Shelter-in-Place orders launched many organizations into fully-remote operating models, without precedent or a playbook for doing so both quickly and securely. In fact, according to a recent Bugcrowd survey, 74% of security leaders at organizations that weren’t already remote-first reported feeling “rushed” in the onboarding or migration of online systems to support suddenly dispersed staff. And only 34% report feeling “very confident” in their organization’s ability to effectively track resulting changes to their internet-facing asset inventory.
No doubt these organizations and many like them were forced to make difficult decisions to avoid immediate business impact, but for the 83% of respondents who believe that their organization is likely to continue remote operations, these decisions could have long-term consequences.
Good News and Bad News
As businesses adjust to COVID-induced changes, individuals around the world are struggling to do the same. Many have lost full-time employment, some are working more, and others are recycling bits of time previously spent on long commutes to engage in other meaningful activities. Members of our own global network of ethical hackers have experienced all of the above, with an astounding 77% stating that they’re now considering hacking full-time, according to a recent survey of the Crowd focused on the impact of COVID-19. Many haven’t wasted time in making the shift, as Bugcrowd saw a record 141% increase in vulnerability submissions over the previous quarter. Overall it seems the Crowd has more time and motivation to hunt than ever before.
But it must be said that free time isn’t limited to those who use it for good. A proclivity towards spending time on personal interests is likely to be true on both sides of the moral divide, which may be why 51% of security leaders said they believe malicious attacks against their organization have indeed increased in recent months.
66% of security leaders say their executive team has raised concerns that the shift to remote work may negatively affect security posture. Per other survey responses, this may be due to fear of short-cut best practices in provisioning new online resources, an increase in attacks, a combination of both, or a variety of other factors. In any event, a loss of budget or resources would almost certainly exacerbate each of the above risk factors.
Fortunately, Bugcrowd found that only 22% of respondents reported loss of security headcount and 60% had no change. Similarly, only 14% reported a budget decrease, while the majority experienced ‘frozen’ budgets with more gates for executive review (32%), or no change to budget at all (36%). Now, you don’t need to be a math whiz to realize that those numbers don’t quite add up. Interestingly, 17% of security leaders reported a budget increase, with 18% also gaining more headcount than was lost. This could be a promising signal of organizations taking seriously new threats to the business.
Despite changes to priorities, budget, and resources, 80% of security leaders plan to conduct as many or more security tests than planned prior to COVID-19 (32% and 48%, respectively), with 72% citing increased concern about threats as a top reason for doing so. For those with more budget that also plan to increase testing, 40% cited a COVID-related increase in demand for products and services as another key motivator.
Most security leaders recognize that attackers don’t care about budget cuts. If anything, news of business-wide belt-tightening can trigger increased interest from malicious attackers looking to take advantage of weakened defenses. This may be why 27% of security leaders that experienced budget loss actually plan to increase security testing frequency due to COVID-related threats, pulling budget from other security initiatives to cover costs.
Of course, shelter-in-place orders have impacted security suppliers just as much as buyers, changing how and when certain services can be rendered. For those security leaders that cited a reduction in testing, 52% pointed to a purely logistical constraint: the inability to have testing performed by their usual in-person pen test provider.
As many businesses move to remote-first models, and build teams and infrastructure resilient to a reduction in in-person interactions, the barriers to engaging remote-first testing may begin to dissolve in kind. And while the impact of COVID-19 varies significantly across all organizations, one question in Bugcrowd’s study generated the greatest consensus across all security leaders surveyed:
Regardless of whether the organization started as remote prior to COVID-19, transitioned to this model, or plans to stay that way, and despite variations in budget, headcount, plans for security testing frequency, and more, an astounding 85% of respondents said they would be more likely to engage remote testing options versus in-person alternatives, even after shelter-in-place restrictions are lifted. This number is especially poignant, considering 65% said that this would be a new model for their organization.
The Future of Work
Has COVID-19 permanently changed the nature of work? In a recent Gartner webinar, analyst Frank Marsala shared predictions for both short and long-term impact to several security segments. From opportunity to innovate within endpoint and cloud security, to a possible end of traditional firewalls, each prediction rang of the potential for remote work to continue indefinitely.
So what of organizations like Bugcrowd, whose products and services are, and always have been, rooted in remote work? As evidenced in the last few months alone, skilled security professionals with time and talent to spare are increasingly turning to remote work options like crowdsourced security to augment or replace their existing sources of income. And with Bugcrowd’s investment in the technology that enables us to quickly match and manage these resources on-demand, organizations across every industry are seeing time to value in a matter of days. If nothing else, we believe the results of this survey show the future of work belongs to organizations that can operate remotely without sacrificing security. As for the future of security work specifically, we believe that belongs to the Crowd.
If you’re interested in hearing first-hand accounts of how Security Leaders are facing new challenges due to COVID-19, be sure to register for our latest webinar series — “Leading Through Disruption: How Security Leaders Are Shaping The Way During COVID-19.” Or, for more information on any of our platform products, including Pen Test, Bug Bounty, Attack Surface Management, and Vulnerability Disclosure, please visit our website, or contact us today!