State of Remote Work Security

A Security Conference Flash Survey

ETR Research | Erik Bradley | June 03, 2022

Introduction & Summary

As soon as the severity and impact of the COVID-19 pandemic materialized, ETR leveraged the expertise of its IT Decision Maker (ITDM) community to launch a real-time survey on the potential impacts the virus and ensuing work from home shift would have on the enterprise technology landscape. That survey launched on March 9th, 2020, and captured ~1,000 participants yielding findings on budget impacts, work from home trends, hiring freezes, stalled IT projects, and remote work security – just to name a few.  

The topic has been a constant thread in ETR Insights’ research ever since but is dynamic and impactful enough to warrant continuous monitoring. Therefore, we recently conducted a flash survey at a regional information security conference to check in on the current state of remote work security. What we found was that most organizations still support the majority of employees in a remote or hybrid working model, with more than 70% of respondents stating that 50-100% of their company users remain fully or partially remote. 

With the preponderance of users still working remotely, our survey next determined that organizations prioritize Identity Access Management tools like MFA and Privileged Account Management strategies to support their user-based security. When reviewing overall remote security, Endpoints landed as the highest-ranking priority with Network security coming in materially lower, a result that coincides with the proliferation of connected devices and increasing Cloud/SaaS workloads that remote work cultivates.

To deploy these security priorities, survey respondents rely on a “best of breed” approach that utilizes multiple vendors, with 47% citing this strategy. The outsourced strategy of hiring a Managed Security Service Provider (MSSP) came in at a close second, capturing 41%, and a surprisingly sparse number stated that using a platform approach with a single, primary vendor (Palo, Microsoft, Cisco, etc.) was their preferred strategy.

Going beyond vendor strategies, the survey respondents highlighted email Phishing training as their most important non-vendor approach (68%), with Penetration testing also receiving high results (45%), and outsourced employee education coming in the lowest with only 27% of responses. Lastly, our survey gauged the overall perception of remote security preparedness, where slightly more than 68% of respondents graded their organization’s maturity in remote work security positively.

Results from the Flash Survey

The ETR Insights team attended a recent cyber security-focused conference, where twenty-two people (about 44% of conference attendees) were screened for relevant experience and applicable credentials and completed a flash survey on the current state of remote work security during the event. The focus of the survey was to gauge current remote and hybrid work percentages, the perceived state of security around remote work, as well as areas of priority and vendor strategies.

We begin by gauging the overall state of remote versus in-office work, where we see that the frequency of return-to-the-office headlines does not accurately reflect the reality of most employers. Instead, the data shows that most people still work in remote or hybrid roles. In fact, 72% of respondents indicated that 50-100% of their organization’s employees remain hybrid or remote (see Figure 1). Only 9% stated having no remote work model versus 27% citing a 90-100% remote/hybrid environment.

With so many employees working outside of office walls, our next question focused on user-based security, asking the professionals at the conference which security features their organizations prioritized (see Figure 2 below).

The results showed that Identity Access Management (IAM) and its accompanying Multi-Factor Authentication (MFA) feature set was the highest priority for user-based security, chosen by ~82% of respondents. Leading vendors like Okta / Auth0, Ping Identity, and larger platform security players like Cisco and Microsoft will applaud these results.

The second highest User-based security priority for our respondents was Privileged Account Management (PAM), where ETR data shows CyberArk remains the leader in what is becoming an increasingly competitive space, among notable and newer competition such as BeyondTrust, Thycotic, Centrify, and even HashiCorp Vault (to name only a few). Meanwhile, User Behavior Analytics (UBEA) and Micro-Segmentation features were cited as much lower priorities. While many security companies play in those areas, Varonis and Illumio (respectively) are often viewed as leading pure plays in those markets.

Continuing to dive deeper into how organizations are choosing to secure themselves in the remote work era, we took a higher-level approach by asking which pillars of security were the highest priority overall. The results were surprising in that the User-based security pillar was chosen as the lowest priority (23%), with Endpoint security taking the lead position by a wide margin (47%), and Networking also coming in low at 29% of respondents (see Figure 3).

After gathering data on security priorities, we moved into the methods companies utilize to deploy their remote work strategies. (Figure 4 below).

Here we see that a “best of breed” approach that employs multiple vendors specifically within their areas of core expertise is most often utilized by the survey respondents queried, with 47% citing this strategy. While often a more expensive approach, ITDM commentary from ETR Insights corroborates these findings and adds that a layered, “best of breed” defense has a much higher perception of relative security.

Not far behind, the outsourced strategy of hiring a Managed Security Service Provider (MSSP) was cited by 41%. ETR Insights commentary suggests that MSSPs provide a high level of security expertise without the added cost of attracting, managing, training, and retaining full-time employees. Another surprising result from this survey was the lower than anticipated selection of a platform approach to security. Despite the tremendous efforts Microsoft has made to push into the security market, combined with their overall dominating presence, there is still plenty of market share for pure-play security vendors to capture. Other vendors that offer platform security services include Palo Alto Networks, Cisco, and Fortinet (among others).

Looking beyond vendors & tools, the ETR research team polled our survey takers on what other management and operational programs their organizations rely on to bolster remote work security. (See Figure 5).

Capturing 68% of the total responses, Phishing training for email security was the highest-ranked, non-vendor-related strategy cited in this survey. Penetration Testing came in quite high with 45% of total responses, maintaining a Breach response playbook captured 32%, and outsourcing education and training for employees was the lowest-ranked response with only 27%.

Lastly, after updating the percentage of remote workers, the priorities, and the strategies, ETR was interested in gauging the overall perception of our respondents’ remote work security preparedness. In this question, we asked each survey taker to rank where their organization was currently situated within its overall remote work security journey on a scale from 1 to 10. (Figure 6).

As one would expect from security professionals tasked with securing work environments, the respondents were optimistic about their efforts. Slightly more than 68% of applicable respondents graded their organization’s maturity in remote work security positively, with a range between 7 and 10. In fact, the most often cited grade was a 10 out of 10, with 26% of respondents giving their organization a perfect score. On the opposite end of the spectrum, a worrisome 16% reviewed their maturity within the 0-2 range; meanwhile, the remaining 16% were self-graded “C-students” falling within the median 4-6 range.
