Closing the Gaps: How Security Confidence Fell While Budgets Rose

By Insight Solutions

Near the end of 2020, IDG Research carried out an Insight-commissioned survey of more than 200 IT and security leaders. Our goals were to learn how 2020’s challenges impacted corporate security strategies and priorities and to measure current confidence levels in respondents’ enterprise security postures.

The security posture paradox

What we found seemed to be paradoxical: All respondents agreed that boards and executive teams were more focused on the company’s security posture than in the past¹, 96% had increased their cybersecurity budgets in 2020², and most organizations accelerated 5‒6 cybersecurity initiatives³. Yet 78% lack confidence in their IT security postures⁴.

That’s three out of four security leaders indicating that a year defined by increased financial and strategic cybersecurity efforts failed to result in a security stance they could feel confident in. How could confidence rank so low in a year in which nearly all organizations upped their budgets and accelerated so many initiatives?

The pandemic led to shifting priorities

The answer to this seeming paradox lies in the reality that 2020 was an unprecedented year for cybersecurity challenges. Despite best efforts, cybersecurity leaders were limited in the scope of responses they could implement rapidly against such a quickly evolving threatscape.

To get a fuller picture of the reality of the challenges of 2020 and how our respondents handled them, here are some of our other key findings:

  • Respondents agreed that the distributed IT landscape (86%) and transition to a remote workforce (81%) created new IT security challenges for their organizations⁵.
  • Security leaders felt least confident in their organization’s security roadmaps (32%), technology and tools (30%), and internal teams and skill sets (27%)⁶.
  • Companies shifted cybersecurity priorities in response to challenges posed by the pandemic, limiting their focus on security operations and staff expansion and newly prioritizing threat visibility (73%), incident response (70%), network security (68%), endpoint security (67%), app security/DevOps (67%), and malware protection (64%)⁷.
  • Only 57% of businesses conducted a data security risk assessment during the year⁸.

A deeper dive into the data tells us that most security leaders spent the year focused largely on closing immediate security gaps, implementing the security tools and technologies that were easier to deploy. Critical foundational projects and complex, longer-range projects were tabled for a later date.

Beginning the year, organizations had already been grappling with the ramifications of an increasingly distributed IT landscape — as we’ve seen in recent years, Internet of Things (IoT) has skyrocketed, Bring Your Own Device (BYOD) has gained traction, and hybrid and multicloud strategies have grown in popularity. Enter the pandemic’s sudden push for remote work and cloud-based collaboration, and long-term, strategic security plays wound up on pause as organizations essentially spent the year putting out fires.

Rather than being able to expend financial and strategic resources on creating a more confident security posture, organizations had no choice but to leverage what resources they had to address the urgent security concerns arising from an IT environment that was forced to evolve faster than anyone had prepared for.

Still, we saw progress

What may be surprising is that, despite the low confidence levels among IT and security leaders, significant progress was made in integrating cybersecurity efforts across the entire organization. As the IT environment has grown more complex, cross-functional security integration has proven to be a critical effort, but one that many organizations struggle to achieve.

The security concerns of 2020 seemed to press the accelerator on security integrations, with 68% of organizations integrating incident response into companywide business continuity plans⁹, 61% integrating cybersecurity into infrastructure and DevOps decisions¹⁰, and 59% integrating cybersecurity into broader business operations decisions¹¹.

While confidence may still be low, this is a promising and significant step in the right direction that will create a surer foundation for those longer-term, more complex cybersecurity projects still to come.

For more details on how security leaders pivoted in 2020 and what they’re planning for 2021, read the report, "Cybersecurity at a Crossroads: The Insight 2021 Report." And if you’re interested in the full scope of granular detail we gathered from the survey, you can dive into the full survey results here.