
The Five Phases of COVID-19 Aligned to Security Services

Enterprise security will encounter 5 phases in response to COVID-19's effects. Explore what CISOs need to know about these phases with IDC's Christina Richmond.

Service providers have many names for the phases security service clients have encountered and will encounter in the COVID-19 era. IDC consolidated these into five phases, named Reframe, Refresh, Recover, Rebound and Recreate, and aligned them loosely to the IDC Security Services segments (see Table).

Table: Phases, security services utilized, and security services cannibalized or budgets offset

Phase: Reframe (Urgent, crisis response, business continuity disaster recovery (BCDR), keep the business running at all costs)
Security Services Utilized:
- Managed Security Services (MSS): new device configuration & management, managed secure access, managed VPN, DDoS protection
- Managed Detection and Response (MDR)
- Incident Readiness and Response (IR)
- Vulnerability testing & management
- Security Consulting: Secure Cloud Migration, Digital Transformation, Remote Work & Operations
Security Services Cannibalized or Budgets Offset:
- System migration advisory and large-scale systems integration (SI) delayed unless germane to the crisis
- Some advisory and SI budget repurposed

Phase: Refresh (Anxious, look at finances, adjust the business to remain viable, stabilize operationally, begin thinking about future resiliency)
Security Services Utilized:
- MSS, MDR and IR continue unabated
- Security Consulting: continues with cloud and DX migration but build-out of remote work slows; security resiliency planning begins (incident playbook development & tabletop exercises)
Security Services Cannibalized or Budgets Offset:
- Continued delay of large systems integration (SI) and advisory
- Layoffs and headcount cuts begin
- Consideration of real estate consolidation

Phase: Recover (Normalizing, operational improvements continue, recovery measures begin, begin thinking about how to accelerate the business in new directions)
Security Services Utilized:
- MSS, MDR and IR continue unabated
- Managed Cloud Security growth escalates
- New security services emerge & begin to see startups reappear
- Edge computing and IoT security rise in importance as companies automate and orchestrate key business functions and distribute network connectivity
- Security zero trust advisory and secure identity & data management services escalate as software-defined infrastructures mature
- Security risk and privacy become critical benchmark services
Security Services Cannibalized or Budgets Offset:
- Delay of large-scale SI and advisory begins to wane
- Cost cutting continues (layoffs, real estate diminution)
- On-premises MSS migration from MSSP leaders to network operations partnerships increases in speed

Phase: Rebound (Committed, accelerate the business, begin to innovate)
Security Services Utilized:
- MSS, MDR and IR continue unabated
- Managed Cloud Security growth escalates
- Delayed SI and advisory services return to scheduled deliveries
- Security zero trust advisory and secure identity and data management services continue
- Orchestration/automation security platforms flourish
Security Services Cannibalized or Budgets Offset:
- Some rehiring begins
- Fewer services are cannibalized

Phase: Recreate (Hopeful, innovation and continued expansion with redefined priorities)
Security Services Utilized:
- MSS, MDR and IR continue unabated
- Managed Cloud Security growth escalates
- Security zero trust advisory and secure identity and data management services continue
- Orchestration/automation security platforms flourish
Security Services Cannibalized or Budgets Offset:
- Still fewer services are cannibalized

What follows is our current thinking about the security services needed so far, from the earliest days of the COVID-19 pandemic through to what these phases might look like as we move into the future.


Reframe

COVID-19 was sudden and catastrophic, and the world was forced to embrace change quickly. From a corporate security perspective, this phase is mostly behind us. All of the security service providers IDC talked with were swamped in light of the crisis, but especially the managed security service providers (MSSPs). MSSPs saw requests for new device configuration and management, managed secure access, managed VPN, DDoS protection, Managed Detection and Response (MDR), Incident Readiness and Response (IR) and vulnerability testing & management.

Security consultants saw a great deal of work in the beginning of the crisis as well. CISOs of organizations that had already embraced the cloud didn’t “skip a beat”, to quote one CISO of a large bank. Other security executives who had cloud migration and digital transformation projects booked decided to accelerate them. Hence consultancies like the Big 4, Accenture, and Booz Allen Hamilton shared that project-based services for secure cloud migration, digital transformation, and enabling remote work and operations ramped up precipitously in the beginning of the pandemic. Additionally, projects with a capital budget tied to them continued forward.

