Beyond Boundaries - The Future of Cybersecurity in The New World of Work - Final - 081221

Beyond Boundaries: The Future Of Cybersecurity In The New World Of Work

FORRESTER THOUGHT LEADERSHIP PAPER: A CUSTOM STUDY COMMISSIONED BY TENABLE | SEPTEMBER 2021

Securing The New World Of Work Requires A New Mindset

Every business now stands at a crossroads where they must consider the lessons of fully remote work when designing their future workforce strategy. The extent to which that strategy incorporates in-office vs. remote work models is being hammered out in real time, but one thing is certain: There’s no going back to the way things were prepandemic. A recent survey conducted by Fortune in collaboration with Deloitte revealed that an astounding 75% of CEOs expect their office spaces to shrink in the future due to remote work.1

The pandemic response has accelerated the pace of technological adoption, with IT and security teams turning to cloud-based solutions, expanding their software supply chain, and quickly rolling out tools for connectivity, collaboration, and productivity — oftentimes without a thorough vetting process. Employees en masse are now accessing sensitive intellectual property and data outside the confines of both the office and the traditional network perimeter on unmanaged devices. And while these changes are enabling organizations to pivot their business operations and improve employees’ experiences, they’re also setting the stage for increased risk.

As organizations shift out of crisis mode and adjust to a new world of work that combines in-office and remote work models, CISOs and other information security leaders must: 1) reevaluate their approach to maintaining security in these highly dynamic and disparate environments and 2) realign themselves to the business in order to effectively reduce risk. If cybersecurity strategies fail to keep pace with business changes, today’s risk could become tomorrow’s reality.

Key Findings

Tenable commissioned Forrester Consulting to conduct an online survey of 426 security leaders, 422 business executives, and 479 remote workers (i.e., full-time employees working three or more days from home) as well as in-depth telephonic interviews with six business and security executives. The study explored how the operational shifts that large enterprises made in response to the pandemic will continue to transform the way cybersecurity risk is managed in the foreseeable future. This study, conducted in April 2021, revealed five key takeaways:

Remote work is here to stay. Organizations shifted from being largely in office to entirely remote in a blink of an eye. Within the first few months of the pandemic, nearly six out of 10 organizations moved to a 100% work-from-home model. Over a year into the pandemic, 78% still have some portion of their employees working from home, roughly half report 50% or more working remotely, and 70% say their organizations will have employees working from home one or more days a week within the next 12 to 24 months.

The home network is now the corporate network. Over half of remote workers access customer data using a personal device, while 77% say they have six or more devices connecting to their home network. This presents a significant challenge for security teams: 43% of security leaders say they lack visibility into employee home networks and connected devices, and just 33% feel they have enough staff to adequately monitor their organizations’ attack surfaces. There is some good news for those security teams lacking manpower: 64% plan to add staff over the next 12 to 24 months.

Where opportunity knocks, attackers enter. Cyberattacks proliferate as organizations’ attack surfaces continue to expand far beyond office walls, to home office networks, personal devices, the cloud, and third-party partners. Ninety-two percent of executives report their organizations experienced a business-impacting cyberattack or compromise within the past 12 months — that is, one resulting in: the loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property. And 70% were victims of three or more attacks. Sixty-seven percent say these attacks targeted remote workers, and 74% say at least one attack resulted from vulnerabilities in systems put in place as a response to the COVID-19 pandemic.

The pandemic opened the door for multiple forms of attack. With the shift to remote work, where employees are no longer confined to the network with a static set of managed devices, security policies and technologies that are focused on perimeter-based attacks won’t cut it. Forty-three percent of respondents note that their organizations experienced COVID-19-related malware or phishing attacks over the past year, making it the number one mode of compromise. Other common means of attack included fraud, data breaches, ransomware, software vulnerabilities, malicious insider compromises, and the theft of intellectual property.

Foundational investments in cybersecurity will be a priority in this new world of work. Organizations will be shoring up their defenses to support the next phase of their workforce model, boosting investments across the board. Eight out of 10 security leaders say they will be increasing their spending for network and data security, while roughly three-quarters will spend more on vulnerability management and cloud security. Endpoint security and credential/identity access management will also get a budgetary boost, cited by 66% and 65%, respectively.

