As interest rates rise and profits slow in Canada and the U.S., a number of chief executive officers (CEOs) are telling managers — including infosec leaders — to cut spending. One of the latest is Patreon, a platform for content creators, which said five of the 80 people laid off this month were from its application security team.
The company maintains application security won’t be compromised. But examples like this raise the question of what chief information security officers (CISOs) should do when told their budget has to be trimmed.
They can reduce the number of tools they deal with and rationalize some processes, says Tony Buffomante, Illinois-based global head of cybersecurity and risk services at Wipro.
“It’s not uncommon to have up to 60, 70, 80 tools. Things like vulnerability assessment tools, compliance tools or identity and access management tools.”
Switching from best-of-breed point products to a single suite that covers several functions may not only save money but also simplify reporting, because the log data ends up in one place.
But, he added, IT security departments that don’t have a good handle on all their tools and where their data resides “are really struggling right now to prove their value.”
To be prepared for the ups and downs of business cycles, infosec leaders need an agile operating model, Buffomante said.
“There are certain processes that organizations need to execute to either maintain compliance or mitigate risks. We’re seeing organizations that have an agile operating model are able to pivot those resources. They have automated a number of processes, have implemented things like governance-risk compliance technologies that can automate assessments of their environment and third parties, and take the human element out of 60 per cent of the equation. They are also pivoting some of their spend to make sure it’s aligned with the most strategic business priorities — implementation of cloud, for example — and reducing some of the lower-risk activities.
“But that entails that the organization really has a handle on what are the most critical assets, the crown jewels, the highest risk areas. Those organizations that have done a good job identifying that and have an agile model have been able to dial up and dial down the spend” where necessary.
Wipro is an international IT consulting and services firm that surveys its customers twice a year about their needs. “A topic that continues to come up with our clients under the current headwinds … is how should they be thinking about their cyber investments?
“Our CISOs and other security practitioners are really struggling.”
“We’re starting to see a little bit of a slowdown on cyber transformation programs,” he added. “That concerns me because the pace of business continues to change [and] the pace of technology adoption continues. What we want to make sure is the maturing of cyber programs continues to keep pace with business and technology updates. Otherwise we start to open up to undue risk.
“We’re certainly not advocating increasing budgets in this economic time. We’re advocating a balanced approach where [the organization] can see shifting some priorities in the security organization to better align with the business strategy.” That would allow “a better articulation of the return on investment from a risk reduction standpoint, and an ability to drive customer trust and potentially enter new markets.”
Forrester Research recently argued that security leaders’ response to a recession will depend on the type of organization they work for: High-growth, moderate-growth, no-growth or negative-growth (that is, the firm’s revenue is declining).
Security leaders in high-growth firms should align their programs with customer obsession, while those encountering turbulence will need to emphasize value, Forrester suggests.
Regardless of the state of the company, it adds, security requirements and policies will need to be linked to customer and regulatory requirements. There will be opportunities to consolidate security applications, including outsourcing some functions.
However, some infosec staff may have to be cut. In that case, Buffomante says, infosec leaders have to identify which services align with the business, add value and cannot be eliminated. A recommendation should then go to the board so that it accepts that any changes may come at the cost of a higher level of risk.
Some of that added risk may be mitigated by turning to lower-cost managed service providers and automating some tasks.
The way layoffs are handled can cause “angst and disgruntlement” among staff, he added, increasing the insider threat. That means IT staff have to increase monitoring for this type of threat, particularly among staff who have elevated access to systems.
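One concrete form the monitoring above can take is reconciling the HR separation list against identity data and audit logs. The following Python is an added example, not code from the article, Wipro or Patreon; the HR list, IAM snapshot, log lines, field names, dates and thresholds are all constructed here for illustration and will differ from any real IdP or SIEM export. It flags three things for departing staff: privileged accounts still enabled after the separation date, any activity after that date, and bulk actions by privileged leavers during their notice window.

```python
"""Offboarding reconciliation for privileged leavers (added example; all inputs constructed)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed HR separation list: who is leaving, when, and whether they hold elevated access.
HR_SEPARATIONS = [
    {"user": "alice", "separation_date": "2023-06-15", "privileged": True},
    {"user": "bob", "separation_date": "2023-06-15", "privileged": False},
    {"user": "carol", "separation_date": "2023-06-30", "privileged": True},
]

# Constructed IAM snapshot: whether each account is enabled and which roles it still holds.
IAM_ACCOUNTS = {
    "alice": {"enabled": True, "roles": ["prod-admin"]},
    "bob": {"enabled": False, "roles": []},
    "carol": {"enabled": True, "roles": ["db-admin"]},
    "dave": {"enabled": True, "roles": ["prod-admin"]},
}

# Constructed audit-log export, one JSON object per line (field names are assumptions).
AUDIT_LOG = """
{"ts": "2023-06-14T22:10:03Z", "user": "alice", "action": "login", "src": "10.0.5.12"}
{"ts": "2023-06-14T22:12:40Z", "user": "alice", "action": "s3.GetObject", "count": 420}
{"ts": "2023-06-16T09:01:11Z", "user": "alice", "action": "login", "src": "203.0.113.7"}
{"ts": "2023-06-20T13:30:00Z", "user": "carol", "action": "login", "src": "10.0.5.40"}
{"ts": "2023-06-20T13:31:00Z", "user": "dave", "action": "login", "src": "10.0.5.41"}
"""

# Point in time at which the checks are run (constructed).
NOW = datetime(2023, 6, 21, tzinfo=timezone.utc)


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _cutoff(separation_date):
    # Assumption: access must be gone by the end of the separation day, so the
    # cutoff is midnight UTC at the start of the following day.
    d = datetime.strptime(separation_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return d + timedelta(days=1)


def parse_audit_log(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def stale_privileged_accounts(separations, iam, now):
    """Privileged leavers past their cutoff whose account is still enabled or still holds roles."""
    stale = []
    for s in separations:
        acct = iam.get(s["user"])
        if not acct or not s["privileged"]:
            continue
        if now >= _cutoff(s["separation_date"]) and (acct["enabled"] or acct["roles"]):
            stale.append(s["user"])
    return stale


def post_separation_activity(separations, events):
    """Any audit event attributed to a leaver at or after their cutoff (should be empty)."""
    cutoffs = {s["user"]: _cutoff(s["separation_date"]) for s in separations}
    return [e for e in events
            if e["user"] in cutoffs and _parse_ts(e["ts"]) >= cutoffs[e["user"]]]


def notice_window_bulk_activity(separations, events, window_days=14, threshold=100):
    """Bulk actions (count >= threshold) by privileged leavers in the days before their cutoff."""
    flagged = []
    for s in separations:
        if not s["privileged"]:
            continue
        end = _cutoff(s["separation_date"])
        start = end - timedelta(days=window_days + 1)
        for e in events:
            if e["user"] != s["user"]:
                continue
            ts = _parse_ts(e["ts"])
            if start <= ts < end and e.get("count", 0) >= threshold:
                flagged.append(e)
    return flagged


def run_checks(now=NOW):
    events = parse_audit_log(AUDIT_LOG)
    return {
        "stale_accounts": stale_privileged_accounts(HR_SEPARATIONS, IAM_ACCOUNTS, now),
        "post_separation": post_separation_activity(HR_SEPARATIONS, events),
        "bulk_in_notice_window": notice_window_bulk_activity(HR_SEPARATIONS, events),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(name, json.dumps(hits))
```

On the constructed data the check surfaces alice: her prod-admin account is still enabled six days after separation, she logged in from an external address after her cutoff, and she pulled 420 objects the night before leaving. The point of keying everything off the HR separation date is that the same reconciliation runs cheaply and repeatedly, which matters when the team that would otherwise do it by hand has just been reduced.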