Dark Reading is part of the Informa Tech Division of Informa PLC


Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic

For now, security teams face freezes in projects and hiring - and budget cuts, security industry analysts say.

Not even the red-hot cybersecurity sector is immune to the major economic downturn resulting from the global coronavirus pandemic. As parts of the world begin to gradually reopen for business as stay-at-home orders lift, many IT security teams now also face a fresh new reality of spending and hiring freezes.

The security industry currently is experiencing an overall slowdown that ultimately could shape the future direction of some security technologies and products - especially as organizations rethink how they operate in the wake of the pandemic. Security industry experts are cautiously calling it a short-term slowdown but admit there's no way to know just how long or what kind of recovery security will experience.

Forecasts are grim, at least in the short term: Gartner estimates a $6.7 billion decrease overall in global security spending in 2020 for software and services as a result of the economic impact of the pandemic, while Forrester Research has warned security teams to expect to see leaner budgets and trimming of their already-thin staffs.

Chenxi Wang, founder of cybersecurity venture capital firm Rain Capital, characterizes the slowdown as a "temporary pause on an explosive growth phase." Security budgets and market growth are freezing, she says, and that's true across most of the IT sector right now. Security spending is under more intense scrutiny than before.

"CIOs are telling me if you have a new project, you have to convince the rest of the company why it's so important," she says. Older projects are likely to remain on course if they are deemed to be critical to the organization, she says.

So which security technologies are thriving or waning in the age of COVID-19? Security analysts and investors say endpoint remote-access technology got a temporary bump in the rapid, mass exodus from the office to work-from-home, prompting some organizations to purchase, for example, additional hardware for VPN connectivity and Citrix virtual machine access for remote desktops.

Meanwhile, overall endpoint security spending has dropped slightly, according to Gartner data. "It will be moderate to strong in the next several years," says Lawrence Pingree, managing vice president for TSP (Technology and Service Provider) Security Technologies at Gartner.

Unsurprisingly, more organizations are turning to cloud-based services, including some cloud-based security offerings, as well as so-called zero-trust technologies for application access. Cloud security has enjoyed "modest growth" during the pandemic, notes Pingree, because it's considered an operations expense, not a capital one.

"You're not going to wait 60 days for hardware to be shipped" to beef up the corporate VPN for the new population of work-from-home employees, he says. "They will prefer the cloud because you can turn it on really quickly."

The network perimeter already had been on the decline, so hardware security and firewall appliances have been hard-hit in the pandemic, as have big projects such as identity and access management overhauls, analysts say.

Because many organizations can't populate their own data centers amid the pandemic, they're looking more at the cloud as an alternative.

"It used to be, 'Let's have a five-year plan to do cloud,' and now it's, 'Can we do it in 18 months?'" Wang says. "This pandemic is a violent shakeup of a transformation that was going to come anyway. It's now [coming] in a more accelerated fashion."

Cloud-based SOC services are becoming more attractive to organizations as well, as they've had to shutter their physical SOC locations in the pandemic and operate them remotely. Alberto Yepez, head of ForgePoint Capital, says his fund sees SOC-as-a-service as a promising sector: His firm recently invested $26 million in Cysiv, a startup in that burgeoning space.

Cut or On Ice
In IT and security overall, capital expenditures and many consulting-type services have been cut, according to Gartner's data models. Some 66% of enterprises expect to delay capital expenditures this month if they already have not, and 65% plan to cut their consulting/contractor expenditures, the data shows. Some of that includes product implementation services, for example, as well as discretionary security consulting, although some security consulting teams are refocusing now on helping organizations transition to the pandemic and post-pandemic.

Jeff Pollard, vice president and principal analyst at Forrester, says organizations as of May had continued freezing new security projects and spending, with the exception, in some cases, of VPNs, zero-trust remote access, and even the automation of security processes. Security teams with members who can write their own scripts to automate and integrate some SOC processes could help fill staffing and product gaps, according to Pollard, who co-authored the report, "Security Will Fall Out Of Growth Mode Due To COVID-19."

"You're going to see an explosion in DIY if you have people who can experience and write scripts and do a lot of leveraging of open source while spending constraints [remain]," Pollard says.

The physical restrictions of the pandemic already have opened up previously dismissed options for cloud services, such as incident response (IR). One of Wang's Rain Capital clients, a startup called Mitiga that offers remote IR services, told her that prior to the pandemic, it was difficult to get companies to embrace the concept of a service in which no on-site incident responders come to their offices to help investigate a breach.

That has changed dramatically in the pandemic, she says: "Now everyone wants it."

Tal Mozes, co-founder and CEO of Mitiga, says more organizations are looking at the IR-as-a-service model now.

"We already had remote [IR] projects going on before the pandemic," but the shift to work-from-home has resulted in more organizations looking at remote IR services, Mozes says. "Organizations are panicking and adjusting to a new routine that takes a lot of resources."

For example, a pharmaceutical company with manufacturing locations around the globe that had to shift its operations to remote control recently adopted Mitiga's cloud-based IR service. "The CISO was very busy enabling remote access to its factories," says Mozes. "To allow them to deal with the business challenges, they [sent] their entire IR to us."

'A Bounce-Back'
Gartner's take for now is that there will be growth again in IT and security at the end of this year, as this seemingly temporary decline in growth gives way to a rebound.

"At the moment, the perception is that there will be growth" at the end of 2020, Pingree notes. "The reason our forecast is still positive is we do believe that security is like an insurance policy: It's one of the last items on the budget to get cut. [But] that's not to say we won't revise upward or downward" based on the climate later this year.

Forrester's Pollard echoes cautious optimism. He says it could take anywhere from six months to a year for the security sector to recover from the economic impact, depending on the vertical market and geographic region. "I think there will be a bounce-back," he says.

But a pandemic's effect on the economy is much different than that of a finite event, such as a natural disaster, he explains. "It's not a traditional recovery," Pollard says. "... As we're seeing in other countries as more and more people go out and as the disease spreads again ... it's going to be a stop and start nature of the event."

Forrester, meanwhile, is warning security teams to prepare for cuts in their already resource-strapped staffing.

"Security and risk leaders must expect downsizing to occur. Think about which employees can be let go, if full-time employees can be converted to contractors, or if salary reductions for exempt employees and reductions in hours for nonexempt workers will give you the breathing room your CFO and CEO will ask for as a technique to avoid cutting jobs," the consulting firm said in its report.

"Expect cybersecurity to get a much smaller piece of what we expect will be a much smaller budget pie. Security leaders must get proactive and show senior execs they understand the gravity of the situation by listing the projects and initiatives they can cut, along with the critical must haves," Forrester warned in its report.

Meanwhile, many organizations' physical offices may not reopen at all, or at least not fully, as businesses opt to keep some or all of their employees working from home for both health and economic reasons.

Kevin Simzer, chief operating officer at Trend Micro, says the pandemic has forever changed the physical office model, and that, in turn, will shift the security model.

"The COVID-19 experience will not only build our courage to persevere, but also our courage to adopt new patterns to fix antiquated processes. As a result, organizations will ditch the notion of having a big office and revert back to a small-town model of working in cluster offices with more remote work," he says. "Even more so, company 'headquarters' will be located in the cloud, shifting how we protect enterprise data in the virtual cloud and how we secure data from more diverse endpoints."

Next installment: A look at venture capital and private equity investment in security products and services amid the pandemic.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Owanate Bestman, User Rank: Author
6/3/2020 | 4:27:23 AM
Comprehensive, engaging and informative
Yup, this backs up what I have been seeing in the market and hearing from my conversations with CISOs and CIOs.