Quick Take
WHAT HAPPENED
Remote work, previously the province of a select few road
warriors and executives, became ubiquitous in response
to the pandemic.
HOW IT HELPED ATTACKERS
Organizations’ singular attack surface atomized virtually
overnight into a myriad of smaller and less-controlled
attack surfaces, many lacking security controls. Corporate
endpoint devices dependent on perimeter-based security
were taken outside of that perimeter while unmanaged
devices proliferated. This enabled a range of new attack
paths through which to penetrate corporate networks.
WHAT IT MEANT FOR SECURITY LEADERS
The importance of aligning cybersecurity to business strategy was elevated through an increase in attacks, the need to rethink what’s considered an “asset,” the need to reassess what’s being defined as a “vulnerability,” and the need to keep employees productive and safe.

“Just a few months into being remote, we saw a massive spike in the number of phishing emails, attempts to penetrate the network. Our CISO probably put out an email a week on a new, innovative way that somebody was trying to get into the system.”
Senior VP and CISO, technology

Changes Sparked By The Pandemic Leave A Legacy Of Risk

In response to the challenges presented by the pandemic, organizations migrated both business-critical and non-business-critical functions to the cloud, while others added to their portfolio of third-party partners to meet immediate software needs. These adjustments helped organizations to meet operational and technology needs, but they also heightened levels of risk. Eight out of 10 security and business leaders indicate their organizations have more exposure to risk today as a result of both moving to a remote workforce model and migrating business-critical functions to the cloud in response to COVID-19-related challenges. Six out of 10 report increased risk related to expanding their software supply chain.

Security And Business Leaders Report Increased Risk Due To:
80%: Moving business-critical functions to the cloud.
80%: Enabling a remote workforce.
61%: Expanding our software supply chain.
59%: Moving non-business-critical functions to the cloud.

Base: Variable; security leaders and business executives with responsibility over cybersecurity/security strategies and budgets implementing changes in response to the COVID-19 pandemic
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

Even The Best-Laid Plans Don’t Necessarily Mean 100% Compliance

Most employees working from home recognize they have a responsibility to protect their company’s data: 81% of remote workers consider the task of ensuring that customer data is protected to be either somewhat or very important. And for 63%, it’s important that they guard their organization’s IP. But even with that, some find their organizations’ security measures restrictive or inconvenient. It therefore comes as little surprise that no more than 34% of home workers strictly follow their organizations’ security guidelines and measures, including verifying their identity using multifactor authentication, accessing company systems and data via VPN only, not connecting via public Wi-Fi, and avoiding the use of personal devices for work. And unless employees are taking the right steps every time, your organization is open to risk.

44% of remote workers feel cybersecurity restrictions and policies make them less productive.
36% delay applying updates to devices.
27% admit to sometimes ignoring or going around cybersecurity policies.
62% of security leaders report a lack of visibility into employee security practices.*
56% are, at best, only somewhat confident that employees are taking adequate measures to protect their organization’s data, IP, and systems.**

Base: 479 full-time employees working from home three or more days a week
*Base: 393 security leaders with responsibility over cybersecurity/security strategies and budgets at organizations enabling a remote workforce
**Base: 426 security leaders with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

Quick Take
WHAT HAPPENED
A plethora of new tools and systems were implemented
in haste, opening the door for misconfiguration, software
supply chain issues, and employee misuse.
HOW IT HELPED ATTACKERS
Third-party vendors and remote employees were ripe
for exploitation.
WHAT IT MEANT FOR SECURITY LEADERS
The need to reevaluate cybersecurity strategy to align
with the new realities of the workplace remains.

“The attack surface becomes every home network, which we have zero control over.”
VP and CISO, business process outsourcing and human capital management

One Home Office Equals Infinite Risk

Picture a home office. What do you see? A desk-chair-monitor setup, in a spare bedroom? What you may not picture is the myriad of people and devices connecting to the very same home network that is linking your remote employee to your customer data, intellectual property, and systems. Our study found that 98% of remote workers use at least one personal device for work every day. But that’s just the tip of the iceberg: Remote workers have an average of eight devices connecting to their home network, including employer-provisioned devices, personal devices, appliances, wearables, and gaming systems. And, on average, each remote worker has three people in their household with devices connecting to the same home network. Six out of 10 security leaders indicate that the risk posed by employee home networks and personal devices has increased since the beginning of the pandemic. Without the ability to understand the device and the network, security leaders need to control user access.

