Beyond Boundaries - The Future of Cybersecurity in The New World of Work - Final - 081221
FORRESTER THOUGHT LEADERSHIP PAPER: A CUSTOM STUDY COMMISSIONED BY TENABLE | SEPTEMBER 2021
BEYOND BOUNDARIES: THE FUTURE OF CYBERSECURITY IN THE NEW WORLD OF WORK
future workforce strategy. The extent to which that strategy incorporates in-office vs. remote work models is being hammered out in real time, but one thing is certain: There’s no going back to the way things were prepandemic. A recent survey conducted by Fortune in collaboration with Deloitte revealed that an astounding 75% of CEOs expect their office spaces to shrink in the future due

As organizations shift out of crisis mode and adjust to a new world of work that combines in-office and remote work models, CISOs and other information security leaders must: 1) reevaluate their approach to maintaining security in these highly dynamic and disparate environments and 2) realign themselves to the business

model. Over a year into the pandemic, 78% still have some portion of their employees working from home, roughly half report 50% or more working remotely, and 70% say their organizations will have employees working from home one or more days a week within the next 12 to 24 months.

Tenable commissioned Forrester Consulting to conduct an online survey of 426 security leaders, 422 business executives, and 479 remote workers (i.e., full-time employees working three or more days from home) as well as in-depth telephonic interviews with

The home network is now the corporate network.
proliferate as organizations’ attack surfaces continue to expand far beyond office walls, to home office networks, personal devices, the cloud, and third-party partners. Ninety-two percent of executives report their organizations experienced a business-impacting cyberattack or compromise within the past 12 months — that is, one resulting in: the loss of customer,

COVID-19-related malware or phishing attacks over the past year, making it the number one mode of compromise. Other common means of attack included fraud, data breaches, ransomware, software vulnerabilities, malicious insider compromises, and the theft of intellectual property.

Foundational investments in cybersecurity will be a

credential/identity access management will also get a budgetary boost, cited by 66% and 65%, respectively.

The pandemic opened the door for multiple forms of attack. With the shift to remote work, where employees are no longer confined to the network with a static set of managed devices, security policies and technologies that are focused on perimeter-based attacks won’t cut it. Forty-three percent
Quick Take
WHAT HAPPENED
Remote work, previously the province of a select few road
warriors and executives, became ubiquitous in response
to the pandemic.
HOW IT HELPED ATTACKERS
Organizations’ singular attack surface atomized virtually
overnight into a myriad of smaller and less-controlled
attack surfaces, many lacking security controls. Corporate
endpoint devices dependent on perimeter-based security
were taken outside of that perimeter while unmanaged
devices proliferated. This enabled a range of new attack
paths through which to penetrate corporate networks.
WHAT IT MEANT FOR SECURITY LEADERS
The importance of aligning cybersecurity to business strategy was elevated through an increase in attacks, the need to rethink what’s considered an “asset,” the need to reassess what’s being defined as a “vulnerability,” and the need to keep employees productive and safe.

“Just a few months into being remote, we saw a massive spike in the number of phishing emails, attempts to penetrate the network. Our CISO probably put out an email a week on a new, innovative way that somebody was trying to get into the system.”
Senior VP and CISO, technology
[Figure: Security And Business Leaders Report Increased Risk Due To: Changes Sparked By The Pandemic. Surviving fragments: 59%; Moving non-business-critical]
Base: Variable; security leaders and business executives with responsibility over cybersecurity/security strategies and budgets implementing changes in response to the COVID-19 pandemic
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021
cybersecurity policies.

or very important. And for 63%, it’s important that they guard their organization’s IP. But even with that, some find their organizations’ security measures restrictive or inconvenient. It therefore comes as little surprise

authentication, accessing company systems and data via VPN only, not connecting via public Wi-Fi, and avoiding the use of personal devices for work. And unless employees are taking the right steps every time, your organization is open to risk.

