Not even the red-hot cybersecurity sector is immune to the major economic downturn resulting from the global coronavirus pandemic. As parts of the world begin to gradually reopen for business as stay-at-home orders lift, many IT security teams now also face a fresh new reality of spending and hiring freezes.
The security industry currently is experiencing an overall slowdown that ultimately could shape the future direction of some security technologies and products - especially as organizations rethink how they operate in the wake of the pandemic. Security industry experts are cautiously calling it a short-term slowdown but admit there's no way to know just how long or what kind of recovery security will experience.
Forecasts are grim, at least in the short term: Gartner estimates a $6.7 billion decrease overall in global security spending in 2020 for software and services as a result of the economic impact of the pandemic, while Forrester Research has warned security teams to expect to see leaner budgets and trimming of their already-thin staffs.
Chenxi Wang, founder of cybersecurity venture capital firm Rain Capital, characterizes the slowdown as a "temporary pause on an explosive growth phase." Security budgets and market growth are freezing, she says, and that's true across most of the IT sector right now. Security spending is under more intense scrutiny than before.
"CIOs are telling me if you have a new project, you have to convince the rest of the company why it's so important," she says. Older projects are likely to remain on course if they are deemed to be critical to the organization, she says.
So which security technologies are thriving or waning in the age of COVID-19? Security analysts and investors say endpoint remote-access technology got a temporary bump in the rapid, mass exodus from the office to work-from-home, prompting some organizations to purchase, for example, additional hardware for VPN connectivity and Citrix virtual machine access for remote desktops.
Meanwhile, overall endpoint security spending has dropped slightly, according to Gartner data. "It will be moderate to strong in the next several years," says Lawrence Pingree, managing vice president for TSP (Technology and Service Provider) Security Technologies at Gartner.
Unsurprisingly, more organizations are turning to cloud-based services, including some cloud-based security offerings, as well as so-called zero-trust technologies for application access. Cloud security has enjoyed "modest growth" during the pandemic, notes Pingree, because it's considered an operations expense, not a capital one.
"You're not going to wait 60 days for hardware to be shipped" to beef up the corporate VPN for the new population of work-from-home employees, he says. "They will prefer the cloud because you can turn it on really quickly."
The fading network perimeter already had been on the decline, so hardware security and firewall appliances have been hard-hit in the pandemic, as have big projects such as identity and access management overhauls, analysts say.
Because many organizations can't populate their own data centers amid the pandemic, they're looking more at the cloud as an alternative.
"It used to be, 'Let's have a five-year plan to do cloud,' and now it's, 'Can we do it in 18 months?'" Wang says. "This pandemic is a violent shakeup of a transformation that was going to come anyway. It's now [coming] in a more accelerated fashion."
Cloud-based SOC services are becoming more attractive to organizations as well as they've had to shutter their physical SOC locations in the pandemic and operate them remotely. Alberto Yepez, head of ForgePoint Capital, says his fund sees SOC-as-a-service as a promising sector: His firm recently invested $26 million in Cysiv, a startup in that burgeoning space.
Cut or On Ice
In IT and security overall, capital expenditures and many consulting-type services have been cut, according to Gartner's data models. Some 66% of enterprises expect to delay capital expenditures this month if they already have not, and 65% plan to cut their consulting/contractor expenditures, the data shows. Some of that includes product implementation services, for example, as well as discretionary security consulting, although some security consulting teams are refocusing now on helping organizations transition to the pandemic and post-pandemic.
Jeff Pollard, vice president and principal analyst at Forrester, says organizations as of May had continued freezing new security projects and spending, with the exception in some cases of VPNs, zero-trust remote access, and even looking at the automation of security processes. Security teams with members who can write their own scripts to automate and integrate some SOC processes could help fill staffing and product gaps, according to Pollard, who co-authored the report, "Security Will Fall Out Of Growth Mode Due To COVID-19."
"You're going to see an explosion in DIY if you have people who can experience and write scripts and do a lot of leveraging of open source while spending constraints [remain]," Pollard says.
The physical restrictions of the pandemic already have opened up previously dismissed options for cloud services, such as incident response (IR). One of Wang's Rain Capital clients, a startup called Mitiga that offers remote IR services, told her that prior to the pandemic, it was difficult to get companies to embrace the concept of its service of no on-site incident responders coming to their offices to help investigate a breach.
That has changed dramatically in the pandemic, she says: "Now everyone wants it."
Tal Mozes, co-founder and CEO of Mitiga, says more organizations are looking at the IR-as-a-service model now.
"We already had remote [IR] projects going on before the pandemic," but the shift to work-from-home has resulted in more organizations looking at remote IR services, says Tal Mozes, co-founder and CEO of Mitiga. "Organizations are panicking and adjusting to a new routine that takes a lot of resources."
For example, a pharmaceutical company with manufacturing locations around the globe that had to shift its operations to remote control recently adopted Mitiga's cloud-based IR service. "The CISO was very busy enabling remote access to its factories," says Mozes. "To allow them to deal with the business challenges, they [sent] their entire IR to us."
Gartner's take for now is that there will be growth again in IT and security at the end of this year, after this seemingly temporary growth decline likely rebounds.
"At the moment, the perception is that there will be growth" at the end of 2020, Pingree notes. "The reason our forecast is still positive is we do believe that security is like an insurance policy: It's one of the last items on the budget to get cut. [But] that's not to say we won't revise upward or downward" based on the climate later this year.
Forrester's Pollard echoes cautious optimism. He says it could take anywhere from six months to a year for the security sector to recover from the economic impact, depending on the vertical market and geographic region. "I think there will be a bounce-back," he says.
But a pandemic's effect on the economy is much different than that of a finite event, such as a natural disaster, he explains. "It's not a traditional recovery," Pollard says. "... As we're seeing in other countries as more and more people go out and as the disease spreads again ... it's going to be a stop and start nature of the event."
Forrester, meanwhile, is warning security teams to prepare for cuts in their already resource-strapped staffing.
"Security and risk leaders must expect downsizing to occur. Think about which employees can be let go, if full-time employees can be converted to contractors, or if salary reductions for exempt employees and reductions in hours for nonexempt workers will give you the breathing room your CFO and CEO will ask for as a technique to avoid cutting jobs," the consulting firm said in its report.
"Expect cybersecurity to get a much smaller piece of what we expect will be a much smaller budget pie. Security leaders must get proactive and show senior execs they understand the gravity of the situation by listing the projects and initiatives they can cut, along with the critical must haves," Forrester warned in its report.
Meanwhile, many organizations' physical offices may not reopen at all, or at least not fully, as businesses opt to keep some or all of their employees working from home for both health and economic reasons.
Kevin Simzer, chief operating officer at Trend Micro, says the pandemic has forever changed the physical office model, and that, in turn, will shift the security model.
"The COVID-19 experience will not only build our courage to persevere, but also our courage to adopt new patterns to fix antiquated processes. As a result, organizations will ditch the notion of having a big office and revert back to a small-town model of working in cluster offices with more remote work," he says. "Even more so, company 'headquarters' will be located in the cloud, shifting how we protect enterprise data in the virtual cloud and how we secure data from more diverse endpoints."
Next installment: A look at venture capital and private equity investment in security products and services amid the pandemic.