Larger budget and outsourcing to get around the security crisis

A sense of lack of confidence and of not being able to deal with today’s cyber risks is plaguing organizations’ cybersecurity leaders. Some are doubling their budgets and many are investing in new infrastructure, and many are outsourcing more functions than ever before. 

IDG’s Security Priorities 2021 Study highlighted what cybersecurity executives will have as priorities for the next 12 months. First and foremost, they want to be better prepared to react to new incidents of (48%). They are also looking to better protect critical and confidential data (43%) and raise end users’ cybersecurity awareness through training (42%).

Priority may vary depending on the size of the business. For example, for small and medium-sized enterprises (SMBs), increasing security readiness will be more important (53%), as will be training (46%). For large organizations, the top priority will be to upgrade IT and data security capabilities to increase corporate resilience (45% vs. 38% for SMBs). 

These priorities make sense because they address the key challenges security leaders have faced recently that have caused them to redirect time resources. These challenges include unforeseen risks imposed on the business (such as pandemics), awareness training, and a new crop of external threats such as ransomware attacks, not to mention governance and compliance rules that have changed security requirements in many regions (26%). 

To address these priorities, security leaders are evaluating tools that can help mitigate security risks. At the top are Zero Trust solutions, which are currently being researched or tested by 52% of respondents. A share of 21% already uses them, up from 18% reported last year. Another 25% of security leaders say they plan to adopt such solutions in the next 12 months. 

Zero Trust is a concept that opposes the perimeter security model (whose premise is “trust and verify”) and starts from the idea that organizations should eliminate implicit trust in any element, node, or service and establish strict authentication and authorization processes to give users only the necessary access to digital assets, in order to limit the damage if breaches occur. 

Security Orchestration, Automation, and Response (SOAR) solutions are also gaining traction – 49% of respondents are researching or testing this platform that coordinates data produced by a broad set of tools and automates security analysis.  

Almost half (49%) of organizations say they already outsourced or will outsource some IT security functions in the next 12 months. Another 13% say they already outsource or will outsource all security functions in the same period. The focus of outsourcing is on security assessment and audit services (38%), followed by network, endpoint, and cloud monitoring and security analytics (33%). In the coming year, behavioral monitoring and analysis (29%) and security awareness training (27%) have a good chance of moving up the list of outsourced functions. 

Still, 68% of organizations handle the majority of IT security functions in-house. This percentage is not expected to change dramatically by 2022, however, it is lower than the level recorded in 2020 (72%).  

Causes of the current insecurity 

The cause of so much insecurity may lie in the voluminous number of ransomware attacks and zero-day vulnerabilities, coupled with concerns about remote working and the increasing integration between the IT and OT universes of late. 

The IDG study reported this scenario in numbers. Nine out of 10 IT and cybersecurity leaders believe their organizations fall short when it comes to protecting against cyber risks. In response to these threats, they are adopting proactive security strategies, investing in hardware and software to protect sensitive data, and seeking to raise employee awareness through training. In many cases, they are outsourcing security actions – one in five organizations (21%) surveyed said they will have outsourced security functions by 2022. 

These initiatives don’t usually come cheap, so organizations are predicted to increase their security budgets. Small and medium-sized companies are expected to double spending in the next 12 months, reaching an average of US$11 million. For large companies, the average security budget is expected to be $123 million next year. 

The idea of failure to address cyber risks plaguing security leaders is justified, mainly because the causes are internal. The IDG study showed that 44% of security incidents in 2021 involved employees who were victims of phishing or breached security policies. In the previous year, this share was 36%. This growth occurred in spite of training and awareness programs for employees. 

However, employees are not always to blame. Unpatched software and third-party or vendor security flaws are tied as the second leading cause of security incidents (27%), followed by misconfiguration of on-premise or remote services or systems (26%).  

One in five companies surveyed over with zero-day vulnerabilities or breaches in their software supply chains (21%) in the last 12 months. 

The silver lining in this scenario is that 70% of security incidents were detected within the first week, according to respondents’ reports. This percentage ranges slightly downward for large enterprises (63%) and upward for small and medium enterprises (80%).