Business leaders are speculating about the potential impact of a looming recession. The concerns about how an economic downturn could impact cybersecurity programs are real. Without the benefit of a crystal ball, experienced CISOs and security leaders must remember there have been challenging times before. CISOs and security leaders are not new to budget cuts or the need to justify investments without tangible top/bottom line returns.
The difference this time is that most security professionals are facing increasing scrutiny from regulators, lawyers, customers and shareholders. Stakeholders want assurance that we have the right levels of visibility, protection and response capabilities – regardless of the economic challenges being faced. Here are a few considerations for navigating challenging times and budget pressures under the spotlight of stakeholder scrutiny.
Focus on a robust risk management program
There may be more risk tradeoffs during tough times, so it’s important to have the right framework to drive visibility and risk-based decision making. This includes risk identification, a common taxonomy aligned to enterprise risk, and a defined approach to risk treatment (mitigate, transfer, accept or avoid). Just like math students, security professionals need to be able to show their work and demonstrate how they came up with the answer or decision. The key takeaway here: It may be acceptable to delay an investment or accept a gap. Just ensure the business is making informed decisions by understanding the tradeoffs and the options available to reduce the risk as much as possible, and record who accepted the residual risk and when it will be revisited.
Prioritize third-party risk
When companies look to decrease expenses, they often turn to managed or outsourced services. It’s important to assess critical vendors and identify the risks as part of that decision – both at onboarding and on an ongoing basis. Remember, during tough times, increased reliance on vendors can itself create additional risk. In addition, vendors could end up taking shortcuts or making their own risk tradeoffs during challenging times. Identifying those risks early and often is particularly important so exposure can be limited, if necessary.
Know and prioritize attack surfaces
Understanding what attackers can see about an organization’s environment is critical. This includes external IP space, cloud environments and other externally reachable assets. Being able to prioritize those assets becomes even more critical in challenging times, because certain tradeoffs may be necessary around layered controls. The same prioritization drives configuration and vulnerability remediation: a finding on an internet-facing, business-critical system should be fixed before the same finding on a low-value internal one. Visibility of critical assets and data is essential to prioritizing security efforts. The good news is that relatively low-cost, automated services that continuously scan and test the external environment for exposures are widely available and can help direct limited remediation effort to where it matters most.
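The prioritization described above is easy to operationalize once an asset inventory and an external scan feed exist. The following is an added example, not code from the original article: it joins constructed scanner findings to a constructed asset inventory, scores each finding by severity, business criticality, internet exposure and known exploitation, and separately flags scanned hosts that are missing from the inventory (a shadow-asset gap in attack-surface visibility). The scanner output format, the 1–5 criticality scale and the weights are assumptions chosen for illustration, not a standard.

```python
"""Added example: risk-rank external exposures against an asset inventory.
All inventory entries, findings, scales and weights below are constructed."""
from dataclasses import dataclass, field

# Constructed asset inventory. 'criticality' is a hypothetical 1-5
# business-impact rating assigned by the asset owner.
ASSETS = {
    "203.0.113.10": {"name": "customer-portal", "owner": "ecommerce",
                     "criticality": 5, "internet_facing": True},
    "203.0.113.22": {"name": "marketing-site", "owner": "marketing",
                     "criticality": 2, "internet_facing": True},
    "10.20.30.40":  {"name": "hr-reporting", "owner": "hr",
                     "criticality": 3, "internet_facing": False},
}

# Constructed scanner output; the field names are a hypothetical schema.
FINDINGS = [
    {"ip": "203.0.113.22", "title": "TLS 1.0 enabled", "cvss": 5.0, "exploited_in_wild": False},
    {"ip": "203.0.113.10", "title": "Admin console reachable without MFA", "cvss": 7.5, "exploited_in_wild": False},
    {"ip": "203.0.113.10", "title": "Unpatched web framework RCE", "cvss": 9.5, "exploited_in_wild": True},
    {"ip": "198.51.100.7", "title": "RDP exposed to the internet", "cvss": 7.0, "exploited_in_wild": True},
    {"ip": "10.20.30.40",  "title": "Default credentials", "cvss": 8.0, "exploited_in_wild": False},
]

# Illustrative weights: exposure and active exploitation each double the score.
INTERNET_FACING_WEIGHT = 2.0
EXPLOITED_WEIGHT = 2.0


@dataclass
class Prioritized:
    ip: str
    asset_name: str
    owner: str
    title: str
    score: float
    reasons: list = field(default_factory=list)


def score_finding(finding, asset):
    """Severity x business criticality, amplified when the asset is reachable
    from the internet and when the issue is known to be exploited."""
    reasons = []
    score = finding["cvss"] * asset["criticality"]
    if asset["internet_facing"]:
        score *= INTERNET_FACING_WEIGHT
        reasons.append("internet-facing")
    if finding["exploited_in_wild"]:
        score *= EXPLOITED_WEIGHT
        reasons.append("exploited in the wild")
    return score, reasons


def prioritize(findings, assets):
    """Return (ranked findings, highest risk first; findings on hosts the
    inventory does not know about). The second list is an attack-surface
    visibility gap and usually deserves attention before any scoring."""
    ranked, unknown = [], []
    for f in findings:
        asset = assets.get(f["ip"])
        if asset is None:
            unknown.append(f)
            continue
        score, reasons = score_finding(f, asset)
        ranked.append(Prioritized(f["ip"], asset["name"], asset["owner"],
                                  f["title"], score, reasons))
    ranked.sort(key=lambda p: p.score, reverse=True)
    return ranked, unknown


def remediation_plan(findings=FINDINGS, assets=ASSETS):
    """Group ranked work by owning team so it can be handed to the people who
    will actually fix it, with the shadow hosts called out separately."""
    ranked, unknown = prioritize(findings, assets)
    by_owner = {}
    for item in ranked:
        by_owner.setdefault(item.owner, []).append(item)
    return {"ranked": ranked, "by_owner": by_owner, "unknown_hosts": unknown}


if __name__ == "__main__":
    plan = remediation_plan()
    for item in plan["ranked"]:
        print(f"{item.score:6.1f}  {item.asset_name:16} {item.title}  ({', '.join(item.reasons) or 'internal'})")
    for f in plan["unknown_hosts"]:
        print(f"UNKNOWN HOST {f['ip']}: {f['title']} - add to inventory and assign an owner")
```

The ordering that falls out matters more than the exact numbers: the exploited RCE on the customer portal ranks first, the portal's missing MFA second, and the internal default-credential issue outranks the cosmetic TLS finding on the low-value marketing site even though the latter is internet-facing. The unknown host is reported separately because nothing can be sensibly scored until someone owns it.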
Maximize existing investments
Upon entering a new environment, it’s important to assess what toolsets are in place and how they are being used. It’s not uncommon to see that significant investments have been made in platforms where less than half of the capabilities were leveraged. And upon meeting with a solution partner, it’s a good idea to ask about the existing solutions that aren’t being leveraged before the potential partner recommends additional solutions.
It’s also important to look for ways to integrate new or existing solutions to further automate workflow. For example, when it comes to vulnerability identification capabilities, it’s important to attempt to integrate them into existing IT systems (DevOps platforms, ticketing systems, etc.) to maximize usage and value. Requiring IT or application partners to log in to separate systems or tools is never ideal.
Lastly, when considering an investment in new or innovative solutions, think about how the capabilities can expedite the value of existing investments. Keep in mind that existing investments could be the low-hanging fruit of cost savings. Make sure they’re being used to their full potential and automated as much as possible.
Security awareness is still essential
Creating a culture of security and empowering users to act as an extension of the security team is no small endeavor. However, it has become increasingly important because criminals and bad actors seek to exploit human weaknesses as much as they target technical vulnerabilities. Enabling users to think like a security professional – regardless of their role – is a best practice, regardless of economic conditions.
Now is a good time to conduct real-time training such as phishing/vishing tests, distribute engaging videos and remind employees how to identify and report suspicious activity. The more awareness can be personalized with relevant topics like travel security, home internet threats and identity protection, the more likely the message will resonate and be applicable in a workplace scenario.
The key takeaway here is that threat actors tend to prey on end users more during global events such as pandemics, recessions and natural disasters. Positioning security as everyone’s responsibility is another tool that can help stop social engineering, impersonations and other exposures.
The uneasiness of a potential economic downturn is real, but it’s neither unprecedented nor unmanageable. Focus on risk management and third-party risk, understand and prioritize your attack surface, maximize existing investments and continue to focus on user awareness. By doing this, it’s possible to weather the storm, satisfy stakeholders and protect the bottom line.