The impact of COVID-19 on how CISOs make buying decisions

It’s no secret that the past year has resulted in organizations fast-tracking their digital transformation projects, making drastic changes to their operations while also attempting to prepare for a very uncertain future. To get a sense of the real impact of the pandemic on cyber security, we conducted a wide-ranging survey with UK IT decision makers on their expectations and priorities for the next 12 months.

We found that COVID-19 has not only led to an increase in security spending, but also placed a greater level of strategic importance on strong relationships between businesses and vendors.

Increased attacks are driving up spending

“When, not if” has been a common mantra regarding cyberattacks for some time, and the inevitability of suffering an attack was more apparent than ever in 2020. Three quarters of respondents told us they had been attacked at least once this year and one in five were hit more than five times.

Against this increasingly hostile threat landscape, CISOs are under mounting pressure to equip their organizations with the tools and skills required to identify and defend against incoming attacks and mitigate the impact of those that slip through.

Most businesses told us they are planning to increase their IT security budgets over the next year, with more than a third saying increases will be between six and ten percent. Notably, 13 percent said that budget increases were in direct response to the new challenges of the pandemic.

Security around remote working is particularly important as firms continue to adapt to remote workforces. After the madcap dash in March, CISOs have had time to implement more long-term strategies to keep remote staff secure, and this will continue to be a priority into 2021.

Optimizing defense investments

While security budgets have increased, it is imperative that organizations maximize the value of their spend and invest in the right solutions for their risk profile. They will need to conduct thorough analyses of their most pressing security needs and research the plethora of options to assemble the most robust defense possible.

Preventing data breaches was the biggest priority highlighted by respondents for the 12 months ahead, narrowly followed by defending against malware and phishing attacks.

Given the increasing range of attack strategies and tools used by threat actors, there is an increased emphasis on tools that can cover more ground. Endpoint Detection and Response (EDR) has emerged as one of the most popular solutions due to its ability to identify a range of attack behaviors. More than half of the CISOs and other IT security decision makers responding to our research indicated that EDR was a purchasing priority.

The importance of trust and flexibility

Investing in effective security skills and technology is often only half the answer. The way services and solutions are delivered is also increasingly important, particularly when it comes to the uncertain economic environment created by the pandemic.

Accordingly, our research showed that the vast majority of businesses prefer to pay for security products and services on a monthly basis, rather than annually. More than a quarter also favor flexible contracts wherever possible. This flexibility makes it easier for firms to ramp up or scale back their investments and activity as the economic and threat landscapes continue to shift.

Flexibility and clear, fair contracts were particularly important elements for those businesses buying their solutions through service providers and resellers. Trust was also cited as an important factor when selecting an external specialist to help protect essential IT systems. Without a solid foundation of trust, the relationship can quickly fall apart.

In-house security management was still the most popular approach for most organizations, and more than half of respondents maintained their own cyber security personnel. This trend reverses for firms with under 200 employees, however: smaller businesses are generally unable to budget for the expense of dedicated, full-time security specialists, and were much more likely to work with managed security service providers (MSSPs) for their essential security needs.

Investing in security service providers as strategic partners

While most larger firms still prefer to manage their security in-house, the value of relationships with outsourced security providers – and their importance as trusted partners – was also highlighted in the research. Over 80 percent of respondents that worked with an IT service provider or reseller stated they viewed them as a key or strategic partner.

Outsourcing security not only provides access to the latest in security solutions but also, perhaps more importantly, the skills and expertise of qualified security personnel.

Financially, cybersecurity salaries and in-house operations are costly, meaning outsourcing is a more efficient way to meet a business's security obligations.

This strategic relationship goes beyond simply identifying and mitigating cyber threats, as security providers can also act as trusted advisors. A good security partner will use their industry experience to provide valuable insight in shaping the company’s security strategy and investments, helping to ensure that future purchases are the best match for the company’s security priorities.

With the future still full of uncertainty, investing in strong relationships and trusted partners can often be as important as buying the latest security solutions.
