Last week Infosecurity explored the immediate impact of COVID-19 on the cybersecurity industry, and what experts felt would be the short-term significance.
It is clear that whilst efforts are being made to contain the coronavirus, there will be a long-term impact upon society, and therefore a long-term impact upon the cybersecurity industry also.
So, having looked at what the short-term consequences could be, Infosecurity now assesses the longer-term impact, and where we could be by the end of 2020.
Ed Williams, director EMEA, SpiderLabs at Trustwave, said that the move towards remote working will need to be reconsidered, as “education of users is key when looking to keep an organization safe” and while he didn’t believe that this will change too much, the focus of that education will probably be specific to remote working.
Another angle for the long-term focus should be on disaster recovery and business continuity, according to Etay Maor, CSO at IntSights, who recommended “having a runbook for this situation.”
So will this be a case of actually being more resilient from lessons learned? Jack Kudale, founder and CEO of Cowbell Cyber, said the longer the crisis, the more likely significant changes will stick in the long run. “COVID-19 is changing the way we engage with work,” he said.
“It will trigger a new wave of innovation and accelerate the deprecation of obsolete technologies. Cybersecurity is highly likely to fall behind again. Cyber insurance will continue to grow as a valid alternative to mitigate loss.”
Infosecurity's previous article addressed the issue of whether this will impact small businesses. Richard Hughes, head of the technical cybersecurity division at A&O Cybersecurity, said smaller startup cybersecurity firms “could be amongst the worst hit by the challenges faced due to COVID-19” due to a lack of an established customer base and repeat business to help weather the storm.
Rick Holland, CISO and VP of Strategy at Digital Shadows, agreed there will be a risk to smaller and emerging firms, but sales revenue and the amount of capital raised should provide some resilience.
Steve Durbin, managing director of the Information Security Forum, added that the traditional way of operating in a crisis is to fall back on trusted suppliers, and this clearly presents a challenge for a new entrant. “That being said, those that are able to sufficiently differentiate themselves through smart marketing interactions that demonstrate value to the target audience will flourish.”
If those with more of a solid business strategy will be those who survive, should we get used to the reality of some businesses not surviving, and work in a more dispersed fashion? Holland admitted that “the world has changed, and this is the new status quo” where remote work and risks associated with this new workforce will not end when the COVID-19 pandemic is over. “We will be more distributed than ever, and this will drive even more zero trust adoption.”
Durbin agreed that “this is the new business normal” and he doubted if we will ever return to the way in which we were working and interacting prior to the pandemic. “Remote working and remote business interactions will identify new opportunities, new ways of working that we would not otherwise have spotted, and I think will also give rise to a number of new ventures that are able to seize the opportunities that will arise.”
This flexibility will enable businesses to change, and David Greene, chief revenue officer at Fortanix, said that this will allow businesses to get the right cybersecurity systems and processes in place if they can, so “we can all be ready for what comes next.”
Another positive could be that businesses will take their business continuity plans seriously, and take the time to revise them, as “many found out they were subpar, really didn’t work and now they needed to figure it out quickly because working remotely, self-quarantining and continuing to be productive would be paramount for many companies to maintain operation,” said John Norden, VP of engineering and CSO at Infocyte.
He believed that the cybersecurity landscape will permanently change when the dust settles, and businesses will take their business continuity planning seriously. “Many will move to a zero trust security model and they’ll embrace a more remote stance on handling security incident response scenarios leveraging security platforms that enable and simplify handling remote scenarios,” he said.
“In many cases, businesses will find that they operate more efficiently from an operating expense standpoint by embracing remote workers; therefore, the corporate security and compliance stance will shift in order to support a more remote workforce.”
So the future looks much like it does now: with a more remote workforce, and businesses finally able to take on industry advice around operating a zero trust environment. Is this going to be part of a wider evolution of technologies? Maor said he believed we will see companies looking to fully utilize the technologies that they currently have, and maximize the value and offering from products and services.
“I don’t think it is only a matter of the company size but rather the value it provides its customers,” he said, saying that companies will need to grow out of their siloed approach and show their value add in the likes of integration to other products in the security stack and providing professional services.
Maor said: “Even before the current situation I heard CISOs talking about consolidation and integration of security offerings – they don’t want analysts sitting in front of eight different product screens and then working on tying the data they analyzed – they want less screens with more capabilities and integrations.”
Theoretically then, in the longer-term we’re looking at a change in the way we work, the way we connect to the network and the way that companies deploy technology to enable those connections. Hughes believed “we will almost certainly see budgets reduced across the board” and some companies with less mature information security programs may well consider that a reduction in their cybersecurity spend would be without consequence, as businesses will be looking to spend in areas where they can expect the greatest returns. “Whilst this is unlikely to be cybersecurity, those tasked with such decisions must consider that although cybersecurity programs rarely increase revenue, they almost certainly protect it.”
Hughes said that currently “we are in a normalizing phase and after ironing out the wrinkles we will be left with what is likely to be the new norm for a while, but this is certainly not all bad.” He said as businesses will face any number of challenges, some unique and some shared, “necessity is the mother of invention and those that are able will adapt.”
Rodney Joffe is SVP and senior technologist and fellow at Neustar, and he admitted that security processes and policies for remote working will need to be part of the permanent plan going forward, especially as attitudes towards work change. “As infosec professionals, we’ll need to be vigilant to remain one step ahead of hackers” and this will involve figuring out improved ways of safeguarding VPNs, ensuring these are fully encrypted, and ensuring employees take precautions, and “educating the workforce on security best practice will be particularly key.”
However, to conclude on a more positive note, Joffe said that from a technical point of view, we’ll come out of this much better. “While businesses may be facing initial challenges now, software will improve and organizations will begin to better understand how their security strategies must change as workforces become increasingly remote,” he said.
“What we’re currently facing will change the world without question, and the infosec industry is no different. It will never go back to where it was before.”
The long-term impact of COVID-19 will affect society, and therefore the cybersecurity industry, with untold consequences. As many have explained, the optimists would suggest that we take measures to overcome and survive this pandemic. Those businesses that take proactive measures to endure it will be in a much better and stronger place in the long term.