into employee security practices.*

56% are, at best, only somewhat confident that employees are taking adequate measures to protect their organization's data, IP, and systems.**
Base: 479 full-time employees working from home three or more days a week
*Base: 393 security leaders with responsibility over cybersecurity/security strategies and budgets at organizations enabling a remote workforce
**Base: 426 security leaders with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021
Quick Take
WHAT HAPPENED
A plethora of new tools and systems were implemented
in haste, opening the door for misconfiguration, software
supply chain issues, and employee misuse.
HOW IT HELPED ATTACKERS
Third-party vendors and remote employees were ripe
for exploitation.
WHAT IT MEANT FOR SECURITY LEADERS
The need to reevaluate cybersecurity strategy to align
with the new realities of the workplace remains.
Picture a home office. What do you see? A desk-chair-monitor setup, in a spare bedroom? What you may not picture is the myriad of people and devices connecting to the very same home network that is linking your remote employee to your customer data, intellectual property, and systems. Our study found that 98% of remote workers use at least one personal device for work every day. But that’s just the tip of the iceberg: Remote workers have an average of eight devices connecting to their home network, including employer-provisioned devices, personal devices, appliances, wearables, and gaming systems. And, on average, each remote worker has three people in their household with devices connecting to the same home network. Six out of 10 security leaders indicate that the risk posed by employee home networks and personal devices has increased since the beginning of the pandemic. Without the ability to understand the device and the network, security leaders need to control user access.
[Figure: callout statistics 64%, 62% and 54%. Surviving label fragments: “device used in a remote work environment.”; “Result from VPN flaws or misconfigurations.”; “lack this level of visibility into remote employee-”]
Base: 783 security leaders and business executives with responsibility over cybersecurity/security strategies and budgets at organizations experiencing a business-impacting cyberattack within the past 12 months
*Base: Variable; security leaders with responsibility over cybersecurity/security strategies and budgets identifying elements included in their organization’s attack surface
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021
“Thinking about your organization’s workforce strategy, how confident are you that your

It’s 9:00 A.M.

What does this mean? It means that even if you set your employees up with a laptop, PC, or other device when you moved to a remote work model, chances are there’s a significant amount of company data and information

48% 42%

73% say the risk posed to their organizations’ data has increased since the onset of COVID-19.
Base: 426 security leaders with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021
Unsanctioned applications are a significant threat vector for organizations. Seven out of 10 security leaders indicate that these apps pose a greater risk to their organization than they did before the pandemic began; however, 60% of security leaders say they lack a high level of visibility into unsanctioned applications. “IT-provisioned” doesn’t always mean “risk-free.” Information technology, operational technology, and applications which are provisioned by IT all currently present elevated risks. Indeed, 74% of business and security leaders attribute recent business-impacting attacks to vulnerabilities in systems or applications that were put in place as a
72% Non-IT-provisioned applications
50% Information technology
48% Operational technology
40% IT-provisioned applications
Base: 426 security leaders with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021
Cloud Proves Its Mettle As A Business

matter of weeks. According to our survey, 42% of security leaders report their organizations have moved business-critical functions to the cloud as a result of the pandemic, while 36% have moved non-business-critical functions to the cloud. Notably, accounting/finance and human resources were the business-critical functions most likely to be moved to the cloud in direct response to the pandemic — applications that are traditionally hosted on-premises.