It wasn’t all good news in security services, however. One security analyst in the detect and respond arena stated, “large ‘strategic’ projects will be canned, with a focus on optimizing and reducing waste in current systems.” What we’ve discovered is that many of these projects were delayed or had their associated budget repurposed.


Refresh

Perhaps the toughest of the phases, “Refresh” brought the most anxiety and cost-cutting to keep the business afloat. Organizations sought, and many are still seeking, to stabilize their operations, and some are beginning to think about future resiliency. Thankfully, we are beginning to see this phase in the rearview mirror.

Managed services continue to grow in this phase, as does migration to cloud. Service providers are still helping enterprises fix the bubble gum and Band-Aid approaches to securing remote workers, but most of the buildout is complete.

The security analyst we spoke with thought that “all hiring will be put on pause; this is just a standard move, so any open roles may be ‘open’, but with an approval level high enough that requests to fill those roles will be few and far between.” He also shared that “plans that were already in motion to reduce office space/make cuts/etc will be accelerated.”

Many security teams had crisis plans in place, but many did not. Our security analyst friend recommended that this was the phase in which “to have a lucid picture for your CxOs about what life support looks like at the Capex (capital expense) and Opex (operational expense) level, and what the path back from that looks like if you make mid- to long-term sacrifices (i.e. survival mode can mean you don’t get to / can’t support growth fast later on), and to take that to them proactively.”


Recover

In a recent Survey Spotlight, IDC suggests that there is a link between accelerated cloud migration and security, especially in security services. IDC is currently conducting a series of six surveys to outline the impact that COVID-19 is having on the technology industry. In the most recent results, over 35% of respondents are equally migrating to cloud more aggressively and making changes to security systems and their security strategy due to digital transformation (DX) activities. To understand how to migrate to cloud and DX securely, enterprises engage consulting firms for guidance. Net-new budget is not available in the pandemic, hence there are delays of non-essential large-scale SI and advisory projects.

In addition to continued growth in traditional MSS and MDR, we will see an escalation in a newer area of MSS: Managed Cloud Security. IDC also believes that new security services will emerge and that security startups will start to reappear. Because of the distributed nature of our new architectures, edge computing and IoT security will rise in importance, and we will see automation and orchestration of key business functions proliferate. This will lead to security advisory services on Zero Trust and to identity and data management services as software-defined infrastructures mature. And finally, risk and privacy, though never lost as a focus, will become critical benchmark services.

Cost-cutting efforts will continue in this phase, both with layoffs and real estate diminution, in order to fund the business as it pulls out of a very deep recession, but we think that the delay of large-scale SI and advisory services will begin to wane.

An interesting trajectory is emerging in traditional MSS, where MSSP leaders strive to shift low-margin, high-effort device configuration, management and vulnerability testing to partners in network operations. This shift will increase in speed.


Rebound

It’s hard to tell exactly what the new normal will look like, but we can take a few guesses.

We agree with our security analyst friend that “pulling out of the pandemic will be slow and cautious for all sectors. Evidence will show that many of the projects businesses thought they needed to ‘be secure’ or to ‘do x’ didn’t happen, and they survived. As ever, availability will be king, followed by confidentiality, [and ultimately] followed by integrity. Another way of putting this is: COVID is a ‘shock to the system’ / force function for what really matters to survive first, then seek profitability.”

We believe that fewer services will be cannibalized as we rebound. There will be pent-up demand for security services, both those attached to delayed projects and those needed as new infrastructure formats are realized, such as container-based and serverless architectures, the use of microservices and Zero Trust. In the new software-defined perimeter, identity and data will replace old castle-and-moat security structures, and vendor-agnostic orchestration/automation security platforms will begin to flourish.


Recreate

At some point we will not only come back to normal but, as with every crisis and recovery, we will find silver linings, count our remaining blessings and innovate. As we develop software more rapidly and broaden platforms for threat visibility, IT service management (ITSM) and response, it is possible we will begin to catch the glimmer of an uber security platform where all security tools, regardless of vendor or host, can live harmoniously. Will this be a cloud service provider? Time will tell.

Security will remain a bastion for retired military and computer science graduates, yet some 25-year career icons will retire taking some of the institutional memory so important to security with them.

Human nature dictates that as crisis behavior diminishes some of the lessons recede in our memories. Perhaps creating and practicing BC/DR and IR playbooks will diminish in popularity, but maybe, just maybe, service providers that have bundled these efforts into retainers will see muscle memory prevail.


Program Vice President, Security Services