VPNs in terms of security controls,” Kennedy said, primarily because much of the work employees do resides in the cloud and can therefore be accessed directly, without an active VPN.
“And the rub is this: many network-based security controls assume access from a network campus out to the internet or other resources. [As a result], 77% of respondents note there are security controls that don’t work when employees are not connected to the VPN.”
“[This is] probably something we could have lived with up till now, with a minimal amount of remote work in many enterprises. But if the situation is becoming permanent with work-from-home at a greater scale…something in security architecture is going to have to change to accommodate this situation,” he said.
Kennedy covered a number of related topics over the balance of an engaging hour-long webinar. His presentation was part of 451 Alliance’s monthly webinar series, offered to Alliance members who participate in our quantitative surveys or qualitative interviews. This and all webinars and accompanying slide decks are available exclusively (and at no cost) to members on the 451 Alliance member portal, along with a complete library of on-demand research products. We thank our members for sharing their knowledge with peers through their participation in our studies.