71% of security leaders say they lack high or complete visibility into remote employee home networks.*
64% lack this level of visibility into remote employee-owned devices.*

“Did any of these business-impacting cyberattacks... ?”
(Percentage responding “Yes”)
Target remote workers: 67%
Involve an unmanaged personal device used in a remote work environment: 62%
Result from VPN flaws or misconfigurations: 54%
Result from home router flaws or misconfigurations: 49%

Base: 783 security leaders and business executives with responsibility over cybersecurity/security strategies and budgets at organizations experiencing a business-impacting cyberattack within the past 12 months
*Base: Variable; security leaders with responsibility over cybersecurity/security strategies and budgets identifying elements included in their organization’s attack surface
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

It’s 9:00 A.M. Do You Know Where Your Data Is?

What does this mean? It means that even if you set your employees up with a laptop, PC, or other device when you moved to a remote work model, chances are there’s a significant amount of company data and information being accessed via other devices. Fifty-three percent of employees working from home access customer data from a personal device; while 36% access financial records, and roughly three out of 10 access their company’s IP or other confidential information. It’s no wonder that nearly three-quarters of security leaders report their company data is at greater risk since the onset of the pandemic.

“Thinking about your organization’s workforce strategy, how confident are you that your organization is taking steps to adequately protect the following?”
(Showing “Very” or “Completely confident” responses)
Intellectual property: 48%
Customer data: 42%

73% say the risk posed to their organizations’ data has increased since the onset of COVID-19.

Base: 426 security leaders with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

“It takes one human error in a spot which may or may not be intentional and it’s game over, because there’s still much more focus on the perimeter than there is on insider threats.”
Business information security officer, financial services

Rogue Implementation Can Come At A Cost

Unsanctioned applications are a significant threat vector for organizations. Seven out of 10 security leaders indicate that these apps pose a greater risk to their organization than they did before the pandemic began; however, 60% of security leaders say they lack a high level of visibility into unsanctioned applications. “IT-provisioned” doesn’t always mean “risk-free.” Information technology, operational technology, and applications which are provisioned by IT all currently present elevated risks. Indeed, 74% of business and security leaders attribute recent business-impacting attacks to vulnerabilities in systems or applications that were put in place as a response to the pandemic.

Pose Greater Risk In The Wake Of COVID-19
Non-IT-provisioned applications: 72%
Information technology: 50%
Operational technology: 48%
IT-provisioned applications: 40%

Base: 426 security leaders with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

Cloud Proves Its Mettle As A Business Driver — And Along Comes The Risks

The COVID-19 pandemic highlighted the tremendous value of cloud computing. Without cloud applications, tools, and services, it’s highly unlikely that organizations across the globe would have been able to pivot to remote workforce models and shift their business operations in a matter of weeks. According to our survey, 42% of security leaders report their organizations have moved business-critical functions to the cloud as a result of the pandemic, while 36% have moved non-business-critical functions to the cloud. Notably, accounting/finance and human resources were the business-critical functions most likely to be moved to the cloud in direct response to the pandemic — applications that are traditionally hosted on-premises.

However, the very things the cloud enables, i.e., collaboration, connection, and ease of information access, also make cloud assets targets for malicious actors looking to exploit vulnerabilities. And for many enterprises, these theoretical risks have become reality over the course of the past year: 62% of business and security executives say their organizations suffered business-impacting attacks involving cloud assets.

Among those running business-critical functions in the cloud, here’s who moved these functions to the cloud in response to COVID-19, shown beside the percentage of orgs. running function in the cloud/hybrid*:
Accounting and finance: 54% moved; 68% running in the cloud/hybrid
Human resources: 46% moved; 81% running in the cloud/hybrid
Information services: 31% moved; 85% running in the cloud/hybrid
Sales: 30% moved; 84% running in the cloud/hybrid
Facilities management: 30% moved; 37% running in the cloud/hybrid
Customer service: 28% moved; 86% running in the cloud/hybrid
Marketing: 28% moved; 86% running in the cloud/hybrid
Purchasing: 28% moved; 82% running in the cloud/hybrid

Base: Variable; security leaders and business executives with responsibility over cybersecurity/security strategies and budgets with business-critical functions in the cloud/hybrid
*Base: 789 security leaders and business executives at organizations that have moved, or plan to move, business-critical functions to the cloud
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

Software Supply Chain Breaches Have An Expansive Impact

The pandemic was far from the only anxiety-inducing event that caused organizations to rethink their approaches to cybersecurity this past year. The SolarWinds attack cast a harsh light on software supply chain vulnerabilities and gaps in product security processes and oversight. And while roughly half of security leaders report increased risk exposure via third-party vendors, few have adequate visibility into the partners they rely on. Among the surveyed leaders, 65% attribute recent cyberattacks to compromises in third-party software vendors, underscoring the need for greater visibility into vendors’ security practices.

