Where is Cyber Security Headed in 2021?
December 7, 2020
Our first set of predictions and trends for 2021 really started back in March 2020 when we developed our Pandemic Security Model. We talked about how organizations and businesses would react from a security perspective as we moved along the WHO pandemic scale.
Since the pandemic has dominated every aspect of our lives, it has also become the core focus of many businesses and their decision making. This will continue into and through 2021.
As a result, predicting where the pandemic will go provides a good indicator of where businesses will go as it relates to cyber security.
Our predictions assume that the pandemic will begin to subside and that we will enter a Post Pandemic phase in the second quarter of 2021.
With vaccines on the way, we think that this is the general consensus among most experts out there.
Security services will be the new toilet paper — scarce
Because of the pandemic, some companies have grown rapidly, like Zoom, while others have disappeared; think Carnival in the cruise industry.
The demand for security services to support the high growth companies has been enough to offset the loss in demand from organizations negatively impacted by the pandemic. Security demand was very high even before the pandemic occurred and has only continued to swell because of it.
When the pandemic subsides, high growth companies will require more security services than they did previously while demand grows from industries such as hospitality, retail, and others that enter rapid-growth stages as they build up again with normal demand.
With an already large shortage of cyber security resources before the pandemic, along with a rise in the prices of security services, it’s going to be difficult to find enough security resources going into the new year. Expect to see average delays of 2 or 3 months for many professional and managed service providers by the second quarter of 2021. Even if you can find appropriate security resources, expect to pay a lot for them.
Most talent programs will fail to meet the growing need
There are all kinds of funding and grants being rolled out in the US for cyber security apprenticeship programs to bring more professionals into the industry.
While the intent is good, the focus on “apprenticeships” won’t be enough to ready professionals. Business engagement with apprenticeship programs is often low, as organizations don’t have enough time to spend on making apprenticeships valuable, especially if they’re giving more to the apprentices than they’re receiving from them.
Breaches will continue to surge
Not a shocker here.
Breaches will continue to wreak havoc on organizations as they struggle to engage cyber security services and qualified talent. Even as employees come back to work onsite, many will still be working from home, making the typical organization’s network highly distributed.
This, coupled with the fact that organizations will still have immature security practices and will face the task of quickly rebuilding from the pandemic, will lead to continued security breaches across organizations in all industries.
Consolidation in the security services industry
As the demand for cyber security services continues to swell, you will continue to see investor demand to acquire and consolidate cyber security companies in the coming year and likely over the next couple of years.
While acquisitions and consolidations aren’t a bad thing, they are something to keep in mind in terms of the services an organization signed up for. Organizations should keep an eye on the level and quality of the services after an acquisition or consolidation.
Start your 2021 security projects early.
What Organizations Can Do
So what can organizations do to ensure their security objectives are met and they have access to security talent and services?
We’ve compiled a few suggestions:
Read our pandemic security progress model white paper
This model illustrates considerations both before, during and after a pandemic. Our Pandemic Progress Model provides some food for thought along with tactical and strategic advice for how to move forward once the pandemic is over.
Perform a best practice assessment
The pandemic has changed the core of how many organizations operate. If you haven’t performed an assessment against your organization’s new normal, do it sooner rather than later.
An assessment will help you understand your current state and will make it easier for you to make informed decisions going forward. This insight will help your team build resource and budget requirements early for approval from management.
Set expectations with management
Projects will take longer, cost more, and will likely be slow to start.
If your organization had an assessment performed in 2018 for $30K, don’t assume that it will still cost $30K in 2021. If you’re planning to conduct an assessment in the new year, plan for it early to get it done on time.
Lead times and costs are going to be different moving forward. There’s a tremendous demand for services, and the cost of security services has increased as well. Security projects also take more time when they’re conducted virtually. If there are situations where teams must travel on-site, there’s more red tape and cost associated with it, as well as considerations about which resources would want to travel.
As you plan security projects through 2021, make sure to communicate timelines and costs with management to avoid any unwanted delays or surprises.
Book services early for 2021
If you want security work done in 2021, plan to put in requests and start conversations early in the year, or even at the end of 2020 to get work done in the new year.
If businesses return to normal by the second quarter next year, there will be a huge surge in demand for available cyber security resources from the second quarter all the way through 2021.
Your organization may want to consider engaging a provider in managed services, especially if you anticipate that you may need dedicated security resources for multiple years. Engaging in a managed service will ensure that you have resources available during this security resource drought.
Establish incident response retainers
Some of the rarest cyber security resources right now are those who specialize in incident response and forensics. These people are in high demand because breaches will only continue to grow and explode in the current landscape.
To help with this, it makes sense to sign up for an incident response retainer now and pay for these services upfront. This ensures that you will have access to these security resources in the future if you need them.
Be open to hybrid talent development approaches
There are many unique talent development programs. We are naturally partial to one of our own making, CyberForward, but there are others as well that are seeking to rapidly develop professionals and quickly make them ready to work.
There is also the great work of NIST NICE and other programs that are seeking to make the way people work in a security program more efficient.
Be open to new ways of doing things in your security program to help get work done more efficiently and effectively.
Times are far from normal, which means continuing to innovate will be crucial to success in almost every situation. Many companies and groups are working hard to innovate; be open to participating in new talent development approaches to help bring them to fruition.