CISOs and security leaders are masters at identifying and predicting business-critical risks, so a common pitfall they face is assuming other business leaders are thinking about risk in the same way
This is an exclusive article series conducted by Santosh Vaswani, Editor at CIO News with Kapil Bareja, Advisory Board Member at Cyber Security Tribe
While economists debate the technicalities of whether we are in a recession or not, the rest of us are left preparing ourselves for a downturn. With a wave of tech layoffs at the top of the news cycle and cybersecurity startups caught up in that trend, is it any wonder that the “R” word is on everyone’s minds?
I spoke with CISOs and industry analysts to get their take on how security leaders should be preparing for a (perhaps already present) recession. Here are their top recommendations, but I’d be remiss to leave out the commentary that started the discussion: is a 2023 recession going to be different from anything we’ve seen before?
The world is certainly different from the Great Recession of 2007–2009, so the question seems fair.
In many ways, 2023 is very similar to previous downturns. We’re seeing security teams of all sizes face a tension between speed and security while trying to plan for the future without a crystal ball.
Yet 2023 is also a unique ‘soup’ of factors that make a looming recession a bit more threatening, especially for security teams. During COVID, organisations opened themselves up to unprecedented levels of risk by moving their workforces to remote operations overnight, and let’s face it: most haven’t closed those gaps. Attackers are more motivated than ever before, and with cryptocurrency becoming more accessible, it’s easier for them to monetize their criminal activity.
Even if a 2023 recession is never officially labelled or turns out to be mild, preparing for an economic downturn should be a priority for every CISO or security leader, ideally in advance of that downturn.
- Frame Your Organization’s Risk in Terms Other Leaders Will Understand
CISOs and security leaders are masters at identifying and predicting business-critical risks, so a common pitfall they face is assuming other business leaders are thinking about risk in the same way. The truth is, CISOs need to be more prepared to speak about risk in terms that leaders in other functions will more easily relate to.
One of the things that a security leader needs to start pushing for is quantifying risk and showing how an incident at this time specifically results in an impact on the bottom line and the ability to operate. If that risk could be catastrophic, it could be above risk tolerance. Because if you get hit now, when resources are scarce and it’s enough to affect your bottom line, those are the languages that we need to speak to the business.
To do this effectively, you’ll need to collaborate with your fellow leaders, intentionally breaking down the silos between your functions.
Here are a few examples of why this is critical:
The 2017 Equifax Breach and the Language of CFOs
Take the 2017 Equifax hack as an example. This data breach was considered the largest cybercrime involving identity theft ever, exposing more than 30 million records.
People would say that Equifax wasn’t a big deal because ‘they could afford it.’ Now let’s translate that into CFO terms. The fines alone were enough to wipe out net income for 18 months. Just in the fines. That’s a very different message than, ‘Oh, it cost me a couple hundred million, but I make a billion.’ It’s very different.
The language of the CFO and the board is going to be like, “Shit! What would it look like functionally if they had no net income because of a security incident? On top of the increased regulations that are now an added pressure? Precedent for opening up civil lawsuits?” …
It’s not just about, “Oh, I have a data breach, and there’s, you know, an average cost of $1.25 per record.” The story is so much more comprehensive than that.
You have to be able to speak that language.
Security in the Language of the CMO: Protecting Reputation and Revenue
Explore Your Organization to Communicate Risk More Effectively
From an organisational perspective, as a security executive, there are two elements you have to stay on top of: What are the key initiatives, outside of security, that your organisation is taking? And how can you map those back to what security is doing?
To communicate risk most effectively across your organisation, it’s important that you understand the broader context of what other business functions are focused on. This will help you relate security priorities to business priorities and protect your team and budget from cuts.
- Evaluate Institutional Knowledge and Implement Safeguards
Faced with resource constraints, nearly every organisation is at risk of losing institutional knowledge. Most companies choosing to reduce their workforces will implement ‘peanut butter spread’ cuts across the board, which inevitably affect security teams, even when risk has been contextualised appropriately. Knowing that a recession could create the need to reduce their team, how can CISOs and security leaders prepare? Understand and evaluate institutional knowledge, and implement safeguards to prevent over-reliance on it.
Preserve Institutional Knowledge, When Possible, but Have a Plan B
First, understand the value of institutional knowledge. The value that your security organisation is bringing is not only the domain knowledge of how to operate a particular tool or even how to code in a particular language. It’s that understanding of how you translate organisational objectives into technical reality, right?
The moment that you are letting go of security people within the security organisation, you’re losing not only some technical capability that you may potentially be able to offset with an outside firm, but you’re also losing that organisational knowledge.
Risk managers should never rely on one person or a small group of people for anything. So if there is a crux of institutional knowledge, where’s your failover? You know, humans are humans. Something can happen. What is your plan B?
So, yeah, you don’t want to let [institutional knowledge] go, but you need to plan for its departure.
You’ve got to start memorialising that knowledge and being strategic about it because people are not forever. You’ve got to start pushing it over, having some redundancy in that knowledge.
A Simple Stress Test? Take a Vacation
- Ensure Visibility of Your Infrastructure to See Opportunities to Reduce Costs
If you have to reduce your spending next quarter and you want to preserve your team, where would you cut? This question is difficult to answer if you don’t have a clear understanding of your cyber asset inventory, cloud usage, or other critical security resource questions.
There may be ‘low-hanging fruit’ opportunities to reduce costs that you are simply blind to; resolving these blind spots now will ensure you are ready to make the best decisions for your organisation later.
Altruistic Cyber Architecture: It Costs Money Because It Saves Money
CIO News, a proprietary of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics