It's always easier to upgrade an organization's defenses when times are flush and money's no object. But try getting your CFO to fund a new cybersecurity project when the boom goes bust.
Good luck with that.
In the immediate past, the security function received ample investment to add staff and equip teams with the latest and greatest security tools. But when uncertainty clouds the economic climate, companies rein in overall spending, reduce head count, and back away from investment projects not deemed essential. This is also when CISOs get put to the test.
The security leaders of the organization don't have the luxury of sitting on their hands until the business cycle picks up again. Threat actors operate during good times and bad, and trust me, they will find, and exploit, the vulnerabilities that emerge from neglected defenses.
But for the foreseeable future, with the spigots closing, CISOs will need to find ways to do more with less.
Dealing With a New Reality
That sounds painful, but CISOs can handle the drill. Speaking as a former CSO, we're always under pressure to achieve more, especially when the cost of all that security overhead comes under scrutiny.
CISOs now find themselves operating in a new environment. In short, the new reality imposes a new discipline.
For starters, security departments need to learn to be leaner than in previous years as the C-suite directs them to squeeze more out of their current technology deployments. The new marching orders will challenge their skills as business managers, forcing them to step beyond their comfort zone as technologists, perhaps for the first time.
In practice, that may require them to reduce head count and review their security ecosystems to eliminate overlapping tools while strengthening the controls that support each other. They'll also need to demonstrate that the tools they're using are working as expected and that they're optimized by feeding them the latest available intelligence.
Some CISOs might want to push back. But savvy CISOs will recognize they need to demonstrate that they can run a smart operation, just as smartly as the other departments in the business.
If you want your organization's security to be fit, then accept the oversight and invite the new rigor coming from your board. Do the necessary advance work and be prepared to defend your asset deployment. That is just sound business practice.
If you can explain how you're spending the company's dollars to secure the business and demonstrate that you're running an efficient operation, it pays off later on. When new threats do materialize and you make a case for a bigger budget, you'll be presenting to a more supportive and appreciative board.
When I was running cybersecurity at BT, I examined how we were set up and discovered that we had far more managers than doers. In other words, we were top-heavy with more tiers of management than was needed. So I restructured our operations to flatten the org chart, giving the employees more responsibilities and accountabilities across a broader base.
At first blush, that sounds as if I squeezed people harder than ever. But it was just the opposite. We were giving them broader, more enriched roles because the people who work in security have a real passion for what they do. All they ask is to be given the environment, the tools, and the data to do a great job. So my role was to promote that rationalization and make sure we were properly aligned to have the best possible impact defending against attackers. And after expanding the responsibilities of the people in my security teams, guess what? They loved it.
Winding Up Stronger Long Term
Everyone has an innate resistance to change, but this is a moment where CISOs must step up to meet the challenge. With knowledge comes power: Not only will they learn a lot about the true capabilities of their own security organizations, but they'll also wind up better able to define future security strategy.
Gaining a clear idea about your attack surface is a fundamental prerequisite if you hope to marshal your resources against the types of attacks heading your way. Do you have the right overlapping controls? Have you got controls that have been around for a long time? If so, are they still delivering value, or have they become expensive albatrosses? If the latter, get rid of them and lighten the operational load on your teams, so you can double down on the things that matter.
Next, consider what intelligence you have, and what you wish you had access to. If you're a CISO of a major financial institution, for example, might it be beneficial to know what threat intelligence other CISOs from competitor organizations are gathering? It might be counterintuitive to share information with rivals, but it's time to reframe our thinking around what's truly proprietary and what information we could all benefit from. Sharing threat intelligence through communities like Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), and others is an effective way to bolster your defenses without having to start from scratch.
Elsewhere, have you made sure that your offboarding processes are working properly and limiting data access? Over the years, some employees may have aggregated access privileges that no longer make sense given their current jobs. That's a recipe for major trouble if they get compromised.
Do all this so if (and when) you're ordered to make cuts, you can talk from a position of knowledge, and also ensure you're getting the most out of your existing investments. Remember, security doesn't live in products; it lives in intelligence and your ability to access and put that intelligence to work. Having done the requisite analysis, you'll be talking in business terms back to your board. That's a language they will understand and it will set you up to be stronger in the long term.