Security Strategy for CISOs during Stagflation
Kapil Bareja
Thought Leader focused on creating meaningful adjustments in an environment that is rapidly growing | Global Ambassador Responsible AI | Identity | Data Security | Author/Advisor | Investor | Board Member QTE | GCISO |
While economists debate the technicalities of whether we are in a recession or not, the rest of us are left preparing ourselves for a downturn. With a wave of tech layoffs at the top of the news cycle, and cybersecurity startups caught up in that trend, is it any wonder that the “R” word is on everyone’s minds?
I spoke with CISOs and industry analysts to get their take on how security leaders should be preparing for a (perhaps already present) recession. Here are their top recommendations, but I’d be remiss to leave out the commentary that started the discussion: is a 2022 recession going to be different from anything we’ve seen before?
The world is certainly different from the Great Recession of 2007-2009, so the question seems fair.
In many ways, 2022 is very similar to previous downturns. We’re seeing security teams of all sizes face a tension between speed and security, and trying to plan for the future without a crystal ball.
Yet 2022 is also a unique ‘soup’ of factors that make a looming recession a bit more threatening for security teams especially. During Covid, organizations opened themselves up to unprecedented levels of risk by moving their workforces to remote operations overnight, and let’s face it: most haven’t closed those gaps. Attackers are more motivated than ever before, and with cryptocurrency more accessible, it’s easier for them to monetize their criminal activity.
Even if a 2022 recession is never officially labeled, or turns out to be mild, preparing for an economic downturn should be a priority for every CISO or security leader, ideally in advance of that downturn.
1. Frame Your Organization’s Risk in Terms Other Leaders Will Understand
CISOs and security leaders are masters at identifying and predicting business-critical risks, so a common pitfall they face is assuming other business leaders are thinking about risk in the same way. The truth is, CISOs need to be more prepared to speak about risk in terms that leaders in other functions will more easily relate to.
One of the things that a security leader needs to start pushing for is quantifying risk and showing how an incident at this time specifically results in an impact to the bottom line and the ability to operate. If that risk could be catastrophic, it could be above risk tolerance. Because if you get hit now, when resources are scarce and it's enough to affect your bottom line… those are the languages that we need to speak to the business.
To do this effectively, you’ll need to collaborate with your fellow leaders, intentionally breaking down the silos between your functions. Here are a few examples of why this is critical.
The 2017 Equifax Breach and the Language of CFOs
Take the 2017 Equifax hack as an example. This data breach was considered the largest identity theft cyber crime ever, exposing the personal data of roughly 147 million people.
People would say that [Equifax] wasn't a big deal because ‘they could afford it.’ Now let's translate that into CFO terms. The fines alone were enough to wipe out net income for 18 months. Just in the fines. That's a very different message than, ‘Oh, it cost me a couple hundred million, but I make a billion.’ It's very different.
The language of the CFO and the board is going to be like, “Shit! What would it look like functionally if they had no net income because of a security incident? On top of the increased regulations that are now an added pressure? Precedent for opening up civil lawsuits?” …
It's not just about, “Oh, I have a data breach and there's, you know, an average cost of $1.25 per record.” The story is so much more comprehensive than that.
You have to be able to speak the language of that.
Security in the Language of the CMO: Protecting Reputation and Revenue
Explore Your Organization to Communicate Risk More Effectively
From an organizational perspective, as a security executive, there are two elements you have to stay on top of: What are the key initiatives, outside of security, that your organization is doing? And how can you map those back to what security is doing?
To communicate risk most effectively across your organization, it’s important that you understand the broader context of what other business functions are focused on. This will help you relate security priorities to business priorities, and help protect your team and budget from cuts.
2. Evaluate Institutional Knowledge and Implement Safeguards
Faced with resource constraints, nearly every organization is at risk of losing institutional knowledge. Most companies choosing to reduce their workforces will implement ‘peanut butter spread’ cuts across the board, which inevitably affect security teams, even when risk has been contextualized appropriately. Knowing that a recession could create the need to reduce their team, how can CISOs and security leaders prepare? Understand and evaluate institutional knowledge, and implement safeguards to prevent over-reliance on it.
Preserve Institutional Knowledge When Possible, but Have a Plan B
First, on understanding the value of institutional knowledge. The value that your security organization is bringing is not only the domain knowledge of how to operate a particular tool or even how to code in a particular language. It's that understanding of how you translate organizational objectives into a technical reality, right?
The moment that you are letting go of security people within the security organization, you're losing not only some technical capability that you may potentially be able to offset with an outside firm, but you're also losing that organizational knowledge.
Risk managers should never rely on one person or a small group of people for any one thing. So if there is a crux of institutional knowledge, where's your failover? You know, humans are humans. Something can happen. What is your plan B?
So, yeah, you don't want to let [institutional knowledge] go, but you need to plan for it leaving.
You've got to start memorializing that knowledge and being strategic about it because people are not forever. You've got to start pushing it over, having some redundancy in that knowledge.
A Simple Stress Test: Take a Vacation
3. Ensure Visibility of Your Infrastructure to See Opportunities to Reduce Costs
If you have to reduce your spend next quarter and you want to preserve your team, where would you cut? This question is difficult to answer if you don’t have a clear understanding of your cyber asset inventory, cloud usage, or other critical security resource questions.
There may be ‘low-hanging fruit’ opportunities to reduce costs that you are simply blind to. Resolving these blind spots now will ensure you are ready to make the best decisions for your organization later.
Good Cloud Architecture: It Costs Money Because It Saves Money
Comment (2 years ago): Great advice! Preparation is key. Preparing will allow you to be proactive when it comes to managing risks associated with the business impact of cybercrime. A million thanks for sharing.