[BreachExchange] The impact of COVID-19 on how CISOs make buying decisions

Destry Winant destry at riskbasedsecurity.com
Thu Jan 28 10:40:49 EST 2021


https://www.helpnetsecurity.com/2021/01/26/cisos-buying-decisions/

It’s no secret that the past year has resulted in organizations
fast-tracking their digital transformation projects, making drastic
changes to their operations while also attempting to prepare for a
very uncertain future. To get a sense of the real impact of the
pandemic on cyber security, we conducted a wide-ranging survey with UK
IT decision makers on their expectations and priorities for the next
12 months.

We found that COVID-19 has not only led to an increase in security
spending, but also placed a greater level of strategic importance on
strong relationships between businesses and vendors.

Increased attacks are driving up spending

“When, not if” has been a common mantra regarding cyberattacks for
some time, and the inevitability of suffering an attack was more
apparent than ever in 2020. Three quarters of respondents told us they
had been attacked at least once this year and one in five were hit
more than five times.

Against this increasingly hostile threat landscape, CISOs are under
mounting pressure to equip their organizations with the tools and
skills required to identify and defend against incoming attacks and
mitigate the impact of those that slip through.

Most businesses told us they are planning to increase their IT
security budgets over the next year, with more than a third saying
increases will be between six and ten percent. Notably, 13 percent
said that budget increases were in direct response to the new
challenges of the pandemic.

Security around remote working is particularly important as firms
continue to adapt to remote workforces. After the madcap dash in
March, CISOs have had time to implement more long-term strategies to
keep remote staff secure, and this will continue to be a priority into
2021.

Optimizing defense investments

While security budgets have increased, it is imperative that
organizations maximize the value of their spend and invest in the
right solutions for their risk profile. They will need to conduct
thorough analyses of their most pressing security needs and research
the plethora of options to assemble the most robust defense possible.

Preventing data breaches was the biggest priority highlighted by
respondents for the 12 months ahead, narrowly followed by defending
against malware and phishing attacks.

Given the increasing range of attack strategies and tools used by
threat actors, there is an increased emphasis on tools that can cover
more ground. Endpoint Detection and Response (EDR) has emerged as one
of the most popular solutions due to its ability to identify a range
of attack behaviors. More than half of the CISOs and other IT security
decision makers responding to our research indicated that EDR was a
purchasing priority.

The importance of trust and flexibility

Investing in effective security skills and technology is often only
half the answer. The way services and solutions are delivered is also
increasingly important, particularly when it comes to the uncertain
economic environment created by the pandemic.

Accordingly, our research showed that the vast majority of businesses
prefer to pay for security products and services on a monthly basis,
rather than annually. More than a quarter also favor flexible
contracts wherever possible. This flexibility makes it easier for
firms to ramp up or scale back their investments and activity as the
economic and threat landscapes continue to shift.

Flexibility and clear, fair contracts were particularly important
elements for those businesses buying their solutions through service
providers and resellers. Trust was also cited as an important factor
when selecting an external specialist to help protect essential IT
systems. Without a solid foundation of trust, the relationship can
quickly fall apart.

In-house security management was still the most popular approach for
most organizations, and more than half of respondents maintained their
own cyber security personnel. This trend reverses for firms with under
200 employees, however: smaller businesses are generally unable to
budget for the expense of dedicated, full-time security specialists,
and were much more likely to work with managed security service
providers (MSSPs) for their essential security needs.

Investing in security service providers as strategic partners

While most larger firms still prefer to manage their security
in-house, the value of relationships with outsourced security
providers – and their importance as trusted partners – was also
highlighted in the research. Over 80 percent of respondents that
worked with an IT service provider or reseller stated they viewed them
as a key or strategic partner.

Outsourcing security not only provides access to the latest in
security solutions but also, perhaps more importantly, the skills and
expertise of qualified security personnel.

Financially, cybersecurity salaries and in-house operations are
costly, meaning outsourcing is a more efficient way to meet a
business’s security obligations.

This strategic relationship goes beyond simply identifying and
mitigating cyber threats, as security providers can also act as
trusted advisors. A good security partner will use their industry
experience to provide valuable insight in shaping the company’s
security strategy and investments, helping to ensure that future
purchases are the best match for the company’s security priorities.

With the future still full of uncertainty, investing in strong
relationships and trusted partners can often be as important as buying
the latest security solutions.

