The rapid spread of the COVID-19 pandemic has caused changes in societal life that is having a profound impact on the global economy. In the attempt to deal with the pandemic, governments around the world have instituted social distancing practices and stay at home advisories designed to slow, and ultimately stop, the spread of the virus. For corporations, operating in this environment brings new challenges that must be addressed as they attempt to keep employees, customers and partners safe, while also keeping business operations running.
Providing continuity in business operations in these times requires a heavy reliance on technologies that will support work from home employees, partners and customers all interacting with the business in different ways. As technologies like remote access VPNs, public cloud services, and in-home Wifi are put in place to support this new work environment, there is a broader attack surface and new vulnerabilities that potentially expose companies to new security risks. Organizations must plan for these risks by updating existing security policies, testing security controls to new threats, and implement incident response and readiness plans that must be implemented.
Near-Term Security Priorities Help Keep Security Services Spending Strong
These become the near-term security priorities for organizations as they attempt keep business operations running during the COVID-19 crisis. Subsequently, IDC expects spending on security related professional and managed services to remain strong.
Professional Security Services
In the area of professional security services, we believe spending in the near-term will increase in areas directly related to securing the new work environment. Developing overall security awareness programs for employees that are now conducing work from home is essential to protect against the expected increases in malware and phishing attacks.
Given the changes to existing IT architectures, conducting risk and vulnerabilities assessments will help understand the threats that organizations need to protect against. While these engagements are typically conducted in-person, they will now be conducted virtually. IDC has talked to many security services firms that are already conducting meetings such as these virtually.
IDC expects to see increased activity in vulnerability management solutions as testing the effectiveness of security controls in a changing IT environment takes on increasing importance. Vulnerability scanning, breach simulation and pen testing are all areas that will experience increase spending.
Lastly, and most importantly, establishing an incident response plan is now a business imperative to ensure resiliency. Even prior to the COVID-19 pandemic, IDC had begun to witness a change in the mindset of many organizations regarding response. Many organizations were spending most of their security budget on implementing solutions to mitigate threats rather than developing a comprehensive incident response plan. This thinking has changed, and IDC believes COVID-19 will help to highlight the importance of having incident response and resiliency plans in place for crisis situations.
Managed Security Services
In managed security services (MSS), IDC expects to see several developments due to COVID-19. Because of the nature of their contracts, managed security service providers (MSSPs) are typically shielded from downturns. However, MSSPs that serve a significant portion of small-to-medium sized enterprises will find their business most at risk as companies in this segment are the most negatively impacted by COVID-19.
The financial challenges represented by these existing contracts will be partly offset by increased demand for MSSP solutions from companies that need to augment their existing security operations staff. Managed services is the fastest growing segment of the security services market, and IDC does not expect the fallout from COVID-19 to change in this trend. It is difficult to predict what spending on security services will look for the remainder of 2020 and beyond as the situation with COVID-19 remains uncertain. However, IDC has developed a point of view based on security services spending leading up to the recession in 2008 and the years after. This analysis below looks at Global GDP, Global ICT spend, Global IT Services spend, and Global Security Services spend for the years 2006 through 2010.
Comparison of GDP, Global ICT Spend, Global IT Services Spend, Global Security Services Spend
| 2006 | 2007 | 2008 | 2009 | 2010 | |
|---|---|---|---|---|---|
| Global GDP | $60,720,488,421,950 | $63,259,518,020,148 | $64,399,690,013,189 | $63,278,666,091,537 | $66,036,387,107,063 |
| yr-yr change | 4.2% | 1.8% | -1.7% | 4.4% | |
| Global ICT Spend | $2,567,439,400,097 | $2,717,871,265,282 | $2,797,053,700,928 | $2,799,586,943,273 | $2,968,521,794,004 |
| yr-yr change | 5.9% | 2.9% | 0.1% | 6.0% | |
| Global IT Services Spend | $483,656,040,788 | $518,099,677,285 | $545,796,392,793 | $532,351,775,821 | $545,204672,909 |
| yr-yr change | 7.1% | 1.3% | -2.5% | 2.4% | |
| Global Security Services Spend | $17,134,000,000 | $20,242,000,000 | $23,825,000,000 | $27,958,000,000 | $32,594,000,000 |
| yr-yr change | 18.1% | 17.7% | 17.3% | 16.6% |
Source: GDP Data: https://www.worldometers.info/gdp/, IDC
As the table depicts, security services spend remained strong through the recession relative to total ICT and IT services spend. While it is difficult to compare the impacts of the current situation with COVID-19 with the recession of 2008, it does highlight the importance of security as a strategic priority to organizations relative to other areas of ICT.
