The current coronavirus pandemic is a concern for families and communities and over the next few months we will face continued uncertainty. At a business level it is worrying for many executives and employees who find their business exposed to the consequences of the virus. WA has been asked by our network for our opinion on the potential impact of COVID-19 on security expenditure and this article goes some way towards providing our perspective.
Forecasting pandemics is hard. In Nate Silver’s book, “The Signal and the Noise – The Art and Science of Prediction”, he eloquently explains why epidemiologists have failed to predict when a new outbreak will occur and how quickly it will infect. Part of the challenge is that large outbreaks are rare, have unique characteristics, and data is sparse. The danger is that by using incomplete data we extrapolate and either widely overestimate the spread of a new virus or vastly underplay it. In the opening chapter, “A catastrophic failure of prediction”, we are offered an insight into how governments and financial institutions failed to recognise, or chose to ignore, the signals that were pointing to a financial market collapse in 2008 and a resulting recession. Even after the crash happened, many experts failed to calculate the fiscal package that would be required to set the economy back on the right course. Economics is a challenging discipline and predicting how a complex system of systems will react to a shock is a very difficult science, or art form, depending on your perspective. Forecasting how COVID-19 will impact the economy and subsequently security expenditure is hard but there are insights we can use to gain a perspective.
In our opinion there are 4 main factors that impact the size and rate of security investment. Alongside Economic performance, the three other key factors that move the investment needle are Regulation, Risk & Threat and Security Maturity. The following analysis relates to Cyber Security.
Generally, economic performance or growth has had a limited role in cyber security market growth. Our analysis shows that providing the economy is stable and growing moderately, the rate of investment in cyber security doesn’t change dramatically between an economy growing at 1% or at 5%. However, economic shocks do have an impact and the financial crisis in 2008 is one example. COVID-19 is likely to be another one. A quick scan of a CSIS (Center for Strategic Analysis and International Studies) article on the initial impact on China suggests that exports fell 17.2% in January and February and analysts are now forecasting a contraction of the Chinese economy in Q1. Opinion differs on the eventual global impact; the OECD suggests a global reduction of 0.5% from the current baseline whilst other economists are forecasting no growth in 2020 or worse. Until the pandemic has run its course and the effect of fiscal policies is clear, it is difficult to know just how significant the economic impact will be.
Looking only at past economic performance to understand the impact of a shock in 2020 isn’t sufficient. As the old adage goes, past performance is not indicative of future performance, and this is true of cyber security. Since the last recession the underlying dynamics of security have changed. Regulation in the form of NIST, the NIS Directive and GDPR has firmly placed the responsibility for protecting infrastructure and data with operators and enterprises. If advanced cyber security capabilities were a nice-to-have for some industries in 2009, they are now essential if organisations want to avoid fines and a poor reputation. Equally, the cyber threat has evolved, and governments and enterprises are now more focused on evaluating and monitoring risk and putting the right preventative measures in place. No executive wants to be involved with the next Equifax or Travelex incident or be the headline for the next WannaCry crisis.
The cyber security industry has also matured, and so have business models. Pre-2008, cyber investment was usually part of a capital expenditure project including the procurement of firewall and IPS/IDS appliances. In 2020, SaaS business models mean services are increasingly based on an annual cloud-based subscription model that is hardwired into IT budgets. At a time of crisis, it is less likely that annual subscription contracts or managed services that are tied to regulatory requirements will be dropped, versus a significant capital expenditure project.
What does this mean for cyber security expenditure? It depends on the circumstances of each customer, including the critical nature of the service that’s being delivered, the business model and the current customer risk. Questions organisations should consider when calculating the likely impact are listed below.
Is the product or service critical to regulatory compliance?
Is the product or service a subscription-based contract or part of a new capital expenditure project?
Will the financial performance of the customer be significantly impacted by the current crisis? If your customer base is closely aligned with the transportation sector, then your business is likely to be more exposed to an economic downturn in the short term.
Balanced against the above are several further consequences of the pandemic that will impact cyber security. Unfortunately, the first of these is the actions of individuals and criminal networks that are looking to exploit the uncertainty. There are several COVID-19 phishing scams aimed at tricking people into sharing data or installing malware. Organisations need to be aware of the threat and ensure worried employees remain vigilant to well-disguised phishing attempts.
The second consequence relates to the increase in homeworking. Many organisations are set up to provide workers with occasional remote access to networks through a VPN but have not planned for all staff to work remotely, which may result in the use of unsecured Wi-Fi networks and increasing use of personal devices. Challenges such as the use of unencrypted communications, default password settings and poor firewall configuration at home increase vulnerabilities. Ensuring that remote working is secure will be a CISO priority over the next month.
WA’s position is that the cyber security industry is more resilient to economic shocks than it was in 2008/9, but investment will slow as trade stalls, business priorities shift, and capital expenditure is delayed. It will be a difficult period. Longer term, the outlook for cyber security expenditure remains positive and the industry is likely to see an upward spike to correct delays to expenditure. The speed of this correction will depend on how fast economies recover and will differ by customer segment.
WA has looked extensively at the impact of economic shocks on the security industry in our ongoing analysis. If any security organisation requires free advice on how the current crisis is likely to impact future demand for their products or services, then please contact us at firstname.lastname@example.org