Although the global economy faces troubled times, we can expect no pause in cyber threats and attacks, so CISOs must direct investment towards technologies to protect customer-facing and revenue-generating workloads, and should consider increasing or defending their investment in critical applications and cloud security, zero-trust technology and operations during 2023, according to analyst house Forrester’s Planning guide 2023: security and risk.
The Security and risk guide is part of a wider series of 2023 investment forecasts produced by Forrester, which collectively suggest IT buyers and business leaders who plan for “business as usual” modest spending increases in 2023 will find themselves falling short, and in a turbulent global economy, advises that a more disciplined and precise approach will be needed to planning in order to “trim waste, experiment, and make bold, smart investments”.
“Leaders are faced with navigating a tumultuous business landscape defined by global unrest, supply chain instability and soaring inflation, as well as the ongoing aftermath of the pandemic,” said Sharyn Leaver, chief research officer at Forrester. “Tackling 2023 budget planning is a daunting task.”
Maxim Merritt, vice-president and research director at Forrester, said the surge in breaches, ransomware, legislation and third-party requirements since 2017 has already forced executives beyond the confines of the security function to recognise how important comprehensive cyber controls really are, which has led to an increase in budget and high demand for compliance and security pros at all levels of the organisation.
But as CISOs have become more relevant, they have also begun to face more challenges, such as a growing and unwieldy list of potential technologies and suppliers, staff and skills shortages, and extensive work and customisation to integrate security solutions appropriately.
This year and next, the macroeconomic headwinds mean CISOs will be under pressure to prioritise technologies that generate optimum value and will have their budgets scrutinised more closely.
Forrester is recommending CISOs to channel investment into these key areas of security technology:
- API security, increasingly the de facto approach to modern development, enabling organisations to build new business models and engagement methods, but prone to breaches due to unprotected APIs and API endpoints.
- Bot management, actively profiling incoming traffic to determine intent and protect from malicious bots – which comprised 25.6% of internet traffic in 2020 – by delaying, misdirecting or blocking them.
- Industrial control system (ICS) and operational technology (OT) threat intelligence, which is becoming a non-negotiable buy for organisations working in sectors such as energy, manufacturing, utilities or transport.
- Cloud workload, container and serverless security to protect the compute, storage and network configurations of cloud workloads in infrastructure- and platform-as-a-service (IaaS/Paas) environments. This market is still immature and a challenge to address.
- Multifactor authentication (MFA) or even passwordless authentication, one of the quickest and cheapest ways to align security strategies around zero-trust principles.
- Zero-trust network access (ZTNA), a more appropriate and agile solution to secure remote workers in a post-pandemic world than the traditional VPN.
- Security analytics platforms, to replace legacy rules-based security information and event management (SIEM) offerings that are too easily overwhelmed by the rapidly evolving threat landscape.
- Crisis simulations and purple teaming.
Forrester’s report goes on to suggest that CISOs may wish to consider evaluating and running proofs of concept (PoCs) in the following areas:
Areas to consider reducing or avoiding investment in include:
- Standalone data loss prevention (DLP), as this is increasingly a feature capability in email security and cloud security gateways, security suites, and platforms such as Office 365, making it easier to acquire and enable as part of a broader approach.
- Standalone security user behaviour analytics (SUBA), most of which have similarly been assimilated or evolved into various services platforms alongside DLP.
- Generalised managed security services providers (MSSPs), the capabilities of which can be focused better by shifting investment to dedicated managed detection and response (MDR) or security operations centre-as-a-service (SOCaaS) providers.
- Indicator of compromise (IoC) feeds, which, again, are increasingly baked into other enterprise security controls.
- Legacy, on-prem network security technology, such as standalone web gateways and network access control (NAC) – save for in specific IoT/ICS/OT use cases. Next generation firewalls (NGFWs) and ZTNA, combined with software-defined perimeters, are more powerful and integrated.