52% of security leaders say their organizations have an elevated exposure to risk through third-party vendors since the onset of the pandemic.
Just 46% have complete or high visibility into these partners.*
79% of security and business execs feel it’s more important to have greater visibility into their organizations’ software vendors in light of recent attacks.**

Base: 426 security leaders with responsibility over cybersecurity/security strategies and budgets
*Base: 410 security leaders with responsibility over cybersecurity/security strategies and budgets identifying third-party vendors/partners as part of their organization’s attack surface
**Base: 848 security leaders and business executives with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

“We have to consider now the supply chain attacks and other threats that we’re seeing in our environment. We’re in the process of performing a deep-dive assessment around supply chain attack risk, so we know all of the areas, technologies, and software that could be susceptible to that type of risk.”
Senior VP and CISO, retail

Quick Take
WHAT'S HAPPENING
Organizations are rethinking their investments
in people and technology to secure the new world
of work.
HOW IT HELPS ATTACKERS
As new workers and new technologies are brought
up to speed, attackers will be able to exploit
inexperienced workers and blind spots.
WHAT IT MEANS FOR SECURITY LEADERS
Security leaders need a seat at the table when it comes to adopting new technologies. It’s necessary for them to work with business executives in order to establish new risk profiles and new business continuity and disaster response plans to prepare for what’s next.

“We typically maintain a running 24- to 36-month roadmap for information security. We pretty much threw that out. And because so many of the risks in our risk register had changed so significantly, we said anything that we were planning on doing in 2019 or early 2020 is irrelevant at this point.”
VP and CISO, business process outsourcing and human capital management

The New World Of Work Will Require Organizations To Reevaluate The Risk Landscape

The work-from-home model is not going away, even as organizations emerge from crisis mode and begin planning their workforce strategies: 70% of business and security leaders who are currently enabling remote work say their organizations will have at least some portion of their workforce working remotely one or more days a week over the next 12 to 24 months. Twenty-four percent of these leaders report they’ve already made a permanent move to remote work; 68% will make it official over the next two years.

With the rise of cloud services, the expansion of the software supply chain, and the evolution of workforce strategies, the attack surface for organizations is expanding, and traditional perimeter security is dead. As organizations recalibrate their cybersecurity approach to support their post-pandemic workforce strategies, it will be important to reevaluate their decisions made as part of the 2020 crisis response and identify best practices to carry forward — as well as those practices best left in the rear-view mirror. Further, the reevaluation of policies and procedures needs to be as dynamic as the workforce models, technologies, and business goals they serve.

“Do we have a plan if we face a similar situation in the future? Based on what we saw the first time around, what were the things that we had to implement immediately to lock down and ensure things were in place? And the question then becomes, what could we do differently?”
President and CEO, US, IT consulting

The Next Phase Of Cybersecurity Strategy Is A Work In Progress

As enterprise security and business leaders turn their eyes forward, 70% feel their business continuity and disaster response (BC/DR) strategies are well-positioned to meet future workforce needs. Just 52%, however, think they’re well-prepared when it comes to aligning their cybersecurity approach with their workforce strategy.

But the lessons learned through the pandemic, around organizational exposure to heightened risks and threats to data security in this new world of work, are reflected in the BC/DR strategies enterprises will take forward. Business and security leaders report that cybersecurity, data privacy, and supply chain visibility will be a more central part of their BC/DR plans as they develop the next phase of their workforce strategy.

“How have the following areas of focus in your organization’s BC/DR plans shifted to support its workforce strategy moving forward?”
(Showing “Somewhat” or “Significantly more important” responses)
Cybersecurity: 83%
Data privacy: 77%
Supply chain risk management and visibility: 53%

Base: 848 security leaders and business executives with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

Foundational Investments In Cybersecurity Will Be A Priority

For many organizations, the pandemic has highlighted the need to bolster security across all threat vectors. And with enterprises stepping up their investment in cloud-based productivity, collaboration, and connectivity tools over the next 12 to 24 months, investment in security measures is projected to keep pace. Two-thirds or more of security leaders plan to increase investment in network, data, cloud, and endpoint security. Sixty-five percent will be putting more money toward access management technologies, while 77% will increase spending on vulnerability management solutions. Security leaders also plan to beef up their teams to better monitor and secure their organizations’ attack surfaces: 64% of those lacking staff plan to increase their ranks within the next 12 months; another 32% are planning to increase headcount within the next 24 months.

“For each of the following technology categories, how will your organization’s investments change over the next 12 to 24 months to support its workforce strategy?”
(Showing “Marginally” or “Significantly increase investment” responses)
Cloud-based productivity tools/software: 83%
Network security: 82%
Data security: 80%
Cloud-based collaboration tools/software: 78%
Vulnerability management/risk-based vulnerability management: 77%
Cloud infrastructure and platforms: 74%
Cloud security: 74%
Endpoint security: 66%
Credential management, identity access management, privileged access management: 65%

Base: 426 security leaders with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

Recommendations

There was a time when it was sufficient for all remote employees to log in to your organization’s systems using a VPN and a strong password. However, legacy enterprise security architecture wasn’t initially built to withstand the amplified risk of the modern, internet-powered environment. Given the propensity of attacks targeting remote workers, security teams can no longer rely on strategies rooted in a “trust but verify” approach. Hanging your security hat on this model leaves your organization’s network, data, and systems vulnerable to both external attackers penetrating the perimeter and to malicious insiders in positions of “trust.” Adopting a Zero Trust Model, where no one is trusted and everything must be validated, requires continuous evaluation of users and their permissions. In order to secure the business — in an environment where the perimeter has disappeared, and the attack surface continues to expand — you must:

Expand your management of risk beyond software flaws and device compliance. Organizations must reevaluate the very notion of risk to adequately protect the enterprise. That means better understanding and vetting of vendors in the supply chain, consistently evaluating third-party and contractor access to enterprise data, and continuously scanning for unmanaged assets connecting to the corporate network. In short: Organizations need to rethink whether trust deserves a place in their digital systems. Visibility and insights into the overall risks surrounding software vulnerabilities will also help better prioritize your vulnerability management processes based on other business/IT environmental factors. This means viewing employees within the context of risk. Limit the risk of insider threats and simple employee mistakes that jeopardize enterprise data, while designing excellent end user experiences that don’t force employees to circumvent security policies. For a remote worker, depending on your technology to get work done, a poor user experience may be one of your greatest risks in the future of work.

Invest in adaptive user risk profiles that dynamically change. With the rise of hybrid work, it will become even more difficult for organizations to protect enterprise data as employees constantly move from their homes to the office, connect to public Wi-Fi at the local coffee shop, and access enterprise information on their mobile devices while commuting. These changing conditions will require organizations to take a much more adaptive approach to evaluating how users are configured and managed. Establishing risk profiles that are able to adjust security measures, based on changing conditions, behaviors, or locations, is essential to protecting data in the future of work. These profiles should include behavior data to identify whether or not an employee is truly who they say they are, i.e., users should be verified from the way they hold their device, swipe a touchscreen, etc. This granular level of behavioral analytics will greatly improve security.

Perimeter-based methods no longer apply; it’s time for a Zero Trust Model. Let’s face it — neither your employees nor your organization’s data is permanently coming back to the office. It’s time to adjust accordingly. The simple method of ensuring data access via VPN simply won’t work anymore. Enterprises now must continuously monitor and verify every attempt to request access to corporate data at all levels, whether that happens through a device, app, user, or network attempting connection. Without this level of security, visibility, and segmentation, attackers can leverage vulnerabilities in the environment, move laterally, and infect other enterprise assets, such as what is seen with ransomware. Malicious actors can easily move between vulnerable employee endpoints and unmanaged consumer devices to corporate assets. In most cases, you will need multiple levels of authentication to enable employees’ access to corporate info — something they have (e.g., certificate, device compliance check, etc.) and something they are (e.g., fingerprint or other biometrics). Passwords are a poor user experience, and most employees will simply write them down rather than remember them. So again, a poor user experience will breed insufficient security. While a simple two-factor authentication, combined with a device compliance check and the security team’s ability to continuously monitor these tools, is not entirely sufficient, it will eliminate a majority of enterprise risks and get you started on the way toward true Zero Trust. Finally, tie this back to endpoint device risk wherever possible
Start your Zero Trust journey with a few simple steps.
to give more risk context to your other security controls.
Organizations are often under the assumption that achieving Zero
Challenges

