Rising interest rates, ominous economic headwinds, and fears of a looming recession signal a turbulent year ahead. The era of cheap money has come and gone, and many companies are shifting from a hyper-growth model to a path to profitability with a sustainable growth model. Weekly layoffs, especially in the technology sector, are a worrying sign, and security leaders and practitioners must have a plan in place.
As the saying goes, "hope is not a strategy," so security leaders should prepare for the worst and hope for the best. Here are five recommendations for managing a security operation during uncertain economic times:
- Align the security program with the business. If the company’s 2023 strategy starts with what new security controls the team plans to invest in, it’s time to align goals with business outcomes. Your business constantly evolves, and so should the organization’s cybersecurity strategy. If there’s no real plan for 2023's goals and objectives, engage with business partners. For public companies, SEC filings can help, especially 10-Ks, which outline the risks to the business. Engage with the risk committee that prepares this content. These risks offer CISOs a blueprint for the company's concerns and what CISOs need to mitigate. Has the company aligned its limited resources to the top risks? Shift the conversation from technology investments to risk mitigation the business cares about. Technology implementations are more likely to get cut than a control for strategic risk mitigation.
- Take advantage of the opportunity and establish yourself as a business leader. As we saw in 2020, at the start of the pandemic, crisis presents opportunity. Many security leaders stepped up and guided their organization's business continuity efforts and their shift to remote work. Today’s economic headwinds present CISOs with another opportunity to gain trust and become seen as business leaders. Many CISOs are chief information security officers in name only, and not seen as actual C-Suite executives. Stay proactive, reach out to the CFO and gain an understanding of any potential constraints heading into next year. CISOs don't want to wait until next year to find out whether cuts are coming. Understand the likelihood and scope of potential austerity efforts so the team can plan for them.
- Maximize existing investments. Seek to maximize the company’s current portfolio, even if the CFO doesn't ask for expense reductions. If the CFO asks to delay new spending, use that time to double down on existing implementations and make them more effective. Re-evaluate the team’s current investments: Are they still aligned with risks that need mitigation? Are they effective at mitigating those risks? Has the team deployed unnecessary overlapping controls? Are controls fully implemented? Can the team shift from a best-in-breed solution to an effective platform play? Avoid "expense in depth," the multilayered approach to ensuring minimal return on a security investment. Vendors need to earn their money. Renewals aren't annuities and aren't guaranteed. Use the looming recession to drive renewal prices down.
- Assess the ability of leading suppliers to deliver. We rightly focus on the cybersecurity risks of our supply chain, but has the team assessed the company’s top vendors’ ability to deliver in an economic downturn? Identify high-risk suppliers, including startups that cannot raise the requisite capital to continue operations and even cybersecurity unicorns with inflated valuations in limbo, unable to IPO, and looking to get bought by private equity. If the security team plans to invest in new vendors, inquire about their burn rate and how long they can keep operating before running out of money. Use sites such as Crunchbase, IT-Harvest, and Pitchbook to learn more about vendors and their funding. Be on the lookout for an executive exodus. If the head of customer success departs, it isn't a good sign.
- Perform a health check on the company’s insider risk program. As companies lay off employees, the likelihood of insider risks from disgruntled employees rises. These risks come from both the terminated employees and employees who remain dissatisfied with the direction of the business. Does the security team have the appropriate logging and alerting to detect anomalous activity? Can they catch and prevent exports of customer data from solutions like Salesforce? Can the team see downloads of intellectual property from SharePoint or Google Drive? Are HR, IT, and security organizations prepared to conduct timely en masse off-boarding? It’s critical to have timely revocation of access, especially for privileged users or employees with access to sensitive data.
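The three questions above (can the team spot anomalous export volume, can it see activity from people who should already be off-boarded, and are accounts actually revoked) can be turned into a small, repeatable health check. The following is an added example, not code from the article or from any of the products it names: the audit events, HR feed and identity-provider snapshot are constructed inline with an invented schema, and the `ratio` and `floor` thresholds are assumptions a team would tune against its own baselines.

```python
"""Insider-risk health check over constructed audit, HR and IdP data.

Added example (not from the original article). The event schema, user
names and thresholds are constructed for illustration; real Salesforce,
SharePoint and Google Drive audit logs have their own field names.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed audit events: (timestamp, user, source, action, record_count)
AUDIT_EVENTS = [
    ("2023-01-09T09:12:00", "alice", "salesforce", "report_export", 120),
    ("2023-01-10T10:03:00", "alice", "salesforce", "report_export", 95),
    ("2023-01-11T14:40:00", "alice", "salesforce", "report_export", 110),
    ("2023-01-12T18:55:00", "alice", "salesforce", "report_export", 48000),
    ("2023-01-09T11:00:00", "bob", "sharepoint", "file_download", 3),
    ("2023-01-10T11:20:00", "bob", "sharepoint", "file_download", 5),
    ("2023-01-13T23:10:00", "bob", "sharepoint", "file_download", 412),
    ("2023-01-16T08:30:00", "carol", "gdrive", "file_download", 7),
    ("2023-01-17T09:05:00", "carol", "gdrive", "file_download", 6),
]

# Constructed HR feed: user -> last day of employment (None = still employed)
HR_STATUS = {"alice": None, "bob": "2023-01-13", "carol": "2023-01-16"}

# Constructed identity-provider snapshot: accounts that are still enabled
ACTIVE_ACCOUNTS = {"alice", "bob", "carol", "dave"}


def flag_bulk_exports(events, ratio=10, floor=100):
    """Flag export/download events far above the user's own typical volume.

    The per-user median is a robust baseline: one huge export barely moves
    it. `floor` keeps tiny baselines (a median of 3 files) from flagging
    routine work. Both values are assumed tuning knobs, not vendor defaults.
    """
    per_user = {}
    for _, user, _, _, count in events:
        per_user.setdefault(user, []).append(count)
    thresholds = {u: max(floor, ratio * median(c)) for u, c in per_user.items()}
    return [(user, source, count)
            for _, user, source, _, count in events
            if count >= thresholds[user]]


def post_termination_activity(events, hr_status):
    """Return activity by terminated users after access should be gone.

    Assumes access must be revoked by the end of the last working day; any
    event after that deadline is a revocation gap worth investigating.
    """
    hits = []
    for ts, user, source, action, _ in events:
        last_day = hr_status.get(user)
        if last_day is None:
            continue
        deadline = datetime.fromisoformat(last_day) + timedelta(days=1)
        if datetime.fromisoformat(ts) >= deadline:
            hits.append((user, ts, source, action))
    return hits


def stale_accounts(hr_status, active_accounts, as_of):
    """Cross-check the IdP against HR.

    Returns (stale, orphans): terminated users whose accounts are still
    enabled as of `as_of`, and enabled accounts HR has no record of at all.
    """
    as_of_dt = datetime.fromisoformat(as_of)
    stale = sorted(u for u in active_accounts
                   if hr_status.get(u) is not None
                   and datetime.fromisoformat(hr_status[u]) < as_of_dt)
    orphans = sorted(u for u in active_accounts if u not in hr_status)
    return stale, orphans


if __name__ == "__main__":
    for user, source, count in flag_bulk_exports(AUDIT_EVENTS):
        print(f"bulk export: {user} pulled {count} records from {source}")
    for user, ts, source, action in post_termination_activity(AUDIT_EVENTS, HR_STATUS):
        print(f"revocation gap: {user} {action} on {source} at {ts}")
    stale, orphans = stale_accounts(HR_STATUS, ACTIVE_ACCOUNTS, "2023-01-18")
    print("terminated but still enabled:", stale)
    print("enabled but unknown to HR:", orphans)
```

Run against the constructed data, the first check catches alice's 48,000-record Salesforce export and bob's 412-file SharePoint download on his last evening, the second catches carol using Google Drive the morning after her last day, and the third shows that bob, carol and an account HR has never heard of are all still enabled. The same three joins (audit log against per-user baseline, audit log against HR dates, IdP against HR) are what a team would wire into its SIEM or identity governance tooling; the value is in having the HR feed and the audit logs in one place before a layoff round, not in the specific thresholds.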
How deeply the current economic factors will impact cybersecurity budgets and jobs remains an open question. However, it’s better to have a playbook and not need it than to not have one at all.
Rick Holland, chief information security officer, vice president strategy, Digital Shadows, a ReliaQuest company