Remote working exploded into the consciousness of every networking professional back in March, as huge numbers of staff began working from home almost overnight. For some organizations, that meant vastly more remote workers than normal, but for others it was the first time that anyone had been allowed to work from home for any significant length of time.
That's had a huge impact on security spending as IT departments have rushed to secure these remote workers. What's more, this COVID-19-related spending is unlikely to abate anytime soon. That's because security is ultimately an exercise in risk management, and spending has to be prioritized so as to bring the big risks associated with home working down to acceptable levels. According to management consultancy McKinsey, home workers' security will remain a priority at least until the end of the year and perhaps well into the first half of 2020.
IT budgets shift toward network security - as revenue falls
That money will likely be spent on security basics like rolling out multi-factor authentication to provide strong network and application authentication for remote workers, as well as increasing VPN capacity.
But here's the problem. Most companies' revenues and profits have taken a hit – often a severe one – thanks to the pandemic, and that means that budgets are under pressure. When that happens, the security budget is often the first to be cut. "Like other segments of IT, we expect security will be negatively impacted by the COVID-19 crisis," says Lawrence Pingree, managing vice president at Gartner.
If security budgets are cut, and spending on securing home workers continues, then there's only one possible outcome: spending on other security-related activities is going to have to be cut.
The obvious areas which look like tempting candidates for budget cutting include governance and compliance, although doing so could lead to all kinds of trouble in the future. Perhaps more tempting areas to cut include advanced long term security projects around security orchestration, automation and response (SOAR) systems, behavioral analytics, and AI-assisted detection systems. And according to Gartner, spending on more familiar networking security equipment including firewall equipment and intrusion detection and prevention systems (IDPS) will be most severely impacted by spending cuts this year.
And therein lies the bigger problem. The pandemic has led to spending on securing remote workers being prioritized, because that's where the biggest risk is. But let's not forget that the old security risks haven't gone away. Hackers are attracted to wherever the biggest opportunities are, and once remote workers are no longer the easy targets that they may have been for the past few months, the hackers will circle back to corporate networks.
That means IT departments need bigger budgets, not smaller ones, if they are to continue to prioritize pandemic-related spending while controlling all the other security risks at manageable levels.
Of course COVID-19 might disappear overnight – as if by magic – and this security problem will disappear. But reality suggests that securing an adequate network security budget should be a priority for every CIO and CISO.