For example, prioritize security alerts in your endpoint


Trust is an arduous, uphill journey. And while it doesn’t happen detection and response (EDR) solution that are based on
overnight, there are a few tactical steps you can take today to start vulnerability risks. It is critical to found your Zero Trust
building a better Zero Trust strategy. First off, it requires mastering policies on a strong understanding of point-in-time risk for
Future State

the basics of Zero Trust and understanding what key assets the endpoints when balancing security with user productivity
organization is trying to protect, with data sitting at the top of the and access controls on your homeworker devices.
list. Identifying where data lives, its criticality, and who has access
Recommendations
Recommendations

lays the groundwork for a broader trust foundation about who can
and/or should access that data, from where and when, and how to
monitor and secure it. Take this inventory, and then make a list of
all the large enterprise risks that could jeopardize critical assets.
Oftentimes, organizations start with identity and device management.
Appendix

FORRESTER THOUGHT LEADERSHIP PAPER: A CUSTOM STUDY COMMISSIONED BY TENABLE


SEPTEMBER 2021
BEYOND BOUNDARIES: THE FUTURE OF CYBERSECURITY IN THE NEW WORLD OF WORK 23

“I’d say the first big architectural change that we’re making is the adoption of a Zero Trust network architecture. It’s the realization that there is no perimeter; there is no on-network, off-network. It’s about providing the right folks with access to data from anywhere and ensuring that the folks that are not authorized can’t get access to it, wherever it is.”

VP and CISO, business process outsourcing and human capital management

Methodology

In this study, Forrester conducted an online survey of 426 security leaders, 422 business executives, and 479 remote workers, as well as in-depth telephonic interviews with six business and security executives, to examine cybersecurity strategies and practices at large enterprises in the US, the UK, Germany, France, Australia, Mexico, India, Brazil, Japan, and Saudi Arabia. The study was fielded in April 2021.

ENDNOTES

1 Source: Lance Lambert, “Work-from-home isn't going away: Only 4% of CEOs plan to add office space,” Fortune, February 4, 2021 (https://fortune.com/2021/02/04/work-from-home-isnt-going-away-say-ceos/).

Demographics

| NUMBER OF EMPLOYEES | |
|---|---|
| 20,000 or more | 9% |
| 5,000 to 19,999 | 36% |
| 1,000 to 4,999 | 55% |

| ROLE | |
|---|---|
| Security | 32% |
| Business | 32% |
| Remote worker | 36% |

| JOB LEVEL: SECURITY | |
|---|---|
| Senior-most IT or security decision-maker | 25% |
| VP in IT or security | 36% |
| Director in IT or security | 39% |

| JOB LEVEL: BUSINESS | |
|---|---|
| Senior-most business leader | 29% |
| Senior risk/compliance leader | 32% |
| Executive in line of business or function | 26% |
| Board member | 14% |

Note: Percentages may not total 100 because of rounding.
Base: 426 security leaders and 425 business executives with responsibility over cybersecurity/security strategies and budgets and 479 remote workers working from home three or more days a week
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

ABOUT FORRESTER CONSULTING

Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester’s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting.

© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to forrester.com. [O-00059404]

Project Director:
Heather Vallis, Director & Principal Market Impact Consultant

Contributing Research:
Forrester’s Security & Risk research group

Additional Data

“How many times did your organization experience a business-impacting cyberattack or compromise within the past 12 months?”

