Joseph Carson, Chief Security Scientist and Advisory CISO, ThycoticCentrify.

Post pandemic, are regional CISOs on the right track?

To understand how and why investments in cybersecurity had grown, a global survey was conducted of more than 900 senior IT decision makers. This Technology Decision Making report shows how the pandemic has affected the cybersecurity industry and the priorities of CISOs across nine countries in the Americas, Europe and Asia. Here in the Middle East, as IT stakeholders prepare to make their cases for 2022 budgets, the same challenges are likely to arise.

About 60% of those surveyed expect to see a boost to their security budgets in the next financial year because of the changes in IT environments made necessary by lockdowns. We should make note of two things regarding remote working. The first is that it did not, by itself, create security problems. It merely threw new light on existing issues.


And second, while lockdowns may become a thing of the past at some point, hybrid work is here to stay. So, we cannot merely keep our heads down until the storm has passed, only to sail on as before. We must address our security holes and plug them to prepare for the hybrid reality ahead of us.

A major pain point that has arisen from the complexities of new technology stacks is the difficulty in managing identity security. The discipline known as privileged access management (PAM) was poorly understood before the pandemic. Back then, the risks of incursion were much lower because endpoints were actively monitored within a well-defined perimeter, and many mistakes in configuration and policy went unpunished.


In the absence of corporate firewalls and other safeguards, it is significantly easier for a malicious party to access privileged accounts. It is therefore vital that privilege models based on zero-trust make their way to the top of the priority list for implementation in 2022.

91% of those surveyed believe their security budget is adequate, a strong indication that line of business is beginning to grasp the scale, intensity, and flexibility of the threat landscape. But the research also shows that most investments are targeted at known problem areas, such as those found after an attack has already happened. Fear of auditors and regulators – a concern widely reflected in the Middle East – appears to be a further motivator, with one in four citing the threat of fines as a key inspiration for action.


Being confronted with the expense of one’s own cyber incident is an understandable motivator. But Middle East firms looking to compete in 2022 have an opportunity to learn from headlines. The missteps – and horror stories – of others should be enough to illustrate the need for a holistic strategy that closes gaps before they can be exploited. PAM is one of the strongest examples in the industry of proactive strategy being employed to prevent the need for reactive firefighting.

More than a third of our respondents reported having presented investment proposals that were rejected because the threat did not instil the right level of fear, or because the solution had insufficiently clear ROI.


So CISOs are condemned to retreat from long-term strategy in favour of short-term, piecemeal tactics. The study shows that most CISOs are ready to road-test new technologies and approaches, but just 17% believe their organisation’s decision makers grasp the true nature of the threat landscape and are willing to invest accordingly.


