As signs of a global recession continue to linger, many businesses are still tightening their spending across the board. Though cybersecurity remains a critical concern for virtually every type of organization, even security leaders may need to watch their spending—while somehow still keeping pace with the latest threats and risk exposures.
Some leaders may instinctively just want to keep their heads down and tread water through the storm; but the challenges of the times offer a unique chance to transform your security organization. And building a world-class security program starts with you. Best of class CISOs will use this opportunity to prove their worth as a leader and deliver a better overall security program—one that’s both risk-based and responsive to changing business conditions.
The obvious challenge is that in a recession, most companies will become more conservative with funds. Even critical security upgrades may be subject to scrutiny. So be prepared to talk with your executive team about how security is doing its part. Frame the discussions around all the ways security is measurably driving business enablement—from helping to earn revenue, to establishing trust with customers, to facilitating implementation of new digital tools.
In support of demonstrating value toward justifying security budgeting going forward, focus your program objectives on three main areas of impact: resilience, cost management, and business agility.
Building Trust and Resilience
While historical data shows that economic downturns bring more cyberattacks, your discussions with other C-suite leaders about security budgeting should focus on demonstrating value rather than warning about potential risks. Avoid using “FUD” (fear, uncertainty, and doubt) about things like the cost of a successful ransomware attack or the fines from a compliance violation. These kinds of arguments make weak cases for budget requests.
Instead, CISOs should focus on building trust with other executives by showing how their program supports business enablement. You need to make detailed use cases for how security impacts the bottom line or how it directly contributes to customer retention (such as signing a client with strict regulatory requirements). Using positive messages reinforces the often overlooked fact that security creates its own unique and measurable value—it isn’t just another cost center being carried by the sales team.
Managing Costs and Complexity
Like any technology infrastructure, security can get bloated. Most existing architectures today have been built product-by-product, and over time, they have become exceedingly complex. Complexity is the enemy of security because it can obscure vulnerabilities while creating costly operational inefficiencies.
There’s an old saying in security: “We’re great at buying new products, we’re poor at implementing, we forget about optimizing, and we never remove.” Though many teams have fallen into the habit of adding on products, services, and subscriptions to cover new exposures and gaps as they appear, now is the time to reevaluate whether or not all these things still effectively serve their intended purposes. CISOs should use this opportunity to assess their existing security architecture and licensing.
Consolidation can help simplify your infrastructure to improve efficiencies, reduce costs, and shrink the organization’s attack surface. Additionally, it can help you maximize the value of existing staff. You’re probably not going to lay anybody off, since most security teams today are already understaffed. But infrastructure consolidation can also enable automation of more routine tasks—things like patch management. This frees-up your team for higher-impact activities, like threat hunting and active risk management. Get more from your people without adding headcount.
Boosting Business Agility
In uncertain times, change is the only constant. These changes might include shifting to new cloud-based tools that help the business save on licensing costs, or major organizational adjustments that come with mergers and acquisitions (M&As). A world-class security program is one that’s designed to enable dynamic business agility—keeping the organization safe and scalable at every turn.
A risk-based, agile security program can help business units rapidly respond to market demands while simplifying the user experience, ensuring productivity, and reducing overhead. This might include seamless adoption of the latest SaaS applications, securing hybrid work at-scale via zero trust network access (ZTNA), or connecting and protecting newly acquired offices with SD-WAN solutions.
An Opportunity to Transform Security
Periods of economic hardship come and go. I’ve weathered similar storms leading security teams through the dot-com bust of the early-2000s and the financial crisis of 2008. For CISOs, this is an opportunity to show that you are a true leader—an equal member of the executive team who is doing your part to manage the situation.
While the value of security is always grounded in preventing all the damage that comes with a breach (e.g., stolen data/IP, financial losses, legal/regulatory penalties, bad publicity), a world class security program is one that confidently contributes to the broader organization’s goals and activities. Focusing your plans on resilience, cost management, and business agility not only will help you build a more efficient program—it will ultimately help you deliver more effective security as well.
