Keri Lewis is a CISO in a major FSI company. He distills his years of experience into giving us some predictions for what effect COVID-19 will have on security. Please note that the views in this article are those of the author, and are not intended to represent the company that the author is employed by.

What is clear is that there will be significant changes for all organisations. Additional pressure for working from home and flexibility is here to stay, and this brings major challenges that are much discussed in the realm of complexity and in the increase in attack surface that the “multi-hybrid-cloud, work from home every piece of data accessible from anywhere” scenarios in the press at the moment. I’d like to apply a different filter.. here’s the headline.

“Post COVID Recession leads to an investment crunch”

Most of the predictions for the economy post-COVID are for a dramatic contraction. There is high likelihood that a lot of companies are going to be in a tough financial position. This means that the focus of the business management will be getting back to a position of financial stability. There may be delayed tax bills, rent arrears, customers to reacquire and so forth.

How will that impact a CISO or CIO? How best to “play the game” and get the company through that transition. I’d like to pick three themes, and make some obvious predictions.. well I’d like the predictions to be right.. so they would need to be obvious, but it’s not going to be a smooth road to tech-nirvana.

Business Case Alignment

Budgets for investment will need to align to these new realities, any business case will have to readjust to the tighter purse strings. Clear benefit will be needed to be shown in cost-saving or in enabling a specific business objective through process or technology. In the reality of an organisation under budget stress, the temptation to cut back is often more appealing than the need to invest. Similarly, given the “we loosened a bunch of controls and nothing bad happened” arguments that are commonplace, the risk appetite of organisations may shift to tolerating higher risks.. at least until there is a high-profile breach.

Predictions

• Cost-savings and short-term investment window – if it costs new money it needs this year payback.. a lot of inhouse scripts etc. as quick payback

• Short-term loosening of risk appetite statements with higher potential for “CISO defenestration” due to looser controls. “It was OK during COVID” being the excuse

• Operational Resilience – how to survive a shock – will be the key to IT and Security in the short-term

Supplier Consolidation

The Post-COVID period will be tough for the smaller suppliers. The basic economics of the cost of a sales team mean that the larger companies will run lower overheads per unit of sale. From the buyer’s side, there will be pressure to ensure few vendors are added as each vendor has a set of costs in contracts, vendor management and procurement cycle etc. Fewer, bigger relationships is a likely strategy for discount leverage and lower cost per procurement unit.

Predictions

• “New and Shiny” loses out to “part-of-a-suite” – a chance for “nearly as good” to win

• Tough times for niche-players/specialists that don’t have strong implementation partners on existing corporate supplier lists

• SAAS – but at added complexity and attack surface risk instead of project risk

Automation and Orchestration will grow in importance

With a resource crunch, and the purported skills shortage in Security, getting the routine tasks out of the way with minimum effort becomes more and more important. Whether this is simple scripting, individual tools or mass orchestration through suites of products, the ability to drive out cost through automation becomes more important. It is also an opportunity to allow team members to “get rid of” the boring bits of their jobs by doing well documented automations.

Predictions

• Increase in “BAU projects” to refine automation for efficiency

• Effort on test/patch-remediate cycle becoming faster and more streamlined

• Linking of hybrid environments more pressing – avoiding the gaps between the systems