Survey
methodology
and
respondent
profiles
The
results
in
this
report
are
from
the
Cyber
Security
Hub
survey
which
we
fielded
to
subscribers
from
May
and
June
2020
to
benchmark
actual
results
from
H1
2020
vs.
expectations
for
H2
2020.
A
balanced
representation
of
the
enterprise
cyber
security
mindset,
the
largest
segment
of
survey
respondents
(41
percent)
describes
their
job
function
as
cyber
security.
The
next
largest
segment
is
IT
at
(27
percent)
followed
by
corporate
management
at
(9
percent).
Qualified
respondents
were
truly
cross
industry
coming
from
automotive,
education,
financial
services,
government,
healthcare/life
science,
manufacturing,
media/telecommunications,
retail/consumer
packaged
goods
(CPG),
technology,
travel/hospitality
and
utilities/oil
and
gas/energy.
Pandemic
dynamic
There
were
potentially
alarming
responses
to
our
global
pandemic
related
questions
in
this
mid-year
survey.
When
asked
“Has
your
approach
to
security
changed
as
a
result
of
the
global
pandemic
and
an
increasingly
remote
workforce?”
40
percent
said
no.
Has
your
approach
to
security
changed
as
a
result
of
the
global
pandemic
and
an
increasingly
remote
workforce?
Roughly
two
in
five
cyber
security
organizations
have
not
changed
their
approach
to
security
as
a
result
of
the
global
pandemic.
Such
a
large
percentage
of
the
CISO
community
not
having
changed
their
approach
to
cyber
security
as
a
result
of
the
global
pandemic
that
has
hurdled
us
all
into
a
new
workforce
infrastructure
is
truly
concerning.
How
the
cyber
security
landscape
has
changed
due
to
the
pandemic:
-
Network
infrastructure
use
has
changed -
Endpoints
have
changed -
Access
management
has
changed -
Collaboration
tools
have
changed -
The
concept
of
insider
threat
has
changed -
Enterprise
cloud
infrastructure
has
changed-
no
matter
where
you
were
in
your
cloud
migration -
Data
in
transit
has
changed -
Myriad
threat
vectors
have
changed -
Vulnerability
management
has
changed -
Cybercriminal
attacks
have
changed
Why
did
40
percent
of
the
cyber
security
community
not
change
their
approach?
In
addition
to
an
inert
mindset
change
from
a
significant
portion
of
the
community,
the
reduction
in
staff
due
to
financial
pressures
on
companies
during
the
pandemic
was
similarly
concerning.
A
past
potential
insider
threat
now
had
the
potential
to
become
a
nefarious
external
threat.
Has
your
IT/Security
staff
been
reduced
as
a
result
of
the
global
pandemic?
As
reported
on
Cyber
Security
Hub in
Why
Is
Top
Cyber
Security
Talent
Suddenly
In
Flight,
when
asked
about
the
19
percent
unemployed
DevOps/DevSecOps
community
Parag
Deodhar,
director
of
information
security,
Asia
Pacific
for
VF
Corporation
noted:
“when
people
do
not
have
access
to
enough
money,
food
or
resources,
there
will
be
more
actors
coming
up”.
Deodhar
explained
also
that
the
pandemic
has
expanded
the
threat
landscape,
meaning
that
“not
only
were
folks
pushed
[towards
cyber
crime],
but
also,
the
landscape
open[ed]
up
for
folks
as
well.”
Jamal
Hartenstein,
who
has
worked
with
the
department
of
defense
on
military
bases
as
a
part
of
joint
task
forces
and
has
experience
with
every
branch
of
service,
notes
that
there
was
industry
realization
that
organizations
needed
to
be
more
proactive
and
better
focus
on
detection
and
that
the
global
pandemic
has
accelerated
that
focus.
When
asked
what
about
his
perception,
he
explains
that,
“if
you
do
not
increase
your
security
measures,
you
have
exponentially
just
multiplied
in
magnitudes
the
risk
based
on
all
the
threat
and
vulnerability
and
risk.”
Changing
cyber
security
mindset
We
asked
survey
respondents
to
share
how
their
cyber
security
approach
was
changing.
Here
is
a
sample
of
their
responses:
-
Fully
remote
working
cyber
security
teams -
Implementing
a
zero-trust
network
strategy
to
provide
scalability
and
flexibility
whilst
improving
network
security -
Adding
contractors
and
outsourcing -
Rethinking
cyber
security
strategy
through
the
context
of
the
pandemic -
Adjusting
to
changes
in
environment,
operations
and
business -
Constantly
monitoring
all
situations
to
better
understand
the
the
issues
and
concerns -
Introducing
awareness
programs,
online
trainings
and
increased
system
auditing -
Changed
training
and
awareness
program
to
cater
for
changes
in
workforce
practices,
e.g.
remote
working -
Focusing
on
what
is
needed
to
support
remote
working
employes
and
ensuring
that
employees
have
safety
in
front
of
mind
when
returning
to
the
office -
Making
adjustments
for
the
fact
most
endpoints
are
now
remote
to
ensure
that
they
remain
secure -
An
increased
focus
more
messaging
and
content
that
will
resonate
better
with
a
remote
workforce-emphasize
security
controls
that
protect
remote
workers
and
mobile -
Increasing
security
for
both
mobile
and
critical
infrastructure -
Increased
use
of
multi-factor
authentication -
Greater
emphasis
on
cloud-based
protection
to
accommodate
home-based
workers -
Working
to
combat
the
increased
difficultly
in
quickly
identifying
and
mitigating
issues
remotely -
More
expertise
and
focus
on
DevSecOps -
Increased
use
of
automation
to
detect
changes
to
controls.
This
means
we
are
automatically
being
notified
of
the
change,
responding
to
and
addressing
the
incident,
analyzing
itand
rectifying
the
control(s). -
Streamlining
the
operational
cost
of
IT
to
remove
unnecessary
spending
and
services
that
are
not
being
used -
More
user
training
and
simulated
phishing
campaigns -
Proactively
monitoring
threats
and
regular
updating
our
security
strategy
to
combat
new
challenges -
More
stringent
compliance
with
regards
to
minimum
security
requirements
to
prevent
data
leakage -
Decreasing
the
time
taken
to
follow
through
on
incident
reports
from
security
and
threat
intelligence
tools
In
2021,
40
percent
of
the
cyber
security
community
said
they
had
not
changed
their
mindset
in
the
face
of
the
global
pandemic,
while
20
percent
of
top
cyber
security
talent
was
made
redundant.
With
this
in
mind,
it
was
unsurprising
that
67
percent
of
the
cyber
security
community
reported
their
budgets
were
decreasing
or
staying
the
same.
May
2019-June
2020
cyber
security
budget
reported
as
decreasing
or
staying
the
same
While
over
two
thirds
of
cyber
security
professionals
noted
their
budget
was
staying
the
same
or
decreasing
in
July
2020,
just
one
year
ago
59
percent
reported
an
increase
in
budget
in
the
Mid-Year
Market
repor
2019.
This
means
the
pandemic
had
a
significant
impact
on
cyber
security
spend.
In
the
wake
of
the
global
pandemic
with
attacks
on
the
rise,
it
would
be
expected
that
cyber
security
budgets
would
increase
to
combat
this.
Those
in
the
cyber
security
community,
however,
disagree
with
62
percent
expecting
budgets
will
decrease
or
stay
the
same.
May
2019-June
2020
planned
cyber
security
budget
increase
in
the
next
6
months
State
of
affairs
Overall
state
Do
you
feel
as
though
the
overall
state
of
cyber
security,
meaning
resiliency,
compliance,
awareness,
etc.,
is
improving?
Taking
a
step
back
shows
that
the
industry
feels
that
things
are
positive
and
getting
better.
When
asked
“Do
you
feel
as
though
the
overall
state
of
cyber
security,
meaning
resiliency,
compliance,
awareness,
etc.,
is
improving?”
84
percent
said
‘yes’.
Threat
vectors
What
is
the
most
dangerous
threat
vector,
in
your
opinion?
Security
issues
Most
security
issues
at
my
organization
are
caused
by…
The
top
three
areas
of
focus
for
respondents
during
the
pandemic
were
security
awareness,
detection
and
incident
response
and
access
controls,
inkeeping
with
the
results
of
the
last
three
Cyber
Security
Hub
surveys.
Just
outside
of
that
group
is
elevating
cyber
security
with
top-level
management,
a
topic
that
was
similarly
highlighted
over
the
previous
two
surveys.
As
a
majority
of
cyber
security
budgets
had
not
yet
shifted
in
the
face
of
a
momentous
societal
occurrence,
how
money
is
spent
became
all
the
more
important.
Endpoint
security
went
from
the
fifth
highest
to
the
second
highest
spend
in
the
from
November
2019
to
June
2020,
most
likely
as
a
response
to
employees
working
from
home
and
therefore
increasing
the
chance
of
an
endpoint
being
used
as
a
vector
for
attack.
Solution
priority
Last
six
months
Which
solutions
have
been
the
biggest
priorities
for
you
in
the
last
6
months?
While
compliance
priority
decreased
17
percent
from
2019
to
2020,
this
may
be
because
those
in
cyber
security
had
finished
making
the
inital
major
chanegs
needed
to
comply
with
GDPR.
The
9
percent
increase
in
SIEM
focus
showed
that
the
community
was
looking
to
further
adopt
automation
tools,
potential
due
to
the
decrease
in
workforce
and
need
to
streamline
cyber
security.
Executive
Q&A
Expert
perspective
from
Sam
McLane,
head
of
security
engineering
at
Arctic
Wolf
What
are
your
thoughts
on
the
top
threat
vector
being
email?
Whether
it
is
cloud
or
devices
perimeter,
there
is
a
level
to
which
a
human
element
can
make
them
fail
but
it
is
rare.
Generally,
people
who
play
with
firewalls
tend
to
be
security
savvy.
So,
if
they
make
a
mistake,
for
example
opening
up
a
hole
for
a
vendor
or
for
an
audit
and
then
not
shutting
it
down,
that
is
generally
when
they
are
overworked.
Corporate
email
and
personal
email
relies
on
common
security
awareness
and
intelligence,
and
the
lowest
common
denominator
usually
wins.
Malicious
actors
can
go
and
find
the
CFO
administrative
assistant’s
Facebook
page,
find
out
who
their
kids
are
and
what
school
they
go
to,
then
easily
craft
an
email
that
will
make
the
CFO
think,
“Hey,
my
secretary
just
asked
me
to
contribute
to
her
son’s
scholarship
fund
on
GoFundMe.”
People
naturally
want
to
trust
and
playing
on
that
trust
is
so
easy
to
do
and
to
make
it
look
good.
Especially
in
this
Covid-19
world
while
most
of
us
are
working
from
home,
you
drop
your
guard
a
little
bit
because
you
are
in
unfamiliar
surroundings.
You
are
in
that
home
setting
rather
than
that
work
setting.
That
is
what
scares
the
tar
out
of
me
about
email.
What
are
your
thoughts
on
industry
talent?
If
you
have
got
a
great
team,
each
member
usually
does
one
thing
well.
Even
if
you
have
already
got
the
technology
in
place,
can
one
person
take
care
of
firewall,
compliance,
intrusion
detection,
threat
intelligence?
Can
they
execute
on
multiple
things?
Each
of
these
takes
time,
and
if
each
member
has
to
take
care
of
three
of
them,
how
are
they
actually
going
to
get
each
done
well?
Our
biggest
customer
was
bringing
in
three
new
technologies
simultaneously.
Each
technology
takes
six
months
to
get
right.
They
tried
to
go
it
alone
with
vendor
products
and
failed.
When
they
came
to
us
they
said,
“We
missed
a
breach,”
because
either
their
SIEM
or
SOAR
were
not
tuned
properly,
or
they
never
got
our
end
point
fully
deployed.
What
is
the
answer
to
a
perceived
talent
shortage?
I
am
not
sure
how
much
of
a
shameless
plug
this
should
be,
but
a
different
way
to
deal
with
the
staffing
issue
depending
upon
where
you
are
is
to
rely
on
third
parties
who
may
have
more
people.
One
of
our
key
selling
advantages
is
that
because
we
deal
with
thousands
of
customers,
I
can
take
that
really
good
smart
security
person,
and
maybe
she
can
look
at
a
bank
in
the
morning
and
hotel
chain
in
the
afternoon
and
a
web
front
the
next
day.
So,
we
provide
variety.
We
provide
something
always
challenging
to
our
talent.
Complacency
hopefully
never
sets
in
and
I
have
got
the
staffing
capabilities
to
have
a
person
work
on
a
project
three
months
to
avoid
burnout.
That
is
really
difficult
to
do
unless
you
are
a
Fortune
100
company.
“You
drop
your
guard
a
little
bit
because
you’re
in
unfamiliar
surroundings.”
Sam
McLaneHead
of
Security
Engineering,
Arctic
Wolf
Cyber
security
and
people
Challenges
when
building
teams
When
it
comes
to
building
out
your
security
operations
team,
what
is
your
biggest
challenge?
There
are
two
main
issues
that
faced
the
cyber
security
community
in
building
teams
during
the
pandemic
–
a
perceived
shortage
of
talent
and
insufficient
budget.
Skilled
workers
The
lack
of
skilled
workers
that
culturally
align
with
your
organization
is
often
cited
as
a
“pain
point”
for
security
teams.
What
are
you
doing
to
win
the
war?
As
nearly
half
of
the
community
perceived
a
shortage
of
talent,
it
is
important
to
consider
what
companies
were
doing
to
acquire
talent
during
the
pandemic.
More
than
one
in
five
respondents
reported
implementing
mentor
programs.
Another
20
percent
saw
interns
as
the
answer,
with
nearly
10
percent
reported
engaging
with
universities
to
procure
employees.
It
was
not
all
change,
however,
as
just
under
two
in
five
noted
that
they
were
simply
going
to
maintain
current
behaviors
and
activities
to
move
forward.
Also
read:
Automating
enterprise
cyber
security
report
Security
approach
Defense
in
depth
vs.
industry
consolidation
Is
“defense
in
depth”
the
answer
or
do
enterprises
desire
more
consolidation
across
their
“point
solutions”?
There
was
a
marked
shift
in
industry
thinking
from
November
2019
to
June
2020
around
the
concept
of
defense
in
depth.
There
was
been
a
10
percent
composite
swing
from
the
concept
of
industry
consolidation
to
defense
in
depth.
Industry
frameworks
Do
you
leverage
any
of
the
following
industry
frameworks?
The
industry
craves
standardization
as
so
indicated
by
the
continued
increased
use
of
industry
frameworks.
Hacker
sophistication
In
2020,
the
state
actor
hacker
space
was
becoming
ever
more
crowded.
Unemployed
cyber
security
talent
was
a
new
and
looming
threat.
Dovetailing
with
cyber-criminal
sophistication
and
collaboration
was
a
brand-new
wide-open
threat
landscape.
This
all
put
increased
pressure
on
cyber
security
professionals.
About Author
" title="