Among those running business-critical functions in the cloud, here’s who moved these functions to the
Human resources 31% 85%
Information services 30% 84%
Sales 30% 37%
Facilities management
The pandemic was far from the only anxiety-inducing event that caused organizations to rethink their approaches to cybersecurity this past year. The SolarWinds attack cast a harsh light on software supply chain vulnerabilities and gaps in product security processes and oversight. And while roughly half of security leaders report increased risk exposure via third-party vendors, few have adequate visibility into these partners.*

of security leaders say their organizations have an elevated exposure to risk through third-party vendors since the onset of the pandemic.
Base: 426 security leaders with responsibility over cybersecurity/security strategies and budgets
*Base: 410 security leaders with responsibility over cybersecurity/security strategies and budgets identifying third-party vendors/partners as part of their organization’s attack surface
**Base: 848 security leaders and business executives with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021
Quick Take
WHAT'S HAPPENING
Organizations are rethinking their investments
in people and technology to secure the new world
of work.
HOW IT HELPS ATTACKERS
As new workers and new technologies are brought
up to speed, attackers will be able to exploit
inexperienced workers and blind spots.
WHAT IT MEANS FOR SECURITY LEADERS
Security leaders need a seat at the table when it comes to adopting new technologies. It’s necessary for them to work with business executives in order to establish new risk profiles and new business continuity and disaster response plans to prepare for what’s next.

“We typically maintain a running 24- to 36-month roadmap for information security. We pretty much threw that out. And because so many of the risks in our risk register had changed so significantly, we said anything that we were planning on doing in 2019 or early 2020 is irrelevant at this point.”
VP and CISO, business process outsourcing and human capital management
The New World Of Work Will Require

best practices to carry forward — as well as those

the next two years.

With the rise of cloud services, the expansion of the software

decisions made as part of the 2020 crisis response and identify

what were the things that we had to implement immediately to lock down
President and CEO, US, IT consulting
As enterprise security and business leaders turn their eyes forward, 70% feel their business continuity and disaster response (BC/DR) strategies are well-positioned to meet future workforce needs. Just 52%, however, think they’re well-prepared when it comes to aligning

cybersecurity, data privacy, and supply chain visibility will be a more central part of their BC/DR plans as they develop the next phase of their workforce strategy.
Base: 848 security leaders and business executives with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021
Foundational Investments In Cybersecurity

leaders also plan to beef up their teams to better monitor and secure their organizations’ attack surfaces: 64% of those lacking staff plan

“For each of the following technology categories, how will your organization’s investments change
Vulnerability management/risk-based vulnerability management 74%
66% Endpoint security
65% Credential management, identity access management, privileged access management
Base: 426 security leaders with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021
circumvent security policies. For a remote worker, depending on your technology to get work done, a poor user experience may be one of your greatest risks in the future of work.

how users are configured and managed. Establishing risk profiles that are able to adjust security measures, based on changing conditions, behaviors, or locations, is essential to protecting data in the future of work. These profiles should include behavior data to identify whether or not an employee is truly who they say they are, i.e., users should be verified from the way they hold their device, swipe a touchscreen, etc. This granular level of behavioral analytics will greatly improve security.

Perimeter-based methods no longer apply; it's time for a Zero Trust Model.

Let’s face it — neither your employees nor your

segmentation, attackers can leverage vulnerabilities in the environment, move laterally, and infect other enterprise assets, such as what is seen with ransomware. Malicious actors can easily move between vulnerable employee endpoints and unmanaged consumer devices to corporate assets. In most cases, you will need multiple levels of authentication to enable employees’ access to corporate info — something they have (e.g., certificate, device compliance check, etc.) and something they are (e.g., fingerprint or other biometrics). Passwords are a poor user experience, and most employees will simply write them down rather than remember them. So again, a poor user experience will breed insufficient security.

Start your Zero Trust journey with a few simple steps.

Organizations are often under the assumption that achieving Zero

the basics of Zero Trust and understanding what key assets the organization is trying to protect, with data sitting at the top of the list. Identifying where data lives, its criticality, and who has access lays the groundwork for a broader trust foundation about who can and/or should access that data, from where and when, and how to monitor and secure it. Take this inventory, and then make a list of all the large enterprise risks that could jeopardize critical assets. Oftentimes, organizations start with identity and device management.