“For the purpose of this survey, ‘business-impacting’ relates to a cyberattack or compromise that resulted in: a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.”

| | AUSTRALIA (N = 76) | BRAZIL (N = 74) | FRANCE (N = 109) | GERMANY (N = 120) | INDIA (N = 72) | JAPAN (N = 57) | MEXICO (N = 94) | SAUDI ARABIA (N = 57) | UNITED KINGDOM (N = 87) | UNITED STATES (N = 102) |
|---|---|---|---|---|---|---|---|---|---|---|
| NONE | 8% | 8% | 7% | 7% | 11% | 7% | 4% | 2% | 10% | 10% |
| 1 | 9% | 8% | 4% | 7% | 15% | 25% | 0% | 18% | 22% | 21% |
| 2 | 13% | 5% | 7% | 6% | 11% | 9% | 5% | 12% | 17% | 19% |
| 3 | 14% | 11% | 9% | 6% | 13% | 9% | 10% | 14% | 9% | 20% |
| 4 | 26% | 28% | 33% | 18% | 19% | 21% | 19% | 21% | 13% | 15% |
| 5 OR MORE | 29% | 39% | 39% | 57% | 29% | 30% | 62% | 33% | 29% | 17% |

Note: Percentages may not total 100% due to rounding.
Base: Varies; security leaders and business executives with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

“Did any of these cyberattacks... ?”

| | AUSTRALIA (N = 70) | BRAZIL (N = 68) | FRANCE (N = 101) | GERMANY (N = 112) | INDIA (N = 63) | JAPAN (N = 53) | MEXICO (N = 90) | SAUDI ARABIA (N = 56) | UNITED KINGDOM (N = 78) | UNITED STATES (N = 92) |
|---|---|---|---|---|---|---|---|---|---|---|
| TARGET REMOTE WORKERS/EMPLOYEES WORKING FROM HOME. | 73% | 72% | 65% | 66% | 56% | 72% | 69% | 57% | 68% | 71% |
| RESULT FROM VULNERABILITIES IN SYSTEMS AND/OR APPLICATIONS YOUR ORGANIZATION PUT IN PLACE IN RESPONSE TO THE COVID-19 PANDEMIC. | 70% | 75% | 70% | 78% | 71% | 64% | 74% | 86% | 72% | 75% |
| RESULT FROM A THIRD-PARTY SOFTWARE VENDOR COMPROMISE. | 59% | 68% | 76% | 72% | 63% | 72% | 59% | 63% | 58% | 59% |

Note: Percentages may not total 100% due to rounding.
Base: Varies; security leaders and business executives with responsibility over cybersecurity/security strategies and budgets at organizations experiencing a business-impacting cyberattack within the past 12 months
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

“What impact do these changes have on your organization’s exposure to cyber risk?”
(Showing “Somewhat” or “Significantly more exposure to cyber risk” responses)

| | AUSTRALIA (N = 69) | BRAZIL (N = 69) | FRANCE (N = 102) | GERMANY (N = 105) | INDIA (N = 70) | JAPAN (N = 51) | MEXICO (N = 85) | SAUDI ARABIA (N = 53) | UNITED KINGDOM (N = 77) | UNITED STATES (N = 92) |
|---|---|---|---|---|---|---|---|---|---|---|
| ENABLE(D) REMOTE WORKFORCE/EMPLOYEES WORKING FROM HOME | 84% | 84% | 80% | 73% | 76% | 82% | 80% | 89% | 78% | 83% |

| | AUSTRALIA (N = 70) | BRAZIL (N = 70) | FRANCE (N = 102) | GERMANY (N = 113) | INDIA (N = 66) | JAPAN (N = 51) | MEXICO (N = 90) | SAUDI ARABIA (N = 55) | UNITED KINGDOM (N = 80) | UNITED STATES (N = 92) |
|---|---|---|---|---|---|---|---|---|---|---|
| MOVE(D) NON-BUSINESS-CRITICAL FUNCTIONS TO THE CLOUD | 84% | 84% | 80% | 73% | 76% | 82% | 80% | 89% | 78% | 83% |

Base: Varies; security leaders and business executives with responsibility over cybersecurity/security strategies and budgets implementing changes in response to the COVID-19 pandemic
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

“Approximately how many total devices connect to your home network? Please include devices used by your entire household in your count.”

| | AUSTRALIA (N = 85) | BRAZIL (N = 44) | FRANCE (N = 44) | GERMANY (N = 36) | INDIA * | JAPAN * | MEXICO (N = 61) | SAUDI ARABIA (N = 47) | UNITED KINGDOM (N = 81) | UNITED STATES (N = 53) |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 TO 5 | 14% | 18% | 11% | 14% | — | — | 18% | 32% | 31% | 34% |
| 6 OR MORE | 86% | 82% | 89% | 86% | — | — | 82% | 68% | 69% | 66% |

