State of Cybersecurity 2020: Research Report
STATE OF CYBERSECURITY
2020
September 2020
More than ever, companies are accepting that digital business is the way of the future.
Regardless of the industry, offering or customer base, digital tactics are needed to survive in a
dynamic and unpredictable environment. With this in mind, cybersecurity moves from a piece of
IT operations into an overarching business concern. From formal policies to specialized teams,
organizations are adopting the practices that will secure their new digital efforts, ultimately
moving towards a new framework that defines a modern mindset. This report examines the
state of cybersecurity as the world fully embraces digital transformation.
KEY POINTS

Digital operations drive new security approaches
Satisfaction with current cybersecurity efforts seems high, with 36% of companies reporting they are completely satisfied and 43% reporting that they are mostly satisfied. However, this sentiment is driven in part by an executive viewpoint, and it may not be sufficient for a function as critical as cybersecurity. The shift to remote work is driving companies to re-examine their security practices, and this examination should continue through to all parts of an IT architecture, especially those pieces that have changed in recent years.

Cybersecurity practices are becoming more formal
As cybersecurity becomes less exclusive to the IT function, the broad organization needs to consider the practices that will lead to a robust security posture. First and foremost is risk management, where companies must assess their data and their systems to determine the level of security that each component requires. Another key process is monitoring and measurement, where businesses must constantly track security efforts and build new metrics that tie security activity to business objectives. Moving forward, these formal processes will likely coalesce around the zero-trust framework, which defines a mindset around ubiquitous verification that is needed in today’s distributed digital environments.

Security teams are expanding and becoming more specialized
The cybersecurity chain in a business now extends beyond the IT team to include the entire workforce, upper management, and even the board of directors. Each of these areas has specific responsibilities when it comes to cybersecurity, and creating a cohesive structure to the security discussion is a major challenge. Changes are also happening within the IT function. The complexity of cybersecurity is driving demand for a range of specialized skills, and most companies are upskilling internal resources and leveraging external firms in order to ensure the proper mix of expertise.

Cyber insurance is quickly becoming a business need
One of the main issues driving cybersecurity efforts is the growing impact that a breach can have on a business. As a result, cyber insurance policies are becoming par for the course, with 42% of companies currently holding a cyber insurance policy. Since this is a relatively new field, determining the appropriate coverage is a challenge. This involves not only the basic cost structure and coverage amounts, but also the initial work of determining a company’s security posture and the regulatory work of determining potential impacts across state or country borders.
Copyright (c) 2020 CompTIA Properties, LLC, All Rights Reserved | CompTIA.org | [email protected]
TOP TRENDS TO WATCH

Chart: The State of Cybersecurity (categories: Improving slightly; Staying the same; Getting worse; values shown: 11%, 9%)

2. Formal practices are bringing definition to a modern security approach. For years, there has been an understanding in the industry that security has moved away from a secure-perimeter mindset. The modern security approach has generally been defined by more advanced technology, more detailed processes, and more comprehensive education. Now, companies are formalizing their approach to areas like risk management and threat intelligence, with new frameworks emerging to structure best practices.

Chart: Approach to Cybersecurity Practices (categories: Much more formal; Slightly more formal; No change, part of overall IT; No change, already formal; values shown: 60%, 30%, 8%, 2%)

3. Cybersecurity personnel are becoming much more specialized. Continuing a trend that has been in place since businesses started installing CISOs, there is a major push for specialization in the field of cybersecurity. Whether companies are focusing on internal resources or outside partnerships, there is much more demand for targeted skill in threat management, proactive testing, and regulatory compliance.

Chart: Approach to Cybersecurity Personnel (categories: Significantly more specialization; Slightly more specialization; No change, using generalists; No change, already specialized; values shown: 48%, 37%, 5%, 9%)
MARKET OVERVIEW

In 2020, digital operations took on significantly more importance as the world adjusted to the COVID-19 pandemic. At a minimum, companies sent workers home when they could and scrambled to make sure that their day-to-day workflow could continue. In many cases, there was a complete reimagining of business offerings and customer experience, and these new efforts relied on the modern paradigm of cloud and mobile infrastructure.

From a technology perspective, there were not many new innovations that companies took advantage of as they shifted into pandemic operations. The mobile technology that enabled remote work and the cloud systems that provided resiliency had been available for years. What changed was the degree of reliance on these components and the strategic shift towards using them for future strategy. This type of shift is a prime driver for new security activity, even without the underlying technology models changing dramatically.

The COVID pandemic certainly introduced new elements to the security equation. Remote work exposed vulnerabilities in workforce knowledge and connectivity. Phishing emails preyed on new health concerns rather than previous financial tactics. These elements, though, only added complexity to a fundamental problem: the nature of modern cybersecurity.

Over the past decade, CompTIA has described modern cybersecurity as a three-part problem. First, there is the traditional piece of technology, which has evolved from basic firewall and antivirus to a full toolbox of options. Second, there are processes that help maintain secure operations. Risk analysis and compliance management are examples of processes that have become more critical for most firms. Finally, there is workforce education. Human error remains the primary component of most security breaches, and the level of knowledge needed by employees has greatly increased as a result of broader technology usage.

The level of detail for each one of these areas leads to a highly complex security landscape. What was once treated as a component of IT operations has now become its own industry. One place where this is reflected is in revenue projections. While Gartner estimates that total global spending on cybersecurity will reach $123.8 billion in 2020, they break that spending down into multiple areas. Capital expense on equipment will take a hit this year due to COVID cutbacks and shifts in strategy, but other areas are set to grow, especially the area of cloud security as more companies accelerate their cloud adoption. It’s also noteworthy that security services account for nearly half the total, and there are certainly a number of activities that fall into this bucket.

Global Security Spending by Market
Market | 2019 | 2020 | Growth
Application security | 3,095 | 3,287 | 6.2%
Cloud security | 439 | 585 | 33.3%
Data security | 2,662 | 2,852 | 7.2%
Identity access management | 9,837 | 10,409 | 5.8%
Infrastructure protection | 16,520 | 17,483 | 5.8%
Integrated risk management | 4,555 | 4,731 | 3.8%
Network security equipment | 13,387 | 11,694 | -12.6%
Other security software | 2,206 | 2,273 | 3.1%
Security services | 61,979 | 64,270 | 3.7%
Consumer security software | 6,254 | 6,235 | -0.3%
Total | 120,934 | 123,818 | 2.4%
Source: Gartner | Spending amounts shown in millions of U.S. dollars

more positive outlook—84% of executives felt completely satisfied with their security posture, compared to 32% of IT staff and 28% of business staff. This disparity can lead to issues when it comes to attacking the problem, which will be explored in more detail later in this report.

To understand the true scale of the problem, consider the importance of cybersecurity. The topic is no longer an ancillary topic within IT operations. It is a critical business function, on par with a company’s financial procedures. In that light, even “mostly satisfied” is likely insufficient. As the pandemic has accelerated many technology adoption plans, it has also accelerated the tactics needed for modern security.

Chart: Satisfaction with Company’s Security Posture
Completely satisfied 36%
Mostly satisfied 43%
Chart (continued from previous page):
Quantifying security issues 35%
Regulatory compliance 30%

The attack landscape is certainly top of mind, with attack-related concerns taking three of the top four spots. The variety of attacks has exploded from earlier days when malware and viruses were dominant. With more opportunity for financial gain and the addition of other motivations, the number of cybercriminals has also exploded. Finally, the potential scale of cybersecurity breaches has gone from minor disruption to major threat to the business.

Privacy takes the remaining spot in the top four. There is a clear tension between protecting data and using that data to provide innovative services, and companies have to carefully consider the real needs of their business model before making decisions around privacy. Privacy concerns are likely to be a focal point of regulatory activity in the future, an area which many companies may be underestimating.

One final issue to note is the problem of quantifying security issues in relation to the overall business. Previous CompTIA research has examined the use of security metrics. When IT was a tactical activity and security was primarily a defensive component, most companies used the simple metric of whether a breach had happened or not. Today, the strategic nature of cybersecurity demands more measurement, and there are several different metrics being explored by security teams, such as the number of systems with current patching, the percentage of employees that have been through training, or the number of flaws found by external audits.

Beyond the use of metrics, the strategic nature of cybersecurity is driving new approaches. As with any shift in thinking, there are barriers in the way of adopting a new mindset around cybersecurity. The top two hurdles are the belief

As expected, the recent shift to a remote workforce during the COVID-19 pandemic has been the primary trigger for revisiting security. While there are real security issues to consider with a remote workforce, those are only the starting point for issues created by a change in IT operations. After companies begin evaluating cybersecurity based on a remote workforce, they should be sure to continue the work by evaluating broader changes needed for expanded cloud adoption or exploration of emerging technology.

With remote workers as the primary driver, one of the primary changes to cybersecurity is naturally a focus on education. This is a continuation of the trend from the past several years of ensuring a higher level of cybersecurity awareness among the workforce. Other changes are more in line with new IT tactics, such as focusing on incident response rather than assuming incidents are being blocked and shifting to proactive measures since there is no secure perimeter. Two specific areas—process changes and dedicated resources—deserve a closer look.

Chart: Changes to the Cybersecurity Approach
Focus on incident response 46%
Focus on education 43%
Focus on process changes 40%
Use new metrics 36%
Expand technology tools 36%
Create dedicated resources 35%
Explore cyber insurance 33%
Shift to proactive measures 32%
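The metrics passage above names three measurements that go beyond "did a breach happen": systems with current patching, employees who have completed training, and flaws found by external audits. The following is an added example, not code from the report or from CompTIA, showing how a security team could compute those three metrics from its own records. The dataclasses, the 30-day patch SLA, the one-year training validity, and all sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class System:
    name: str
    last_patched: date
    business_critical: bool


@dataclass(frozen=True)
class Employee:
    name: str
    training_completed: Optional[date]  # None = never completed awareness training


@dataclass(frozen=True)
class AuditFinding:
    finding_id: str
    severity: str  # "critical", "high", "medium" or "low"
    remediated: bool


PATCH_SLA_DAYS = 30        # assumed policy: "current" means patched within 30 days
TRAINING_VALID_DAYS = 365  # assumed policy: awareness training expires after a year


def _pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def patch_currency(systems, as_of, sla_days=PATCH_SLA_DAYS):
    """Share of systems patched inside the SLA window, overall and for critical ones."""
    current = [s for s in systems if (as_of - s.last_patched).days <= sla_days]
    critical = [s for s in systems if s.business_critical]
    critical_current = [s for s in current if s.business_critical]
    return {
        "systems_current": len(current),
        "systems_total": len(systems),
        "pct_current": _pct(len(current), len(systems)),
        "pct_critical_current": _pct(len(critical_current), len(critical)),
    }


def training_coverage(employees, as_of, valid_days=TRAINING_VALID_DAYS):
    """Share of employees whose awareness training is complete and still valid."""
    never = [e for e in employees if e.training_completed is None]
    expired = [e for e in employees if e.training_completed is not None
               and (as_of - e.training_completed).days > valid_days]
    trained = len(employees) - len(never) - len(expired)
    return {"pct_trained": _pct(trained, len(employees)),
            "never_trained": len(never), "expired": len(expired)}


def audit_findings(findings):
    """Open findings from external audits, broken down by severity."""
    open_findings = [f for f in findings if not f.remediated]
    by_severity = {}
    for f in open_findings:
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
    return {"found_total": len(findings), "open_total": len(open_findings),
            "open_by_severity": by_severity}


# Constructed sample records for a reporting date of 1 September 2020.
AS_OF = date(2020, 9, 1)
SYSTEMS = [
    System("web-01", date(2020, 8, 20), True),         # 12 days old: current
    System("web-02", date(2020, 7, 1), True),          # 62 days old: stale
    System("db-01", date(2020, 8, 28), True),          # 4 days old: current
    System("hr-laptop-17", date(2020, 6, 15), False),  # 78 days old: stale
    System("build-01", date(2020, 8, 5), False),       # 27 days old: current
]
EMPLOYEES = [
    Employee("alice", date(2020, 3, 10)),  # valid
    Employee("bob", None),                 # never trained
    Employee("carol", date(2019, 6, 1)),   # expired
    Employee("dave", date(2020, 8, 30)),   # valid
]
FINDINGS = [
    AuditFinding("F-1", "critical", True),
    AuditFinding("F-2", "high", False),
    AuditFinding("F-3", "medium", False),
    AuditFinding("F-4", "medium", True),
    AuditFinding("F-5", "low", False),
]


def security_scorecard():
    """The three metrics a team would report alongside the old breach yes/no question."""
    return {"patching": patch_currency(SYSTEMS, AS_OF),
            "training": training_coverage(EMPLOYEES, AS_OF),
            "audit": audit_findings(FINDINGS)}


if __name__ == "__main__":
    for area, values in security_scorecard().items():
        print(area, values)
```

The critical-system breakdown is the part worth keeping when adapting this: an overall patch rate of 60% hides whether the stale machines are the ones that matter, which is exactly the tie between security activity and business objectives the report asks for.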
BUILDING BETTER CYBERSECURITY PROCESSES

One takeaway from the main trends listed at the beginning of this report is that companies are taking cybersecurity more seriously. However, this doesn’t mean that they now have security as a higher priority. For most companies, security has been a high priority for years, with cloud adoption highlighting the fact that a new approach is necessary. The recent change is that companies are starting to understand what to do about cybersecurity and are building more formal practices around this critical area.

Before diving into the most popular practices, it is worth mentioning the least popular one. A zero-trust framework is based on the concept of verifying every single access request rather than assuming that anything is safe. In a way, it adds a new twist to the secure perimeter problem; not only are activities taking place outside the perimeter, but companies should also not trust what is inside. Although comprehensive zero-trust architectures are not yet common, the framework provides an overarching approach that captures the tenets of modern security.

Chart: Cybersecurity Practices in Place
Security monitoring 58%
Incident detection/response 46%
Business continuity 43%
Workforce assessment/education 43%
Penetration testing 42%
Threat intelligence 41%

for assessing and improving network resiliency.

Moving forward, one practice that will likely see increased adoption is governance, risk management and compliance (GRC). This is a less technical area, relying more on process knowledge and an understanding of the regulatory environment. With debate over digital regulations set to spike in the near future, it will be important to stay up to speed on the changing requirements for doing business in the future.

The risk management part of GRC is an area that is new for many businesses. Back in the secure perimeter days, companies didn’t have to worry about which data carried the most risk. Everything was placed inside the secure perimeter and treated equally. Today, applications and data are essentially secured on an individual basis, and the costs of premium security for every component are prohibitive. Companies need to take a more granular approach and quantify specific risks against the costs of protection and mitigation.

Small companies are lagging their larger counterparts in several areas of risk management, but most notably in the area of data classification. This continues a historic trend of small companies underestimating the value of their data, and there is ample opportunity here for an outside expert to guide a firm through the exercise of data classification.

Chart: Areas of Focus for Risk Management (Large / Mid-sized / Small)
Use of cloud computing: 58% / 45% / 46%
Classification of data: 50% / 44% / 27%
Data warehouses: 49% / 44% / 33%
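The zero-trust paragraph above contrasts verifying every access request with trusting whatever sits inside the perimeter. As an added example (not code from the report or from CompTIA), the following evaluates the same constructed requests under both models so the difference is concrete: the perimeter check looks only at source address, while the zero-trust check verifies identity, MFA, device posture and authorization on each request and ignores network location. The 10.0.0.0/8 "corporate" range, the role-to-resource table and the sample requests are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORPORATE_NETWORK = ip_network("10.0.0.0/8")  # assumed internal address range

# Assumed authorization table: which roles may reach which resource.
RESOURCE_ROLES = {
    "hr-payroll": {"hr"},
    "source-repo": {"engineering"},
    "wiki": {"hr", "engineering", "sales"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str               # role carried in the identity provider's token
    token_valid: bool       # token signature and expiry verified
    mfa_verified: bool      # second factor completed for this session
    device_managed: bool    # device is enrolled in management
    device_compliant: bool  # encrypted, patched, endpoint agent healthy
    source_ip: str
    resource: str


def perimeter_decision(req):
    """Legacy model: anything inside the corporate network is trusted."""
    if ip_address(req.source_ip) in CORPORATE_NETWORK:
        return ("allow", "inside perimeter")
    return ("deny", "outside perimeter")


def zero_trust_decision(req):
    """Verify every request on its own merits; network location is not consulted."""
    if not req.token_valid:
        return ("deny", "identity not verified")
    if not req.mfa_verified:
        return ("deny", "MFA required")
    if not (req.device_managed and req.device_compliant):
        return ("deny", "device posture failed")
    if req.role not in RESOURCE_ROLES.get(req.resource, set()):
        return ("deny", f"role {req.role!r} not authorized for {req.resource!r}")
    return ("allow", "identity, device and authorization verified")


def compare(requests):
    """(user, perimeter verdict, zero-trust verdict) for each request."""
    return [(r.user, perimeter_decision(r)[0], zero_trust_decision(r)[0]) for r in requests]


# Constructed sample requests.
SAMPLE_REQUESTS = [
    # valid token replayed without MFA from an unmanaged device on the office LAN
    AccessRequest("mallory", "hr", True, False, False, False, "10.20.3.7", "hr-payroll"),
    # engineer working from home on a compliant, managed laptop
    AccessRequest("alice", "engineering", True, True, True, True, "203.0.113.45", "source-repo"),
    # staff member in the office asking for a resource outside their role
    AccessRequest("bob", "sales", True, True, True, True, "10.1.1.9", "source-repo"),
    # the same staff member asking for a resource their role is allowed
    AccessRequest("bob", "sales", True, True, True, True, "10.1.1.9", "wiki"),
]

if __name__ == "__main__":
    for user, perimeter, zero_trust in compare(SAMPLE_REQUESTS):
        print(f"{user:8} perimeter={perimeter:5} zero-trust={zero_trust}")
```

The first and third requests are the "don't trust what is inside" cases the report describes: the perimeter model admits both because the source address is internal, while the zero-trust check denies one for a missing second factor and unmanaged device and the other for lacking authorization. The second request shows the reverse, a legitimate remote worker whom the perimeter model cannot distinguish from an outsider.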
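The GRC passage above says companies should classify their data and quantify specific risks against the cost of protection rather than buying premium security for every component. The following is an added example, not code from the report or from CompTIA, of that comparison carried out per asset. It uses the standard annualized loss expectancy arithmetic (single loss expectancy = asset value x exposure factor; annualized loss = single loss x yearly occurrence rate), which the report does not itself prescribe; the classification tiers, the exposure factor attached to each tier, the assets and the candidate control are all constructed for illustration.

```python
from dataclasses import dataclass

# Assumed classification scheme: exposure factor = share of an asset's value
# lost in a typical incident involving data of that tier.
CLASSIFICATION_EXPOSURE = {
    "public": 0.05,
    "internal": 0.25,
    "confidential": 0.60,
    "restricted": 0.90,
}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    value_usd: float           # estimated business value (replacement, revenue, fines)
    incidents_per_year: float  # annualized rate of occurrence, from history or threat intel


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_usd: float
    effectiveness: float       # fraction of expected loss the control removes (0..1)


def annualized_loss(asset):
    """Expected yearly loss for one asset, given its classification tier."""
    exposure = CLASSIFICATION_EXPOSURE[asset.classification]
    single_loss = asset.value_usd * exposure
    return round(single_loss * asset.incidents_per_year, 2)


def evaluate_control(asset, control):
    """Does the yearly loss the control prevents on this asset exceed its yearly cost?"""
    ale = annualized_loss(asset)
    residual = round(ale * (1.0 - control.effectiveness), 2)
    net_benefit = round((ale - residual) - control.annual_cost_usd, 2)
    return {
        "asset": asset.name,
        "control": control.name,
        "ale": ale,
        "residual_ale": residual,
        "net_benefit": net_benefit,
        "justified": net_benefit > 0,
    }


def prioritize(assets, control):
    """Rank assets by how much applying the control would pay off, best first."""
    rows = [evaluate_control(a, control) for a in assets]
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample inventory and one candidate "premium" control.
ASSETS = [
    Asset("customer-db", "restricted", 2_000_000, 0.1),
    Asset("intranet-wiki", "internal", 200_000, 0.5),
    Asset("marketing-site", "public", 100_000, 1.0),
]
CONTROL = Control("managed detection and response", annual_cost_usd=40_000, effectiveness=0.6)

if __name__ == "__main__":
    for row in prioritize(ASSETS, CONTROL):
        verdict = "apply" if row["justified"] else "skip"
        print(f"{row['asset']:15} ALE={row['ale']:>10,.0f} net={row['net_benefit']:>10,.0f} {verdict}")
```

Run on the constructed inventory, the same $40,000 control is clearly justified on the restricted customer database (about $108,000 of expected loss removed) and not on the internal wiki or the public site, which is the granular, per-component decision the report contrasts with securing everything equally. The classification step matters because the exposure factor, not the raw asset value, is what separates the three results.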
THE CYBERSECURITY CHAIN

Building a comprehensive plan has several challenges. For the top levels of an organization to move past the belief that “security is good enough,” they must be properly educated on the nature of cybersecurity and the appropriate strategy and metrics. This requires security professionals to connect the security landscape to business objectives, including the risk of attacks, the impact of attacks, and the tradeoffs involved with mitigation.

Another challenge occurs at the lower levels, where the work is getting done. Cybersecurity has clearly moved away from being a side concern of the overall IT infrastructure plan. There is an incredible amount of complexity introduced by the shift to more proactive tactics, the changing regulatory environment, and the need to educate the entire workforce.

Chart: The Wide Range of Cybersecurity Functions

Although outside firms are not common as the focal point for security activity, they are a key component of overall security operations. Eight out of ten companies with an internal SOC also utilize external resources as part of their cybersecurity strategy. In fact, 79% of all firms that use outside resources use more than one firm for their security needs. This speaks to the high degree of specialization taking place in the security industry. Few companies have the means or the desire to build a comprehensive set of security resources. For CIOs, CISOs, and other individuals in charge of a SOC, the first order of business is determining which skills should be included in the SOC and which skills will be outsourced.
BUILDING CYBERSECURITY SKILLS

With so many cybersecurity skills needed for robust operations, companies need to be methodical in their approach to skill building. The process starts with foundational knowledge. Cybersecurity specialists have traditionally come from an IT infrastructure background; while there are now direct paths into cybersecurity job roles, those paths still feature training in basic areas. Networking, server administration and endpoint devices are the top three areas that companies cite as prerequisites before pursuing specific security skills.

Building on this foundational skill set, there are a wide range of IT security skills that contribute to success. Some skills have been in practice for quite some time. Network security and endpoint security are examples of skills that have long been part of a security strategy. Correspondingly, most companies view those skills as relatively current among their internal resources.

Moving up the skill stack, there are some skills that have become more important as cloud and mobility have become ingrained into IT operations. Consider the examples of identity management and application security. These fall in the middle of the pack, and even then the level of skill may be overstated. In the case of identity management, a company may be handling identity on their firewall but not utilizing a comprehensive identity and access management (IAM) tool to verify identity across multiple environments.

Finally, there are skills that are emerging as important parts of security monitoring and proactive tactics. Examples include data analysis, threat knowledge and the regulatory landscape. In the case of data analysis, companies are likely thinking only about more basic practices that have been in place for some time, rather than more advanced practices using massive data sets or machine learning algorithms. The other two skills fall to the bottom of the list.

Chart: Skills Viewed as Current within Internal Resources (Small / Mid-size / Large)

Even when companies believe that certain skills are relatively strong, there is a desire for further improvement. The consistency in the number of companies looking for significant improvement does not necessarily correlate to the current strength of that skill; rather, it is likely a statement of familiarity. Companies know more about network security, so they know exactly which areas need improvement. They know less about application security, so they simply know there’s a long way to go. Across the board, the number of companies looking for significant improvement has risen substantially since CompTIA’s similar research in 2018.

Chart: Improvement Needed across a Broad Set of Skills (Moderate improvement / Significant improvement)
Data security: 46% / 48%
Network security: 47% / 47%
Data analysis: 46% / 46%
Threat knowledge: 47% / 45%
Identity management: 44% / 47%
Application security: 49% / 42%
Endpoint security: 45% / 45%
Regulatory landscape: 46% / 41%
Cryptography: 41% / 44%

In order to expand their skill set, companies are turning to several different tactics. The primary focus is internal, whether it is training employees, bringing new specialists on board, or certifying the current workforce. Outside partnering is a less common option, but nearly four out of ten companies still say they are exploring the use of new partners, likely expecting those partnerships to fill a specific niche.
CYBERSECURITY INSURANCE

One of the more recent additions to the cybersecurity toolbox is cybersecurity insurance. Cyber insurance as a concept is relatively straightforward—as with other forms of insurance, companies pay premiums to ensure protection against the downside of cyber attacks. What makes cyber insurance interesting are the circumstances driving adoption and the details of the policies.

There has always been a tangible risk to cyber attacks. What has changed recently is the inevitability of an attack. In the old way of thinking, companies felt comfortable investing in their defenses with the hope that they could keep a breach from occurring. Now, it is widely accepted that breaches cannot be avoided. The fact that breaches are commonplace takes cyber insurance past the tipping point for adoption.

The most common coverage areas that companies consider in a policy are the areas most closely related to a security breach: restoring the data and determining what went wrong. From there, policy details depend on a holistic understanding of cybersecurity, such as knowing how third parties could lead to a security breach, or deep knowledge of breach impact, such as the loss of revenue while a breach is being repaired.

Chart: Common Areas of Cyber Insurance Coverage
Cost of restoring data 56%
Cost of finding root cause 47%
Coverage for third party incident 43%
Ransomware response 42%
RESEARCH METHODOLOGY

This quantitative study consisted of an online survey fielded to workforce professionals during August/September 2020. A total of 425 businesses based in the United States participated in the survey, yielding an overall margin of sampling error proxy at 95% confidence of +/- 4.9 percentage points. Sampling error is larger for subgroups of the data.

As with any survey, sampling error is only one source of possible error. While non-sampling error cannot be accurately calculated, precautionary steps were taken in all phases of the survey design, collection and processing of the data to minimize its influence.

CompTIA is responsible for all content and analysis. Any questions regarding the study should be directed to CompTIA Research / Market Intelligence staff at [email protected]. CompTIA is a member of the market research industry’s Insights Association and adheres to its internationally respected code of research standards and ethics.

ABOUT COMPTIA

The Computing Technology Industry Association (CompTIA) is a non-profit trade association serving as the voice of the information technology industry.

With approximately 2,000 member companies, 3,000 academic and training partners, 100,000-plus registered users and more than two million IT certifications issued, CompTIA is dedicated to advancing industry growth through educational programs, market research, networking events, professional certifications and public policy advocacy.

OTHER RESOURCES

RESEARCH
CompTIA publishes 20+ studies per year, adding to an archive of more than 100 research reports, briefs, case studies, ecosystems, and more. Much of this content includes workforce analyses, providing insights on jobs, skills, hiring practices, and professional development.
CompTIA Research Library

LEARNING | CERTIFICATION
CompTIA is the leading provider of vendor-neutral education and skills certifications for the world’s IT workforce. CompTIA has four certification categories that test different knowledge standards, from entry-level to expert, in cloud computing, mobility, Linux, networking, security, help desk and technical support, servers, project management and other mission-critical technologies.
CompTIA Certification and Resources

COMMUNITIES | COUNCILS
CompTIA member communities and councils are forums for sharing best practices, collaborative problem solving, and mentoring. Discussions frequently revolve around the types of technology trends covered in this report.
CompTIA Communities

PHILANTHROPY
As the leading charity of CompTIA, Creating IT Futures is taking on the tech workforce challenge through research, program development and partnering. The foundation creates on-ramps for more people to prepare for, secure and succeed in IT careers.
Creating IT Futures
APPENDIX

Chart: Hurdles for changing approach to IT security
Belief that current security is “good enough” 48%
Prioritization of other technology initiatives 39%

Chart: Desire to Improve Threat Understanding Differs Depending on Security Satisfaction (two panels; categories: Completely satisfactory; Mostly satisfactory; Adequate/unsatisfactory)

Chart: Nature of Discussion in Cybersecurity Chain (Large / Mid-sized / Small)
Comprehensive plan: 65% / 54% / 42%
General guidelines with basic buy-in: 29% / 36% / 44%
Isolated discussions: 5% / 7% / 8%
No overarching strategy: 1% / 3% / 7%

Chart: Most Firms Blend Internal and External Resources
Use of external resources with internal SOC:
Use third parties on an ongoing basis 50%
Use third parties on an occasional basis 30%
Do not use third parties 19%
Use of internal resources with external SOC:
Use internal resources with specialized security skills 45%
Use internal resources with general IT skills 41%
Do not have internal resources 14%

Chart: Types of Third Party Firms Used for Cybersecurity (categories: Firms with general IT services; Firms focused exclusively on cybersecurity; Firms focused on overall security (including physical security); Firms offering technical business services; values shown: 48%, 48%, 41%, 41%)

Chart: Typical Third Party Credentials/Affiliations
Part of Information Sharing and Analysis Organization (ISAO) 44%
SSAE 16 SOC1, SOC2, or SOC3 41%
NERC compliance 31%

Chart: Prerequisite Knowledge for Cybersecurity Roles
Networking 59%

Chart: Actions to Improve Effectiveness of Security Resources
Focused security reporting structure 46%