While a simple two-factor authentication, combined with a device compliance check and the security team’s ability to continuously monitor these tools, is not entirely sufficient, it will eliminate a majority of enterprise risks and get you started on the way toward true Zero Trust. Finally, tie this back to endpoint device risk wherever possible to give more risk context to your other security controls.

endpoints when balancing security with user productivity and access controls on your homeworker devices.
Methodology
in-depth telephonic interviews with six business and security executives, to examine cybersecurity strategies and practices at large enterprises in the US, the UK, Germany, France, Australia, Mexico, India, Brazil, Japan, and Saudi Arabia. The study was fielded in April 2021.

Demographics
20,000 or more 9%
5,000 to 19,999 36%
1,000 to 4,999 55%

Security 32%
Business 32%
Remote worker 36%

JOB LEVEL: SECURITY
Senior-most IT or security decision-maker 25%
VP in IT or security 36%
Director in IT or security 39%

JOB LEVEL: BUSINESS
Senior-most business leader 29%
Senior risk/compliance leader 32%
Executive in line of business or function 26%
Board member 14%

Note: Percentages may not total 100 because of rounding.
Base: 426 security leaders and 425 business executives with responsibility over cybersecurity/security strategies and budgets and 479 remote workers working from home three or more days a week
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

ENDNOTES
1 Source: Lance Lambert, “Work-from-home isn't going away: Only 4% of CEOs plan to add office space,” Fortune, February 4, 2021 (https://fortune.com/2021/02/04/work-from-home-isnt-going-away-say-ceos/).
Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester’s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting.

© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to forrester.com. [O-00059404]

Project Director:
Heather Vallis, Director & Principal Market Impact Consultant

Contributing Research:
Forrester’s Security & Risk research group
Additional Data

“How many times did your organization experience a business-impacting cyberattack or compromise within
4: 26% 28% 33% 18% 19% 21% 19% 21% 13% 15%
5 OR MORE: 29% 39% 39% 57% 29% 30% 62% 33% 29% 17%

TARGET REMOTE WORKERS/EMPLOYEES WORKING FROM HOME.: 73% 72% 65% 66% 56% 72% 69% 57% 68% 71%
RESULT FROM VULNERABILITIES IN SYSTEMS AND/OR APPLICATIONS YOUR ORGANIZATION PUT IN PLACE IN RESPONSE TO THE COVID-19 PANDEMIC.: 70% 75% 70% 78% 71% 64% 74% 86% 72% 75%
RESULT FROM A THIRD-PARTY SOFTWARE VENDOR COMPROMISE.: 59% 68% 76% 72% 63% 72% 59% 63% 58% 59%

“What impact do these changes have on your organization’s exposure to cyber risk?”
(Showing “Somewhat” or “Significantly more exposure to cyber risk” responses)
ENABLE(D) REMOTE WORKFORCE/EMPLOYEES WORKING FROM HOME: 84% 84% 80% 73% 76% 82% 80% 89% 78% 83%
MOVE(D) NON-BUSINESS-CRITICAL FUNCTIONS TO THE CLOUD: 84% 84% 80% 73% 76% 82% 80% 89% 78% 83%
Base: Varies; security leaders and business executives with responsibility over cybersecurity/security strategies and budgets implementing changes in response to the COVID-19 pandemic
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

“Which of the following types or sources of information do you access with the personal devices you use for work?”
CUSTOMER DATA: 51% 55% 64% 50% — — 59% 54% 37% 67%
FINANCIAL RECORDS: 43% 38% 23% 36% — — 40% 35% 28% 35%

“What level of security staffing do you have to monitor your organization’s attack surface/vectors?”
STAFF TO ADEQUATELY MONITOR OUR ATTACK SURFACE/VECTORS.: 29% 12% 44% 31% 29% — 39% — 30% 41%

“What challenges does your organization face, or do you anticipate it will face, when supporting a remote workforce?”
LACK OF VISIBILITY

“To what degree do you follow or use each of the following security measures and guidelines your organization may have in place around remote work?”
(Showing “Strictly follow” or “Use” responses)