*Note: Bases are too small to show data.
Base: Varies; full-time employees working from home three or more days a week
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

“Which of the following types or sources of information do you access with the personal devices you use for work?”

| | AUSTRALIA (N = 77) | BRAZIL (N = 40) | FRANCE (N = 44) | GERMANY (N = 36) | INDIA * | JAPAN * | MEXICO (N = 58) | SAUDI ARABIA (N = 46) | UNITED KINGDOM (N = 67) | UNITED STATES (N = 49) |
|---|---|---|---|---|---|---|---|---|---|---|
| CUSTOMER DATA | 51% | 55% | 64% | 50% | — | — | 59% | 54% | 37% | 67% |
| FINANCIAL RECORDS | 43% | 38% | 23% | 36% | — | — | 40% | 35% | 28% | 35% |

*Note: Bases are too small to show data.
Base: Varies; full-time employees working from home three or more days a week using personal devices for work
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

“What level of security staffing do you have to monitor your organization’s attack surface/vectors?”

| | AUSTRALIA (N = 45) | BRAZIL (N = 41) | FRANCE (N = 48) | GERMANY (N = 59) | INDIA (N = 38) | JAPAN * | MEXICO (N = 56) | SAUDI ARABIA * | UNITED KINGDOM (N = 44) | UNITED STATES (N = 49) |
|---|---|---|---|---|---|---|---|---|---|---|
| WE HAVE ENOUGH SECURITY STAFF TO ADEQUATELY MONITOR OUR ATTACK SURFACE/VECTORS. | 29% | 12% | 44% | 31% | 29% | — | 39% | — | 30% | 41% |

*Note: Bases are too small to show data.
Base: Varies; security leaders with responsibility over cybersecurity/security strategies and budgets
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

“What challenges does your organization face, or do you anticipate it will face, when supporting a remote workforce?”

| | AUSTRALIA (N = 44) | BRAZIL (N = 37) | FRANCE (N = 44) | GERMANY (N = 53) | INDIA (N = 38) | JAPAN * | MEXICO (N = 53) | SAUDI ARABIA * | UNITED KINGDOM (N = 40) | UNITED STATES (N = 43) |
|---|---|---|---|---|---|---|---|---|---|---|
| LACK OF VISIBILITY INTO EMPLOYEE HOME NETWORKS AND CONNECTED DEVICES | 38% | 41% | 42% | 45% | 54% | — | 41% | — | 44% | 36% |

*Note: Bases are too small to show data.
Base: Varies; security leaders with responsibility over cybersecurity/security strategies and budgets at organizations enabling a remote workforce
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021

“To what degree do you follow or use each of the following security measures and guidelines your organization may have in place around remote work?”
(Showing “Strictly follow” or “Use” responses)

| | AUSTRALIA (N = 85) | BRAZIL (N = 44) | FRANCE (N = 44) | GERMANY (N = 36) | INDIA * | JAPAN * | MEXICO (N = 61) | SAUDI ARABIA (N = 47) | UNITED KINGDOM (N = 81) | UNITED STATES (N = 53) |
|---|---|---|---|---|---|---|---|---|---|---|
| I HAVE TO VERIFY MY IDENTITY TWO OR MORE DIFFERENT WAYS WHEN LOGGING ON TO ACCESS MY ORGANIZATION’S SYSTEMS/APPLICATIONS. | 29% | 43% | 32% | 36% | — | — | 23% | 38% | 43% | 34% |
| I AM NOT ALLOWED TO USE PERSONAL DEVICES TO ACCESS MY ORGANIZATION’S DATA/SYSTEMS. | 18% | 16% | 18% | 31% | — | — | 28% | 11% | 19% | 17% |
| I AM NOT ALLOWED TO CONNECT TO MY ORGANIZATION’S SYSTEMS VIA PUBLIC WI-FI. | 21% | 20% | 16% | 25% | — | — | 20% | 23% | 17% | 19% |
| I CAN ONLY CONNECT TO MY ORGANIZATION’S SYSTEMS VIA VPN. | 15% | 5% | 9% | 6% | — | — | 18% | 13% | 11% | 25% |

*Note: Bases are too small to show data.
Base: Varies; full-time employees working from home three or more days a week
Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021