CISOs face a whole new budget world this year

It’s budget season for many CISOs, and cybersecurity investment for 2021 looks a lot different than it did a year ago. In late 2019, organizations were focused on rationalizing infrastructure, optimizing spend, and automating for efficiency. Fast forward to today and the COVID-19 pandemic has drastically changed our priority list.

The widespread and immediate work-from-home requirement caused companies everywhere to engage in emergency digital transformation projects. In fact, the 2020 Flexera State of the Cloud Report found that because of the pandemic, more than half of the companies polled expect higher cloud usage than initially planned.

Because of this abrupt change in operating model and the forced digital transformations that followed, the No. 1 priority for CISOs has become building cyber resilience. This means migrating to the cloud, enforcing cloud security, and enabling a “work from anywhere” workforce. We’ll see this play out in 2021 cybersecurity budgets, with companies investing in three distinct areas:

  • DevSecOps.

Developers are deploying containers as fast as they can in their mad rush to the cloud, making Kubernetes the standard DevOps container-orchestration platform. While this benefits organizations from an operations perspective, it’s also introducing a new set of security challenges.

First, developers now run on “cloud time,” deploying at near-instantaneous speed, and they don’t want security teams to slow them down by several weeks to implement the proper controls. They often push their applications to the cloud as quickly as possible, leaving security as an afterthought. But this is like an automobile manufacturer putting a new car on the market without first adding the proper safety features, such as airbags, seat belts and antilock brakes. This “deploy now, secure later” mentality escalates enterprise risk, and it also increases friction between DevOps and security teams.

Second, Kubernetes and containers are still relatively new technologies, and many companies don’t have the in-house expertise to secure them effectively. The lack of Kubernetes skills (and cloud security skills in general) hampers the migration of IT systems to the cloud. If cloud assets aren’t properly secured, the risk of moving them becomes far greater than the reward. The Kubernetes trend has also accelerated the adoption of DevSecOps, where security personnel are integrated with DevOps teams, just like safety engineers are integrated into the automobile design process.

To combat these challenges, we’ll see CISOs invest in DevSecOps tools and processes that make security teams part of the DevOps workflow from the start, so that the proper controls are implemented throughout the application development cycle rather than bolted on after deployment. They will also invest in cloud experts to obtain the architecture, migration and security expertise required to execute and secure digital transformation projects.
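One concrete form those “proper controls” take is a policy check that runs in the CI pipeline before a manifest reaches the cluster, so a privileged or root-running container is rejected in seconds instead of being found weeks later. The following is an added illustration, not code from the article or from Optiv: it assumes manifests are supplied as JSON (which kubectl accepts alongside YAML), and the rule set is a small, common baseline chosen for the example rather than any vendor’s product or the Pod Security Standards verbatim. The two sample manifests are constructed.

```python
"""Pre-deploy policy check for Kubernetes workload manifests (added example).

Assumptions (not from the article): manifests arrive as JSON; the checks below
are a common hardening baseline chosen for illustration, not a complete standard.
"""
import json


def pod_spec(manifest):
    """Return the Pod spec from a bare Pod or from a workload controller's template."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    # Deployment / StatefulSet / DaemonSet / Job all wrap a Pod template.
    return spec.get("template", {}).get("spec", {})


def check_manifest(manifest):
    """Return a list of findings ('<container>: problem'); an empty list means it passes."""
    findings = []
    spec = pod_spec(manifest)
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork shares the node's network namespace")
    if spec.get("hostPID"):
        findings.append("pod: hostPID exposes node processes")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        # Pinned means a tag or digest is present and the tag is not 'latest'.
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(f"{name}: image '{image}' is not pinned to an immutable tag or digest")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # A container-level setting overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot is not set")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation defaults to true")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: Linux capabilities are not dropped")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits (noisy-neighbour / DoS risk)")
    return findings


def ci_gate(manifests):
    """Exit code for a pipeline step: 0 if every manifest passes, 1 otherwise."""
    failed = False
    for m in manifests:
        findings = check_manifest(m)
        if findings:
            failed = True
            print(f"FAIL {m.get('metadata', {}).get('name', '<unnamed>')}")
            for f in findings:
                print("  -", f)
    return 1 if failed else 0


# Constructed sample: what "deploy now, secure later" typically looks like.
RUSHED = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "api"},
 "spec": {"template": {"spec": {
   "hostNetwork": true,
   "containers": [{"name": "api", "image": "registry.example.internal/api:latest",
                   "securityContext": {"privileged": true}}]}}}}
""")

# Constructed sample: the same workload after the controls are applied.
HARDENED = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "api"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsNonRoot": true},
   "containers": [{"name": "api",
                   "image": "registry.example.internal/api@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                   "securityContext": {"allowPrivilegeEscalation": false,
                                       "readOnlyRootFilesystem": true,
                                       "capabilities": {"drop": ["ALL"]}},
                   "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}
""")

if __name__ == "__main__":
    raise SystemExit(ci_gate([RUSHED, HARDENED]))
```

Run as a pipeline step, the non-zero exit code fails the build for the rushed manifest while the hardened one passes untouched; the same rules can later be enforced server-side by an admission controller so the gate cannot be bypassed by deploying around the pipeline.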

  • Secure Access Service Edge (SASE).

A concept coined by Gartner in its August 2019 report “The Future of Network Security Is in the Cloud,” Secure Access Service Edge (SASE) is an emerging offering that combines comprehensive WAN capabilities with network security functions (secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS) and zero trust network access (ZTNA)) to support the dynamic secure access needs of digital enterprises. In simple terms, SASE converges networking and security functions and delivers both from the edge, granting access based on the identity of the user or device rather than on a location such as a data center.

In the post-COVID “work from anywhere” world, it’s exactly what companies need. Wide-scale work-from-home programs have caused companies’ attack surfaces to expand dramatically. Employees now work on a number of devices connected to their home or commercial guest networks, and data and cloud access have gone with them. Teams can no longer confine their security strategies to a known user in a known place; they need to extend to the edge of the enterprise and validate every endpoint and access attempt. SASE brings access security out to the edge, wherever that edge exists.
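The shift from “known user in a known place” to validating every access attempt is easiest to see as two policy functions side by side. The code below is an added illustration, not code from the article, Optiv or any SASE vendor: the corporate IP range, the device-posture fields, the entitlement table and the three access attempts are all constructed for the example. It shows why a location-based rule both locks out a legitimate home worker and admits stolen credentials used from inside the office, while a per-request identity-and-device decision gets both right and produces an explainable reason for the access log.

```python
"""Location-based versus identity- and device-based access decisions (added example).

Everything here is constructed for illustration: the office IP range, the posture
checks, the entitlement table and the sample access requests are assumptions.
"""
from dataclasses import dataclass, field
import ipaddress

CORPORATE_RANGE = ipaddress.ip_network("10.0.0.0/8")  # assumed office address range
MAX_PATCH_AGE_DAYS = 30                                # assumed posture threshold

# Which identity groups are entitled to which applications (constructed).
ENTITLEMENTS = {
    "payroll": {"finance"},
    "wiki": {"finance", "engineering", "contractors"},
    "prod-admin": {"sre"},
}


@dataclass
class AccessRequest:
    user: str
    app: str
    src_ip: str
    mfa_verified: bool        # identity signal
    device_managed: bool      # device signals
    disk_encrypted: bool
    os_patch_age_days: int
    group_memberships: set = field(default_factory=set)


def perimeter_decision(req):
    """Legacy model: trust is a function of where the packet came from."""
    return ipaddress.ip_address(req.src_ip) in CORPORATE_RANGE


def zero_trust_decision(req):
    """Per-request model: who is asking, on what device, for which application.

    Returns (allowed, reason) so every denial is explainable in the access log.
    """
    if not req.mfa_verified:
        return False, "identity not strongly verified (no MFA)"
    if not req.device_managed:
        return False, "unmanaged device"
    if not req.disk_encrypted:
        return False, "device posture: disk not encrypted"
    if req.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        return False, f"device posture: OS patches older than {MAX_PATCH_AGE_DAYS} days"
    if not (req.group_memberships & ENTITLEMENTS.get(req.app, set())):
        return False, f"no entitlement to {req.app}"
    return True, "identity, device posture and entitlement all satisfied"


# Constructed access attempts.
HOME_WORKER = AccessRequest("alice", "payroll", "203.0.113.7", True, True, True, 5, {"finance"})
STOLEN_CREDS_IN_OFFICE = AccessRequest("bob", "payroll", "10.20.30.40", False, False, False, 200, set())
GUEST_NETWORK_STALE_LAPTOP = AccessRequest("carol", "wiki", "198.51.100.9", True, True, True, 90, {"engineering"})

if __name__ == "__main__":
    for req in (HOME_WORKER, STOLEN_CREDS_IN_OFFICE, GUEST_NETWORK_STALE_LAPTOP):
        print(req.user, req.app,
              "perimeter:", "allow" if perimeter_decision(req) else "deny",
              "| zero-trust:", zero_trust_decision(req))
```

The posture checks here are deliberately simple; a real ZTNA broker takes them from an endpoint agent or MDM and re-evaluates them continuously, not only at login.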

Because of this new way of working, we’ll likely see a much broader and faster SASE adoption rate than the one Gartner predicted pre-COVID, when it forecast that by 2024 at least 40 percent of enterprises will have explicit strategies to adopt SASE.

  • Cybersecurity training.

The work-from-home transition has also caused organizations to increase investment in cybersecurity awareness training. Once a compliance “checklist” item, awareness training will become a core cybersecurity competency in today’s “work from anywhere” enterprise.

COVID-19 has driven up the number of phishing and other social engineering attacks. A recent survey by GreatHorn found that companies experience 1,185 phishing threats every month on average, and people remain every company’s weakest link.

Work-from-home employees no longer have the comfort of an IT team in the cubicle around the corner. They are on their own and need to stay self-sufficient and confident when it comes to cybersecurity. Think of security education, training and awareness (SETA) as a company’s first line of defense against attackers; CISOs need to invest both budget and time accordingly.

The transition to remote work and the acceleration of digital transformation were both prompted by COVID-19, but these trends will stay with us long after the pandemic ends. As such, CISOs will invest in DevSecOps, SASE and SETA in 2021 and beyond.

Todd Weber, chief technology officer, Optiv Security