Security Service Providers are Seeing Myriad Impacts from COVID-19
In conversations with security service providers regarding COVID-19 impact, we’re hearing themes that run the gamut and create a near-term zero-sum gain in IDC’s security services forecast. Areas of professional security services, such as large consulting engagements to securely move systems like HR or finance, are stalled, while securing digital transformation and cloud migration projects are accelerating with the need for an entirely internet-based workforce.
Managed Security Service Providers and Managed Detection and Response (MDR) providers tell us that business is booming both in the manage/monitor arena and on the response side. This makes sense as company employees can’t go into security operations centers without a mobile disaster plan in place and are scrambling for assistance from providers that do have this in place.
What to Expect from COVID-19
In the very near term, and if COVID-19 is a short-lived anomaly to our workforce, MSS will possibly see hockey stick growth. But in the mid-term to longer term it is much more likely both that MSS will also see a zero-sum gain. Those companies that need the critical services of an MSSP or MDR provider will be offset by the smaller and midmarket firms that declare insolvency and renege on existing contracts.
The zero-sum gain in the US security services forecast is borne out from a different perspective in the recent IDC COVID-19 Impact on IT Spending Survey (March, 2020). The 100-person respondent pool from enterprises of 1000 employees or more was asked to indicate their level of expectation for the control of COVID-19 within the U.S. on a four-level scale:
- Very Optimistic, will soon be under control
- Cautiously optimistic, will come under control but take longer
- Pessimistic, will be very difficult to control
- Don’t know, too many factors to consider
At the macro level, the very optimistic (50%) believe more strongly than the cautiously optimistic (32%) that the impact will be very large to the economy with GDP taking at least a 5% hit. When we pull back the layers of the onion in security spend specifically, we see a different story. In a series of questions posed to industry participants, respondents were asked to compare their organization’s originally budgeted Q2 (April to June 2020) IT spending plans to how they think their actual spending on security products and services will be affected due to COVID-19.
Worldwide the split between increase and decrease of spend was close: 38% think spend would decrease in security; 32% believe it would increase; and 28% say there would be no impact. In the U.S. those ratios become even closer; 39% predict a decrease and 37% forsee an increase. Roughly a quarter of the respondents believe there will be no impact. Interestingly, averaging the very optimistic and cautiously optimistic responses yield similar ratios.
COVID-19 Impact on Security Spending
| Worldwide | US | Optimistic* | |
|---|---|---|---|
| Decrease Spend on Security Products & Services | %38 | 39% | 38% |
| Increase Spend on Security Products & Services | 32% | 37% | 36% |
| No impact to Spend on Security Products & Services | 28% | 23% | 25% |
* Averaged responses from “Very Optimistic, will soon be under control” and “Cautiously optimistic, will come under control but take longer.”
IDC’s security services team has published a broad view of short, mid and long-term impacts to the security services market from anecdotal conversations with providers (see “COVID-19 Implications for Security Services”, April 2020, Doc# US46192319), and in coming days expects to restate the forecast (see “Worldwide and U.S. Comprehensive Security Services Forecast, 2019–2023“, May 2019, Doc# US44976419) for the U.S. to support the needs of all corporate stakeholders that are now interacting with an employee base that is working from home.
The coronavirus (COVID-19) pandemic is impacting the global economy at nearly every level. Anticipate market challenges and keep business moving with IDC’s extensive COVID-19 research and advice.
Curtis Price, Program Vice President, Infrastructure Services, also contributed to this piece.
