10 Belt-Tightening Tips for CISOs to Weather the Downturn
4 Security Officers Share Strategies for Managing Budgets and Doing More With Less
The outlook for the economy includes room for optimism despite the economists who for months have prognosticated a downturn. Employment is strong in many sectors despite major layoffs in the U.S. tech sector. Last year, Silicon Valley let go of 140,000 employees, and so far in 2023, tech layoffs have hit more than 100,000 workers, according to Crunchbase.
So far, spending on cybersecurity has not been a major target of corporate cutbacks. Venture capitalist Alberto Yepez, who follows the market closely, predicts that cybersecurity spending in 2023 will be flat or even go up by 10% in some cases - a reason for celebration even if it's a flatter rate than in previous years. Yepez advises firms to follow the mantra of Microsoft CEO Satya Nadella, who in announcing layoffs of 5% of Microsoft's workforce last month said, "It's time to do more with less."
"Any technology, any automation will be well received," Yepez, managing director of Forgepoint Capital, tells Information Security Media Group. "We're willing to invest in order to do more with less. So I think that's the model that even entrepreneurs, at all sizes, need to be able to do that."
ISMG asked four chief security officers in a range of industries - Quentyn Taylor of Canon Europe, George Finney of Southern Methodist University, Niamh Muldoon of Fenergo and Marcin Szczepanik of Essar Oil - how they would do more with less. From those candid conversations, we compiled a list of 10 tips for belt-tightening in the current economy.
1. Look for ways to consolidate security tools.
A recurring theme among the CISOs was the cost of ever-growing portfolios of security tools. Many companies have invested in best-of-breed products, and those software costs are a prime candidate for belt-tightening. Finney - CISO at SMU, a private college in Dallas, Texas - says he's looking at replacing about one-fourth of his software tools to "save money and become more effective." "We're taking a hard look at a lot of the tools that we use," Finney says. "Some tools come out, and they're awesome right out of the gate. Other tools, maybe they got acquired by other companies and aren't as good as maybe they used to be. Sometimes you see companies get acquired, and they increase the price by two times or three times because they think they can get away with it. So, all of those things, from an economic perspective, they're really forcing us to take a hard look at our entire security program."
Quentyn Taylor - senior director of information security at Canon, EMEA region - advises making sure you're using existing tools to their fullest. For example, smaller shops with a Microsoft E5 license can deploy a host of security products for little additional cost, he says.
"If you've already got the license for something, why not get it out there? Make sure that on your antimalware, if you've already got an EDR or XDR solution, do you have it properly deployed everywhere on every single server? So, stop looking at your more advanced tools and say, 'What have I got? Is my antivirus on every single machine? Have I got logging coming to a central location?' If you don’t have a SOC, there are open-source tools that are actually accepting logs. If you have the skill set internally, put together a log management solution," Taylor says.
Marcin Szczepanik, CISO of Essar Oil, says organizations should focus on the results they're getting, not the number of software products.
"These are the questions that you need to ask yourself when you're looking at your own maturity: 'Do you use your tools? Can you use them better? Can you integrate them better? And who will use that information provided by those tools?'" Szczepanik says.
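The "is it deployed everywhere?" question Taylor raises is answerable only by reconciling the asset inventory against what the EDR console and the central log collector actually report, and the usual reason that reconciliation goes wrong is inconsistent hostnames (case, FQDN versus short name) and agents that are installed but silent. The script below is an added example, not code from the article or from any of the organizations quoted; it uses constructed sample inventories embedded inline and an assumed seven-day "stale agent" threshold, and reports the hosts with no agent, a silent agent, or no central logging.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed sample data (not real exports): the asset inventory, an EDR
# console export and the hosts the central log collector has heard from.
# Hostnames are deliberately inconsistent in case and FQDN-ness, which is
# exactly what makes a naive join under-report the gaps.
ASSET_INVENTORY = """hostname,role
WEB01.corp.example,server
web02.corp.example,server
db01.corp.example,server
FS01,server
laptop-042,workstation
laptop-043,workstation
"""

EDR_EXPORT = """hostname,last_seen
web01,2023-03-01T08:00:00Z
WEB02.CORP.EXAMPLE,2023-02-01T08:00:00Z
db01.corp.example,2023-03-01T09:30:00Z
laptop-042,2023-03-01T07:15:00Z
"""

LOG_SOURCES = """hostname,last_event
web01.corp.example,2023-03-01T08:05:00Z
db01,2023-03-01T09:31:00Z
laptop-043,2023-03-01T06:00:00Z
"""

NOW = datetime(2023, 3, 1, 12, 0, tzinfo=timezone.utc)  # assumed report time
STALE_AFTER = timedelta(days=7)  # assumed: agent silent this long = not deployed


def norm(hostname: str) -> str:
    """Lower-case short name, so 'WEB01.corp.example' and 'web01' compare equal."""
    return hostname.strip().lower().split(".")[0]


def load(text: str, ts_field: Optional[str] = None) -> Dict[str, Optional[datetime]]:
    """Parse a CSV export into {short_hostname: last-seen timestamp or None}."""
    out: Dict[str, Optional[datetime]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = None
        if ts_field:
            ts = datetime.fromisoformat(row[ts_field].replace("Z", "+00:00"))
        out[norm(row["hostname"])] = ts
    return out


def coverage_gaps(assets, edr, logs, now=NOW, stale_after=STALE_AFTER):
    """Hosts in the inventory lacking a live EDR agent or central logging."""
    no_edr, stale_edr, no_logs = [], [], []
    for host in sorted(assets):
        seen = edr.get(host)
        if seen is None:
            no_edr.append(host)            # never checked in: agent missing
        elif now - seen > stale_after:
            stale_edr.append(host)         # installed once, silent now
        if host not in logs:
            no_logs.append(host)           # nothing reaching the collector
    live = len(assets) - len(no_edr) - len(stale_edr)
    return {
        "no_edr": no_edr,
        "stale_edr": stale_edr,
        "no_logs": no_logs,
        "edr_coverage_pct": round(100.0 * live / len(assets), 1),
    }


def run_report():
    """Run the reconciliation over the constructed sample data."""
    return coverage_gaps(load(ASSET_INVENTORY), load(EDR_EXPORT, "last_seen"),
                         load(LOG_SOURCES, "last_event"))


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

The stale-agent bucket is the one a console dashboard tends to hide: the vendor counts the host as "protected" because an agent was once installed, while the host has in fact gone dark. The same pattern applies to any control the license already covers (AV, disk encryption, MFA enrollment) once you have an export to join against.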
2. Be prepared for vulnerabilities in IT operations.
While the cybersecurity team may have emerged unscathed, the broader IT organization is typically a prime candidate for cutbacks, particularly after large-scale migrations to the cloud and the introduction of automation.
Attrition and hiring freezes, for example, could affect patching programs, Taylor says, adding that as the patching backlog grows, the business risks exposure to more vulnerabilities.
"It's the operational IT teams that you might want to keep an eye on to say, 'Are they still able to deliver the same level of quality that you would expect?'" Taylor says. "You can very easily have a situation where they haven't finished applying the last set of patches by the time the next ones come through, that maybe they're not able to apply the same level of diligence to firewall exchanges to decommissionings to migrations. So you end up with firewall rules left in place, pointing at places that they shouldn't be pointing at."
Taylor advises security leaders to monitor the metrics of patching programs and staffing demands, talk with their counterparts about the potential impact on security and agree on an acceptable level of risk for the enterprise.
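Taylor's warning is that a thinner operations team shows up first as a patch backlog that outruns the patch cycle, so the metric worth watching is not "patches applied" but the age of what is still open against an agreed remediation SLA. The script below is an added example, not code from the article or from Canon; it reads a constructed vulnerability-scan export embedded inline, applies assumed per-severity SLA values, and produces the backlog figures (open, overdue, oldest, mean time to remediate) a security leader could put in front of the IT counterpart to agree on an acceptable level of risk.

```python
import csv
import io
from datetime import date
from typing import Dict, List

# Constructed sample export (not real scan data): one row per finding,
# fixed_on blank while the finding is still open.
SCAN_EXPORT = """finding_id,host,severity,first_seen,fixed_on
F-001,web01,critical,2023-01-10,2023-01-20
F-002,web01,high,2023-01-15,
F-003,db01,critical,2023-02-01,
F-004,db01,medium,2022-11-01,
F-005,fs01,high,2023-02-20,2023-02-25
F-006,fs01,low,2023-01-05,
F-007,laptop-042,high,2023-02-26,
"""

# Assumed remediation SLA in days per severity; substitute the agreed values.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
AS_OF = date(2023, 3, 1)  # assumed reporting date


def load_findings(text: str) -> List[Dict]:
    """Parse the CSV export into dicts with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "id": row["finding_id"],
            "host": row["host"],
            "severity": row["severity"].strip().lower(),
            "first_seen": date.fromisoformat(row["first_seen"]),
            "fixed_on": date.fromisoformat(row["fixed_on"]) if row["fixed_on"] else None,
        })
    return rows


def backlog_metrics(findings, as_of=AS_OF, sla=SLA_DAYS):
    """Per-severity backlog: open count, overdue IDs, oldest age, mean time to remediate."""
    metrics = {}
    for sev, limit in sla.items():
        open_ = [f for f in findings if f["severity"] == sev and f["fixed_on"] is None]
        fixed = [f for f in findings if f["severity"] == sev and f["fixed_on"] is not None]
        ages = [(as_of - f["first_seen"]).days for f in open_]
        overdue = [f["id"] for f, age in zip(open_, ages) if age > limit]
        ttr = [(f["fixed_on"] - f["first_seen"]).days for f in fixed]
        metrics[sev] = {
            "open": len(open_),
            "overdue": overdue,
            "oldest_days": max(ages, default=0),
            "mean_ttr_days": round(sum(ttr) / len(ttr), 1) if ttr else None,
        }
    return metrics


def headline(metrics):
    """Roll the per-severity figures up into the numbers for the one-line summary."""
    total_open = sum(m["open"] for m in metrics.values())
    total_overdue = sum(len(m["overdue"]) for m in metrics.values())
    pct = round(100.0 * total_overdue / total_open, 1) if total_open else 0.0
    return {"open": total_open, "overdue": total_overdue, "overdue_pct": pct}


def backlog_report():
    """Run the metrics over the constructed sample export."""
    metrics = backlog_metrics(load_findings(SCAN_EXPORT))
    return metrics, headline(metrics)


if __name__ == "__main__":
    per_sev, summary = backlog_report()
    for sev, m in per_sev.items():
        print(f"{sev:9} open={m['open']} overdue={m['overdue']} "
              f"oldest={m['oldest_days']}d mean_ttr={m['mean_ttr_days']}")
    print("summary:", summary)
```

An "oldest open critical" older than the patch cycle is the concrete form of Taylor's "haven't finished applying the last set of patches by the time the next ones come through." Tracking the figures month over month, alongside headcount on the operations team, gives the staffing-versus-risk conversation something better than anecdote.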
3. Renegotiate contracts with your managed services vendors.
Some organizations already rely on managed security vendors for parts of their security operations, and Finney says he is increasingly among them. Beyond reducing costs and consolidating vendors, Finney says he has found partners who have "skin in the game ... By doing that," he says, "they make my program more effective."
2023 is a prime climate for negotiating better deals with MSS firms, Finney says. "One of the biggest cost centers in security is just capturing all of the logs that you need to and managing all of those flows. That's really ripe for cost reductions, especially with the way that storage has gone down in cost so much lately, whereas, a lot of those licensing costs or management costs have stayed the same or gone up."
4. Take a hard look at your supply chain partners.
No matter how sophisticated your defenses are, you're only as secure as your weakest partner, which may very well be a supply chain partner, says Taylor.
"You tend to then completely forget about this whole sector of society who are not at this exact same level, and this is really worrying," he says. "Ignore those people at your peril because they form part of your supply chain. They form part of your supply chain's supply chain. Their machine, their systems can be used to attack you and your supply chain."
In addition to vetting suppliers for their cybersecurity practices, Taylor recommends taking the extra step of educating them and helping to strengthen their programs. "I really do believe in starting to look at your supply chain and your supply chain's supply chain and start to work out how I can take some elements of our education and some elements of our information and start to pass it down the chain to - hopefully, for the good of society - improve their information security."
5. Double down on cyber awareness training.
Employees are being bombarded with phishing emails and texts for a variety of scams, and attackers are targeting login credentials to gain access to data and carry out ransomware campaigns. Niamh Muldoon - CISO at software vendor Fenergo - says security leaders need to recognize that "it's about people, processes and technology, and thinking about clever ways of integrating security first into everybody's day-to-day roles."
An inexpensive way to build that culture is through regular employee recognition, she says. Recognize them "through a thank-you about how they've demonstrated security first - and celebrating that. The most obvious places to do that are maybe at your company all-hands and at your celebrations at social and sporting outings."
6. Focus on incident response and resiliency.
Security leaders advise applying some of the lessons learned from the early months of the pandemic to budget planning. Szczepanik, whose company supports the aviation industry, felt the impact immediately in March 2020, when global travel abruptly stopped and flights were canceled. With ransomware attacks rising at alarming rates and budgets on hold, he focused on updating the company's incident response and resiliency plans.
"We redesigned it completely and we did several tests of that incident response plan," Szczepanik says. "And that also prepared the business for what it may be like if the threats become real."
Essar Oil's new plan covered both IT and OT and included security teams, legal teams, communication, HR, finance and top board members - "if we had to make a decision on either paying a ransom or shutting the business down."
Szczepanik recalls some said the project was too complex and impossible to achieve. "But what I would say is: Nothing in life is perfect, and you just need to get on with it and do it," he says. "And once you do it, you will learn from what you could have done better, and you will improve it next time."
7. Beef up your email defenses.
During the early stages of the pandemic, Szczepanik says email defenses were his top-priority security investment - and he had to fight for the budget. Email, he says, is the most exploited attack vector by cybercriminals.
The company licensed new software focused on identifying email-based phishing threats, but he says that his team spent a considerable amount of time configuring the software to reduce risks even further.
"We did quite significant work on upgrading our email security, but not just buying it - reviewing every single policy, talking to the business about what needs to be done, what are they doing? How can we define those rules to prevent those initial attack vectors?" he says.
8. Introduce more automation of security processes.
Automation is another potential investment that can speed threat detection and response for organizations with limited resources in the midst of a hiring freeze. Finney says his organization has been implementing automated workflows for some time, and he is seeing results - a faster response to alerts and a reduction in support hours.
But he cautions that you can't move too quickly in rolling out automated tools because you've got to trust the data coming from the tools. "Automation can unnecessarily complicate a simple issue. Automation maybe makes it harder to troubleshoot if the automated tools are changing things and you don't have visibility into it," Finney says.
9. Look for projects that will reduce cyber insurance costs.
Another security-related cost that shows no signs of declining is cyber insurance. With cyberattacks intensifying, cyber insurance companies are raising their rates. Finney says cyber insurance has "essentially quadrupled for the same amount of insurance and deductibles have gone up." He says that insurance companies are rewarding organizations that invest in cybersecurity and risk management, which can be a challenge in lean times.
"I worry that if we're not continuing to invest in security, it's like 'Alice in Wonderland.' You've got to kind of run to stay in the same place," he says. "I think finding strategic ways of focusing your cyber program on what matters the most is what we've got to do."
10. Train and hire security specialists from within.
Finding and keeping skilled resources has been a challenge facing the cybersecurity industry for years. But what happens when key people leave and you can't replace them? One approach is to cultivate security talent with existing IT employees. Szczepanik points out that some of his team members have transferred in from IT infrastructure and support, and they have learned new skills through training programs.
"Training sometimes costs less than the recruitment process, going through the probationary period, going through the performance management with your new staff," he says. "If you can develop somebody within your team and they are willing to be developed, why wouldn't you do that?"
Think Long Term, Not Short Term
While organizations of all sizes are likely to feel the bite of an economic downturn, experts advise: Don't forget that economic conditions will change. It's OK to respond to short-term needs, but keep thinking long term. Finney points out that Patreon, an artist crowdfunding site, laid off its entire cybersecurity staff in the fall of 2022. That company, he says, will be hard-pressed to attract new talent if it ever decides to bring security back in-house.
In fact, major cuts in cybersecurity programs could lead to legal liabilities for companies and potential accusations of negligence in the wake of a data breach, he says.
"That could haunt you for a long time," Finney says.
The solution to good cybersecurity is not an unlimited budget, Szczepanik says. "The solution is to have somebody who knows how to use that budget, to have a team of individuals that not only can do the job, but they are passionate about this."