The cybersecurity landscape looks significantly different than just one year ago. We all know why. The pandemic pushed just about everyone to figure out how to implement and secure widespread work-from-home arrangements nearly overnight.
And as the new year approaches and another wave of COVID-19 outbreak is upon us, it doesn't look like the need to "work from anywhere" is going away soon.
"Because IT has traditionally been built around the stability of office operations, the shift to remote work has both opened organizations to new digital threats and slowed response time to digital emergencies," says Darren Deslatte, vulnerability operations leader at Entrust Solutions, a provider of technology solutions, IT managed services, and staff augmentation.
This, in turn, has impacted 2021 security budgets and where CISOs plan to allocate their dollars. As we batten down the hatches and move full-force forward, let's take a look at their budget priorities.
With disparate employees and company assets all over the globe, it's critical to take stock of what you have now.
"Before you can secure a network, you must know what's on your network," says Brian Wilson, CISO of SAS Institute, a developer of analytics. "How do you know your inventory or asset management systems are adequately finding all your assets?"
Wilson advises security teams to think about new ways to validate and refresh their asset data to help teams stay on top of life cycle management projects and better enable incident response.
Steve Dotson, CISO of marketing tech company Acoustic, says he thinks CISOs will look to budget for more data-mapping and data-inventory solutions to get visibility into how data flows through microservices and cloud data stores.
"Solutions that provide asset visibility while allowing technology teams to continue to leverage point solutions for asset management give security teams and other teams the holistic asset information necessary to ensure protection," he says.
New work arrangements and priorities mean new applications and services are being developed constantly – and most of them are cloud-based. It also introduces new security challenges given pushing apps to the cloud faster means security is often an afterthought. CISOs will need to invest more in DevSecOps tools and processes in 2021 to ensure security is part of the DevOps process from the start.
"Security teams and DevSecOps teams continue to shift further left in the SDLC or CI/CD into areas like security checks on infrastructure as code and security testing earlier in the development/build life cycle," Acoustic's Dotson says.
Getting security involved at the outset better ensures the proper controls are in place throughout the application development cycle.
"The more that security and compliance evaluation processes can be embedded in developer and DevOps processes, the more effective they will be," Dotson says.
Secure access service edge (SASE), an emerging security concept, will be hot in 2021, says Todd Weber, chief technology officer for Optiv Security.
"SASE will be far more prominent in CISO 2021 budgets than could have been anticipated a year ago," he says. "SASE has accelerated from an emerging category to a priority for CISOs in 2021."
That's because the attack surface has expanded dramatically with widespread work-from-home arrangements – and security leaders can't confine protection to one user or one location. Rather, they will need to extend to the edge of the enterprise and validate every endpoint and access attempt, Weber says.
SASE combines networking and security functions and brings both to the edge, with a focus on providing secure access based on the identity of a user or device rather than a particular location.
"This is exactly what companies need in our new work-from-home reality," Weber says. "Gartner predicted before the pandemic that by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE. I believe the pandemic has accelerated that time frame to 2021 or 2022, at the latest."
If any lesson is to come from this year about technology and security, it's that flexibility and resilience are top needs. Entrust's Deslatte says CISOs are focusing on investments in hardware and digital tools that can securely accommodate work-from-home or hybrid office operations because there is no telling anymore what the future will look like.
"In the remote work era, these costs may include VPNs, new antivirus software, virtual servers, and associated hardware – as opposed to on-site data centers – [as well as] updated laptops with more secure TPM chips and card readers, or even employee training for spotting cyberattack attempts," he adds.
Security became chaotic as systems spread out. Now CISOs want simplicity, says Chloé Messdaghi, vice president of strategy at security firm Point3 Security.
"Many CISOs are looking at their security stacks – what they need and what they don't," she says. "The average organization uses 45 separate security tools, and as they update their playbooks, they're finding that an average of 19 of these tools are actively used and require coordination, especially in the event of an attack. The other 26 may or may not be needed."
Another factor playing into this is the continued talent gap in security. Gone are the days when budgets allowed for in-house experts for each tool. CISOs are now investing with an eye toward tools that can perform multiple security functions through one platform – and that don't require multiple licenses.
The money tree isn't that well-watered in many places – especially for security teams in the hospitality and travel industries. This may be the year to look for places to repurpose existing investments.
"What's old is new again," says Ed Bellis, CTO and co-founder of Kenna Security and former CSO for travel site Orbitz. "As a CISO I would often make a point of inventorying the tools used by our business. While this gives you visibility into all the applications within your environment, it also has the added effect of potential security repurposing."
For example, tools used in fraud can often be used in security for different purposes, he said. Same for product analytics applications, which "can be used to identify malicious users or usage of your applications," Bellis said. "CISOs can often benefit their programs from existing licenses within the business."Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio