Listen: Next in Tech | Episode 50: InfoSec spending up, again…

Attitudes about security are evolving, but expectations about spending remain strong. Dan Kennedy, the lead analyst on the Information Security VotE study, is back to discuss the results with host Eric Hanselman. There is greater awareness of the realities of cloud security, and organizations say they're buckling down to support remote work as a permanent change. Regulatory requirements seem to be expanding their remit, but are they on target for areas such as open source?


Transcript provided by Kensho

Eric Hanselman

Welcome to Next in Tech, an S&P Global Market Intelligence podcast where the world of emerging tech lives. I'm your host, Eric Hanselman, Principal Research Analyst for the 451 Research arm of S&P Global Market Intelligence. And today, we're going to be digging into the latest information on security budgets and outlook study results with Dan Kennedy, who heads up the study. Dan, welcome back to the podcast.

Daniel Kennedy

Thanks, Eric. A pleasure to be back. I know I was involved with one of the early ones, and it's gotten pretty big since then, from what I've seen.

Eric Hanselman

Yes. You were on the leading edge of the podcast. So -- well, and especially with a lot of the data that you've been shepherding throughout this process. We have been remiss in getting you back on. But you've got the latest in data.

And actually, I guess, before we get too far down the road, for those of our listeners who aren't familiar with the Voice of the Enterprise infosec study, what's its background and what's new in this edition?

Daniel Kennedy

Yes. So the Voice of the Enterprise for information security started way back in 2015. We had a data product back then that relied primarily on interviews of security professionals. And we wanted to add a survey component, sort of a high sample size survey, to get more data. So we started going out 4 times a year with fairly large surveys. This year, we're going to go out about 8 times a year, smaller modular surveys, but same idea.

We continue to do the interviews. So we still do these in-depth interviews of CISOs and equivalent positions to give context to the sort of perception numbers we're getting in the surveys. And as information security is sort of a mile wide, the VotE product is as well. It covers all the things our security analysts cover from identity; SecOps; my own area, application security; network security, which you're very close to and so forth.

Eric Hanselman

Well, and the in-depth interviews, I guess what we see in the product which are actually the narratives, are one of my favorite parts, being able to actually see real responses -- text responses, or what the real responses from the actual interviews were -- always gives such interesting color into perceptions. Because I think in information security, to a greater extent than maybe in some other disciplines, there's a lot of perception that's all wrapped up in this. There's a lot of variation in understanding of the technology and the threat models. And it's really interesting to see sort of what those deeper insights look like.

Daniel Kennedy

I always imagine one of those split screens on a cable news television show with all the different people talking at once to the same question. And you start to see patterns that you wouldn't otherwise see. And as you say, perceptions are far and wide in security.

And it's interesting, as analysts, we're out talking to vendors, solving some fairly innovative problems. And for me, the conversations are very grounding in terms of the practical realities the security managers are facing, dealing with technical debt, legacy platforms, integrating new ideas. And so it's sort of a -- I don't know, an anchoring agent for not getting too far out over my skis in terms of listening to what's next in technology, but just being aware that whatever is next has to fit into what's already there in a meaningful way.

Eric Hanselman

You know, well, thinking about what's next, maybe there should be a podcast on that. It's like, yes...

Daniel Kennedy

It sounds like it could be a great title for a podcast, yes.

Eric Hanselman

Well, but joking aside, the point that you make, I think, is a really important one. It's just that we're steeped in the latest and greatest of everything. And the narratives are a great way to be able to actually get that vision into really what people are -- the issues they're dealing with on the ground.

Daniel Kennedy

Couldn't agree more with that statement.

Eric Hanselman

But as well as the narratives, there is also hard data in there and what survey results that we're pulling back. And one of the things when you're looking at data is that budgets are up yet again. What are your thoughts on what's driving them?

Daniel Kennedy

In this pandemic period, I know folks are sick of -- probably sick of me talking about -- probably sick of us talking about it, but we're going to be feeling the effects for years to come on the security side. It's interesting as we sort of got knee deep into it. I went out in January of 2020, and I surveyed for budget intention, sort of advancers and decliners. How many -- what percentage of people responding to the survey are increasing their security budget and by how much? Who's taking their budget down a bit?

And I got these numbers in 2020. And they look just like the numbers before that, more people increasing budget, budget increase of 20% net. And then my results came out in January of 2020, and then February and March happened. I was like -- so I wasn't going to in front of...

Eric Hanselman

Everything you know is wrong.

Daniel Kennedy

Yes. I wasn't going to get in front of too many people with those numbers anymore. So I had to go back out. And it was probably the first time we did that, where we said we're going to reask this question right in the middle of this thing and see what changed in -- between 2 quarters. And a lot changed, yes. We went from somewhere over 80% of people increasing budget to 66%.

Eric Hanselman

As you would expect.

Daniel Kennedy

We saw a number of people say that they would decrease budget. We saw a budget go from -- it's still a net increase of 16%. And I kid with people in the other areas, I said, it's a lot of areas of technology that in the midst of this we'd be very happy to have an increase of 16%. And it was interesting. It was a tactical period. We saw people struggling to scale up VPN and remote access. We saw people sort of doing what they need to do to get people on. We saw people starting to realize they really didn't need the VPN to connect.

And there are a lot of implications to that. So we asked a 3-part question about the VPNs. And we basically said, do you have adequate VPN capacity? Yes. Are your security controls in place when people access with a VPN? Yes. And then, is everyone accessing with the VPN, or do they have to? And it was like, "Uh, no." Do your security controls still work if they're not connected to the VPN? No. And so the last...

Eric Hanselman

And [ surprise ], it's like, whoa, oh.

Daniel Kennedy

So the last, I would say, 24 months has been spent sort of, especially within user conversations, convincing people that like -- and Liam Eagle did some great work that year on identifying right away that this was a permanent increased scale of remote work, and there's no way around that.

That everyone anticipates the investment made to pull this off has to be amortized over a period of [ 4 ] years and that employee attitudes towards this are changing. And frankly, senior management attitude towards it in many firms are also changing, that remote work is just considerably more acceptable. And so even beyond the pandemic, there's going to be an increased scale.

And so your advice then starts to become, to security managers, you really can't hold the line until people get back to the office. If a significant percentage of people aren't coming back to the office, at least full time, a hybrid model is coming out. Hotel desks, and coming in a couple of days a week or not at all, or a percentage of people not having to come in. And is your security architecture set up for that? And I think in large part, people are finding out it isn't.

VPNs were sort of state-of-the-art 15, 20 years ago. They provide wide access and they provide wide access to an on-campus network. Well, wait a second, a lot of the resources you need are not on a campus network. There's no data center to go to, a lot of cloud-based resources and SaaS-based resources.

Is the sort of -- yes, is that access model going to work, or is there finer-grained access required? And you spend a lot of time with that, I know, discussing specifically zero trust network access, which really gets at that question. And we're seeing growth in at least the number of people closely looking at that technology as sort of an answer to this.

Eric Hanselman

It's still fairly early days, and I will utter that hyper-buzzy term, SASE, at the same time, secure access service edge. Yes, there's substantial interest in how you go about actually addressing these new models of work. But to your point, they're here to stay.

Daniel Kennedy

And great point on SASE. As much as a buzzword, just think of it philosophically, it's, okay, if my controls are not in place, now where can I put them? Can I align them with WAN connectivity? Can I -- where can I put them as part of a proxy? But I have to implement these things. Everything from DLP to web content control to CASB-type SaaS security solutions, where am I going to put them? If they're not going to be on -- when they're not on a VPN, what do I do with them?

So a lot of early-day architectural questions for security that -- solutions are emerging, people are looking. Early days, as you say. But the answers aren't quite there yet, but know that there is sort of this underlying issue that needs to be addressed. And we're seeing budgets respond to that. So last year, we saw budgets in security fully recover. The pandemic just looks like a blip, and then security budgets came all the way back. We're seeing even more positive numbers going into this year, something like 94% of the people we're talking to increasing their budget. The net average increase is around 30%, almost double what it was right in the middle of the pandemic.

So we're seeing a real reaction. Security -- it wasn't as if security didn't already have some issues to deal with, ransomware and then every other piece affecting them. But we're seeing security and remote access tick up into the top 10 in many sort of strategic objectives for 2022 lists that we survey for.

Eric Hanselman

Well, and I think the point that you were making earlier is at a focal point of this, which is people are finally starting to realize this is a new model. This is settled in. It's not something where just buying a big bag of VPN licenses is going to tide you over until everything comes back to the way it was. Now, in fact, organizations are looking to make those investments that can help their environments actually be sufficiently secured.

One of the other numbers of yours that I think is great is that the insight in terms of telemetry and this expectation that as we've lost telemetry, we're going to replace it. And the place we're going to replace it is the corporate endpoint. And I think people are coming to the point of realizing that, well, in fact, if a lot of work is getting done in places where you don't have a footprint, where you don't have that much of a presence, you've got to come up with some other way to be able to build these controls in, to get the telemetry you need and to operate effectively.

Daniel Kennedy

Yes. And I would say some of the attention around -- I mean, not to get into more buzzwords, but XDR is certainly around that issue, where it's -- you have the EDR plays, which were popular. In the past 36 months, it's certainly increased in usage. And then questions about, well, okay, we're getting data from other places, the network edge, which is still absolutely relevant, the cloud, how do we marry these things together? And so different solution sets are sort of under this XDR umbrella or entering that space.

But yes, that was a key data point. It's -- do you understand you're losing telemetry? And what does that mean for your sort of monitoring architecture? If you're not going to get it back, where are you going to go to get it kind of thing. That's a big question. There's a lot of little questions. I mean, even things down to, yes, how do you run a penetration test? Or what do vulnerability assessments cover now?

You've gone to -- when I was a CISO, we had a headquarters in Manhattan on Fifth Avenue and then we had 18 offices throughout the world, so branch offices. And I would think about how to -- what the security footprint for all those offices should look like in terms of their local regulatory structure and things like that. Yes, I don't envy CISOs today in a 10,000-person organization that's fully remote. You essentially have 10,000 remote offices and how does that work?

And so you start to talk to people who do tech support and other things. They're seeing things on networks that are not corporate devices, and they're having to troubleshoot things in view of the bandwidth problem. And wait a second, is someone playing a PS5 in the background? That might be the issue, stuff like that. So it's layers of new problems from that and a security perspective.

Eric Hanselman

Well -- and you uttered the other important word, which is cloud. Cloud has always been the, over generations of the study, a big concern. But I was interested to see that now respondents are identifying that they're getting more comfortable in cloud. Is this progress? Is this still -- are there still enough risks left exposed? What's your thought?

Daniel Kennedy

Yes. So it's a great point, Eric. When we started asking about cloud security, gosh, back in the INFOPRO days, we'd always get the answer to how are you securing it? Well, yes, the cloud provider will take care of that. It was always a very bizarre answer, and it reflected a real lack of knowledge around what we started to call console security, which is not actually security of the console but just the idea that the infrastructure you build, console [ on up ] in the cloud, is yours to own.

Eric Hanselman

So your responsibility model is...

Daniel Kennedy

The cloud provider is not going to -- yes, yes. And it's really -- it's not even shared. This is your responsibility and this is our responsibility, and you don't seem to understand the difference. And I'm still running into folks and some of the data you referenced that don't get that.

Now we ask about that question in a creative way. We say, how would you know your cloud-hosted application was breached, something you built on infrastructure-as-a-service? And we ask it in the survey and we ask it in the interviews. And the interviews are interesting because it really becomes like a tabletop exercise, which makes me laugh because it makes me think I'm the first person who asked the question, which is sort of funny when I'm talking to really senior security people.

Eric Hanselman

Wow. Yes, that's -- okay, a little head scratching there, but okay. Hey, well, this is -- it's the great thing about the study. We do get these kinds of insights.

Daniel Kennedy

Right. So -- and we're intentional in sort of spurring this thought process. And we get answers like, "Well, yes, I think AWS would alert me." And we can sometimes ask follow-ups, like how would they do that? What have you done to install security monitoring for your infrastructure built on the cloud?

And the encouraging thing is we're seeing a much greater percentage of people -- we've been good about asking the same question from 2015 now to 2022 -- the percentage of people saying our security monitoring, that we've intentionally architected into our cloud footprint, would be the first sort of canary in the coal mine, the first trip wire a bad actor would hit. That will let us know about it.

We're getting a lot less -- a much lower percentage of people misunderstanding the entire cloud model and saying the cloud provider would tell me. Because the cloud provider, they're going to tell you about things in their own infrastructure and they're going to try to prevent you from hurting yourself. We saw that famously with the S3 bucket example of AWS, where they offer a lot of flexibility, but they started to offer new defaults that were more secure, more indicators such that you couldn't misconfigure them as easily as you could in the past. So they want to provide guardrails. They want to provide you guidance. But they also want to give you the flexibility to do what you're trying to do on their platform. So ultimately, you're still responsible, and we're seeing a better understanding of that.

And we're seeing an erosion of the percentage of people who say there are security requirements that would prevent them from using -- from hosting something in the cloud. And that's gone down significantly. When I first came into this, people would always cite, "Well, compliance and security are major inhibitors to the cloud." And I, as a security person, I want to know exactly what that meant. What does that mean, you can't do it because of security. So as a security person, it was kind of an irritating response. And that's why we started asking these questions back in 2015. What specifically do you mean by that?

And we got a better answer around there is a lack of understanding of what's available, a product ecosystem both on the cloud provider side and the third-party side had to catch up. But now here in 2022, we're at a much different spot than we were in 2015, and the data that we just captured and released closely reflects that fact.

Eric Hanselman

Well, knowledge and understanding are percolating through and that's good. Well, we see this broadly in a lot of the general client interactions as well. Gives us at least hope, if not strong warm feelings about what that progress looks like.

Daniel Kennedy

You know, security always feels bolted on, but that might not be an appropriate place for it to sit. Things have to become fully viable, a full reality, and then there's a lot of consideration about how to better secure the architecture of the offering. But I've watched this routine go on for years now in other areas, think about mobile and other aspects of technology. And we're going to see it in other areas as well.

Eric Hanselman

Well, we're -- good that we're making progress. And it is one of those things that, again, we see all of the cutting-edge capabilities out there, but those are things that take a while to get integrated into the operational mindset and the capabilities of the rest of the world. So yes, good to see there's progress. As far as the broad study goes, what are the things that organizations should take away from this edition of the study? And what do you think are some of those top line pieces that are the more useful perspective?

Daniel Kennedy

It's interesting. I mean for the cloud study, certainly the sophistication around what really are the security concerns and where are sort of third-party platforms making inroads. So think cloud security posture management, cloud identity entitlement management, some of these new pieces coming out, these new categories, where do they fit in? And we're sort of identifying implementation usage. So for end users, that's really a source of benchmarking data, where are you with your security program compared to other folks.

Other takeaways, it's interesting. I still see sort of divides. And I ask about top concerns and the biggest citations for cloud security are data residency, compliance issues and auditability, which is very related to client issues, the ability to audit your platform and the shared responsibility again. And after all those things, then we get into concerns around sensitive data and identity access control.

And yet in the top ways people are addressing their concerns, the most cited thing is identity management, authorization, data security plays in, monitoring. It feels like some of the sort of regulatory regime issues with cloud are not fully realized yet. And what I mean by that is I haven't seen regulatory controls really catch up to the way modern applications are architected and developed. And I'm going to be interested to see how that plays out.

So whenever I get a list of security concerns that starts with a handful of things that may be a little more difficult to address by technology, and then I see a chart of what we're actually doing and it doesn't exactly match, that delta becomes interesting to me. And so I'm interested to see how the cloud providers react and even how state -- in our country, state and federal regulatory controls catch up to the way sort of applications are now developed. I don't think that's been fully realized yet.

Eric Hanselman

Well, I think the current administration, fortunately enough, is pushing greater cybersecurity awareness and seems to be pushing that out. I was noticing that the NSA is now going to have a much greater role in national security in the defense realm, taking what CISA has been doing in the commercial sector and starting to push that out. And the SEC, I guess, is also looking to push breach notification to network operators in more sophisticated ways, or if nothing else, at least more timely ways and start to get involved in the process. So there's, I guess, a little more regulatory awareness that's creeping in there.

Daniel Kennedy

I would certainly say it's a reality that the security managers are dealing with. And certainly, our friends in the U.K. a couple of years ago were hit pretty hard by some of the breach notification requirements and penalties associated with them. But yes, it's going to be an interesting area as it sort of fully emerges with the way infrastructure-as-a-service works in the cloud, the way applications are hosted. And it's interesting, some of the language used by regulators still feels locked into old models of IT architecture. So it's going to be interesting to see as they sort of cover that delta, what controls come out of that.

But you raised some very good points, and CISA has certainly made some very important inroads in sort of advising folks and making suggestions around policy. We saw the SBOMs prominently mentioned in an executive order earlier last year, software bill of materials.

Eric Hanselman

Software bill of materials, for those of our...

Daniel Kennedy

Yes, spell it out. Certainly a way to sort of address open source supply chains. And I do good with people, I -- from an open source security perspective, when I started as an application developer, it was whether or not to use an open source package. Now I think for applications, the meaningful measurement is the percentage of the application that is open source. It's just -- it's a programming constant, if you will, that it is going to be included.

So how do you then manage that piece of it in terms of, this is code written by other folks, how do you keep it up to date, how do you contain issues? You saw Log4j make some waves at the end of last year. Everyone is using the same package, and if there's a problem within that package, that can be very impactful. And impactful from a vendor management standpoint as well: how many of your vendor tools are using that library, and what's their fix timeline?

Eric Hanselman

Well, software supply chain management.

Daniel Kennedy

Exactly. Exactly.

Eric Hanselman

Yes. It's -- one of those things where I think your point about shifting from the technology exclusively to a greater understanding about how the organizational controls start to come into this. And again, with any luck, regulatory requirements will start to mature. Auditors certainly are getting more capable and better versed in a lot of these things. So those things will actually start to take the form of hopefully some more sophisticated guidance as this goes forward.

Daniel Kennedy

Absolutely. And you asked about takeaways, the other takeaway I have is looking at sort of the current state of security controls and the sort of planned future state. And the one delta I see is that the most common approach currently is security tools and services that are sort of included default in the cloud subscription. But the most cited planned answer is additional third-party security tools and services. So theoretically, if these plans pan out, we're seeing a slightly different cloud architecture than we do today with a much greater third-party footprint from a security perspective.

And what that -- it's interesting. There's sort of a push and pull that happens there even in the market now. We have cloud functions, especially visibility functions, that were provided by third parties. But you always have a chance that a cloud provider will then recognize this as a very common function, potentially something that's inhibiting users from using the cloud service fully, and they can kind of subsume that as a feature. They can decide they're going to offer it by default or with a very low additional cost, sort of taking away a piece that was part of the third-party ecosystem. Third parties, they're always sort of racing out in front of that.

Eric Hanselman

Well, they've got strong motivations, the cloud providers do, to remove any roadblocks. And security, of course, is one where a lot of those exist.

Daniel Kennedy

Absolutely. And I think where third parties get in trouble specifically is their solution, I hate to say it, is not cloudy enough. But what I mean by that is it's not at all scaling, it doesn't scale with the same speed as the rest of the cloud components. It adds onerous requirements, agents, other pieces that involve manual setup.

And so the fastest way to get a cloud provider to address things is to start to generate a lot of problems around what they think is a necessary service. Then they will sort of turn the barge a little bit and start to address those things, and they could kind of remove a market or commoditize a function. And for a third party, then they have to sort of stand in front of that and always be offering sort of a service that's sort of a step ahead of what the cloud providers want to do themselves.

Eric Hanselman

Yes. Well, and it's getting to that position of being able to both help organizations, take the controls that are familiar and bring them into that cloudy world in ways that are cloud-efficient and effective.

Daniel Kennedy

It's a great point. I included a narrative in the report I just published where a security manager was saying that -- not going to be critical, but what I think is an interesting viewpoint, which is I'd like to use the same tools I have on prem, which is something I've heard for half a decade now. And it's just -- it's not really that, it's I want the capabilities of the mature security architecture that was built over here.

It's not the same tools necessarily. It's certainly not implemented the same way, but it's a monitoring capability, an asset inventory capability, the ability to create reporting as they want or do prevention as they want. So -- and that -- we've been talking about it a long time. But that has not settled yet. This cloud ecosystem is still building up very quickly.

Eric Hanselman

Well, as with many things about next-generation technology, wow. Well, thanks for all of the background, Dan. This is great. We'll encourage our users to take a look at the data. And of course, a lot of the research is going to be spilling out of a lot of this. But thanks for being back on the podcast.

Daniel Kennedy

Oh, my pleasure. Any time.

Eric Hanselman

And that's it for this episode of Next in Tech. Thanks to our audience for staying with us. I hope you'll join us for our next episode, where we will be talking about technology M&A, talking about actually a lot of the technologies that are merging and swirling together. And we hope you'll join us then because there is always something Next in Tech.
