The early phases of the COVID-19 pandemic had a positive impact on the cybersecurity profession, raising the profile of chief information security officers and others within their organizations, and giving them a new sense that their work and expertise were appreciated.
“The overall implication will be that cybersecurity is valued at a higher level and has a better voice within the overall organization,” said one CISO.
While the study, developed by CRA Business Intelligence and published in summer 2020, offered other more sobering perspectives on the profession at peak pandemic — including elevated levels of stress and burnout — it also stands as a powerful reminder of cybersecurity professionals’ emerging role as the business world’s quintessential crisis managers. The full report can be found here.
In the weeks after COVID-19 was declared a pandemic in the U.S., a consensus quickly emerged that the outbreak had significantly raised the global community’s cyber risk profile — by forcing a massive shift to less-secure home-based workforces, sparking a rise in exploits that preyed on pandemic-related fears and emotions, and expanding attack surfaces in sectors like healthcare, banking and food distribution.
CRA’s research looked beyond the pandemic threat landscape, focusing instead on its many significant implications for cybersecurity as a profession and organizational function. And it offered recommendations to security professionals hoping to seize the moment.
The study, “The Pandemic as Catalyst for Change,” is based on a survey of some 280 cybersecurity professionals, completed in June 2020. Respondents, 77% of whom were located in North America, represent a cross-section of the profession, including large (49%), medium (29%) and small companies (23%), and a broad selection of industries, such as IT/technology, services, financial services, education, government, manufacturing and healthcare. It also analyzes cybersecurity strategies by industry and examines how organizations’ pre-pandemic security stances affected their responses and outcomes.
The report’s key findings include:
- Cyber professionals say they are newly appreciated and valued by their organizations owing to their work in the pandemic — countering the profession’s long-held sense of its marginalization, and even disregard, by leaders and others in their organizations.
- The pandemic’s broad impact across the U.S. and the world exposed sharp differences in preparedness and performance that map to specific organizational attributes. These include differences among industry sectors. Among other things, governments and universities lagged, while financial services excelled.
- In considering next steps for managing IT security post-pandemic, organizations uniformly asserted a strong bias to action but paradoxically said they did not expect to increase spending or hiring.
- The pandemic did little to repair the disconnect between business executives and technology professionals about how to manage cyber risk at their organizations, with the former projecting more optimism than the latter perceive in the trenches.
- Organizations reported shifting priorities to develop new pandemic-specific cybersecurity preparedness and disaster recovery plans — but expressed low confidence that measures would be effective.
Two-thirds of respondents said the pandemic positively affected their organizations’ perception of the cybersecurity function. “This was a wake-up call to management to ensure the institution has a well-thought-out pandemic and cybersecurity plan and capabilities to support it,” said an executive-level manager.
The study also tapped into skepticism. Only 36% of respondents said they believed their work would change as a result of the pandemic. Meanwhile, the intense challenges of supporting remote work, with its greater vulnerabilities and increased attacks, clearly took their toll: 47% of respondents reported an increase in stress and burnout. And there was also concern that the increased emphasis on cybersecurity, while generally positive, would result in more responsibilities being placed on these teams — without additional resources to carry them out.
Asked whether their organizations were likely to invest additional resources in the next six months (or had already done so), only 29% of respondents anticipated increased spending on cybersecurity. When asked specifically about additional cybersecurity employees, 17% anticipated a staff increase, and 52% said new hires were not on the table, rising to 76% for small organizations.
Despite the elevated profile cybersecurity has attained, the pandemic did not manage to bridge the traditional gap between business and technology leaders. “It should raise awareness and bring at least a short-term plus to the industry,” said a cybersecurity professional at a government organization. “Long-term, something else will come along and grab the attention, or budget cutbacks — maybe because of the pandemic — will take hold.”
Although 41% of business leaders strongly believed their organizations deployed advanced or proven security best practices during the pandemic, for instance, only 25% of IT and security respondents agreed.