Cyber security continues its emergence as a focus of IT buyer attention, with big increases in spend predicted in areas such as security awareness training, multifactor authentication, risk and regulatory compliance, and threat detection, according to the TechTarget/Computer Weekly IT Priorities 2022 study.
The annual TechTarget/Computer Weekly IT Priorities study was fielded in September and October, aggregating responses from nearly 275 respondents representing a blend of large and medium-sized enterprises and small businesses from across a wide range of industries in the UK and Ireland.
This time last year, the data reflected the hurried transition to hybrid forms of working in the early stages of the multi-year Covid-19 pandemic. In real terms, this translated to IT leaders shifting their attention from risk management and compliance to end-user training, with many buyers acutely conscious that the bulk of their users were now accessing organisational crown jewels outwith the confines of the secure enterprise network.
Did this trend continue into 2021? And then some; despite the UK government’s entreaties to return to the office, hybrid working remains the norm for millions, and the heightened vulnerability of the remote and hybrid workspace remains a top concern for IT and security leaders.
The headline data suggest that over the next 12 months, security awareness training will be the most popular IT project, bar none, in the UK and Ireland, with 66% planning to spend in this area, followed closely by multifactor authentication, where 51% plan to invest. Data privacy, governance and regulatory compliance (GDPR, CCPA, etc) are on the agenda for 43% of buyers, while threat detection also remains a top concern looking ahead, with 40% planning some investment in this area.
Commenting on the findings, ESET security expert Jake Moore said: “I am instantly relieved to see that people-centric security initiatives are being followed through. Security awareness training may have started on the wrong foot a decade ago, but we have come a long way since the compulsory, monotonous click-through exercises, which often hold no weight in terms of sticking the education to the front of employees’ minds.
“Gamifying learning has far more impact and can resonate with those who even believe they are up to speed and IT savvy. Sessions such as the Cyber Escape Rooms currently being trialled on businesses in London by the Met Police’s Cyber Crime Unit are impressive and shape up a new era of educating staff on all levels of the business.”
Security awareness training
KuppingerCole senior analyst Warwick Ashford agrees the pandemic has certainly driven the continued focus on security awareness training, but adds that there is another factor in play that may prove equally impactful.
“An increased number of organisations have been affected by cyber attacks in the past year, particularly ransomware attacks, and this has in turn resulted in greater mainstream coverage,” he said.
“Organisations are acutely aware of the need to defend against cyber attacks, and many of them realise that it is essential to raise the security awareness of end users, who are routinely targeted by social engineering methods to enable cyber attacks in some way, such as revealing valid user credentials that attackers can use to bypass security controls.”
MFA having its day
Increasing interest in multifactor authentication may be a positive sign that security teams are getting wise to the extent that credential theft and exploitation has become threat actors’ weapon of choice for breaking into target networks.
“It is … encouraging to see that just over half of respondents are planning to implement MFA,” said Ashford. “At the very least, organisations should be using MFA to reduce reliance on username/password combinations.”
ESET’s Moore said the high level of interest in MFA will have ramifications for spend in other areas, such as training. “Making MFA work tirelessly is the key to making the employee transition easy on the move and at home,” he said. “Many people still struggle with MFA and find it an inconvenience, so with more organisations looking at implementing it over the next 12 months, it is important to make sure employees are familiar with the process and understand the importance.
“This can even spill into their home life, where people will start to use authenticator apps and security keys on their personal accounts, too, once the ease outweighs any prior doubts.”
Getting to grips with threat detection
Threat detection is also one of the top investment priorities for the next 12 months, and getting to grips with it may be a challenge for many buyers, said Moore at ESET, who claimed the constantly evolving nature of the threat landscape, and increasing sophistication among threat actors, makes this a tough area to work in.
“The constant cat and mouse game will never be won by the mouse, but the gap can shrink to a manageable distance,” he said. “More remote working has excelled the headache for security teams but has arguably been more controllable than first thought at the start of the pandemic.
“Threat intelligence compounded with better research and shared best practice all help close the gap on malicious entry into systems, but we should never become complacent due to the ever-changing environment. Clever targeted campaigns often come out of nowhere and pull the rug out from underneath businesses in moments. As the number of attacks increases, it remains important to monitor cloud services and detect potential breaches and identify the security gaps before it is too late.”
Up and coming
Buyers are also investigating data loss prevention (36%), risk assessment and visibility tools and services (32%), vulnerability management tools (32%), single sign-on (32%), mobile security (30%), zero trust (30%), privileged identity or account management (30%), threat intel (28%), monitoring software (26%), cloud workload security (26%), security incident and event management (26%), and encryption (26%).
Of these products and services, Ashford at KuppingerCole said that while it is pleasing to see more organisations planning to adopt zero-trust initiatives, interest is, according to the data, “relatively low” compared with other sources – KuppingerCole’s own polling found 76% of buyers thought the pandemic had increased the adoption of zero trust for remote access.
“After a decade of talking about a zero-trust approach to security, now is the time to move towards full implementation because it is more appropriate than ever, and is rapidly gaining support from security suppliers,” he said. “This means it is now easier to implement than ever before, due to the availability of supporting tools and technologies such as micro-segmentation and dynamic authorisation.”
SASE fails to break through
One finding in the survey data that the casual observer may find puzzling, given the relentless focus on it by service providers and suppliers, is that secure access service edge (SASE) is not breaking through with buyers, with only 6% incorporating it into their investment plans for 2022.
“Like most concepts in IT, SASE is not the perfect solution for everything and everyone, and perhaps many organisations are recognising this or are rightly just approaching it with caution, and hence the relatively low levels of investment,” said Ashford at KuppingerCole.
He said an appropriate strategy for assessing SASE – for the time being – is for organisations to analyse their own use cases and requirements to understand how they can be addressed by a particular offering, paying particular attention to the risk of supplier lock-in, and to platform flexibility and adaptability.
“Before adopting SASE, organisations should verify that SASE is a viable solution in their context and evaluate potential alternatives, such as zero-trust, that may be a better overall fit to the organisation’s challenges and issues,” said Ashford.
Also somewhat lower down the list than might be expected are passwordless authentication tools, of interest to 17% of buyers. Ashford described this as surprising, given that the traditional username and password approach is essentially broken at this point.
“Credential theft is one of the top ways attackers gain unauthorised access to corporate networks; organisations should be investing more in passwordless authentication tools to improve security, while at the same time improving the user experience,” said Ashford.
Other security technologies that are failing to get much traction among buyers include application and container security, cited by just 13% of buyers; identity and access management as a service, cited by 11%; zero-trust network access and cloud infrastructure and entitlement management tech, each cited by just 4% of buyers; and extended detection and response tools and services, of interest to a meagre 2%.