5 Big Mistakes CISOs Should Avoid During a Downturn
Whether or not the economy is headed for recession, budgets are tightening. It’s time for security executives to be supremely well prepared.
No one can know how rough the headwinds facing the U.S. economy will become in 2023. The broad consensus among economists is that the nation is heading for recession. Of course, some prognosticators have predicted a soft landing for the U.S., but they are not in the majority.
While economists are often wrong in predicting recessions, a much more reliable indicator was clearly flashing red earlier this month: the yield curve, or the difference in yields between long-term and short-term bonds. The gap between 10-year bond yields and those maturing in three months was the biggest since 2000, signaling that growth in the future will be much slower than it is today.
All this uncertainty puts executives in a tight spot. They need to remain nimble—possibly facing reduced budgets, even for cybersecurity—while regulatory pressures and cybercrime continue to increase. A downturn is a difficult time to reduce security spending and an easy time to make a mistake in lowering an organization’s readiness.
To help CISOs be prepared for whatever happens over the year ahead, Focal Point reached out to a handful of veteran security leaders who’ve witnessed their share of economic highs and lows over their careers, asking them about the mistakes security executives typically make during tough times.
Following are the common errors they advised organizations to avoid.
Mistake 1: Inadvertently trimming security functions
When IT staff gets cut, security operations often needlessly face the axe too. Essential tasks such as running routine backups and ensuring people are appropriately provisioned to resources can fall victim.
“A big swath of businesses counts the security budget as part of the IT budget, and in that sense, some part of security will be dealt blows,” says Wim Remes, managing director at Damovo Security Services EMEA.
The cuts can be indiscriminate and poorly targeted. “It’s a big mistake to cut blindly and let people in the trenches deal with the fallout,” warns David Elfering, a cybersecurity specialist and senior vice president at Marsh, a global insurance broker and risk adviser.
In the face of staff cuts and reorganizations, security leaders should understand which security functions affected staff perform and make sure those functions will still be conducted following any changes.
Mistake 2: Continuing to spend on outdated tools
Security investments often have the worst kind of momentum: Legacy tools that don’t provide the value they once did often remain on the books for years in the form of outdated licenses, subscriptions, and maintenance contracts. Tools can include old vulnerability scanners that outside services have replaced or security-point solutions that newer suites provide.
In its 2023 security and risk planning guide, global market-research firm Forrester says it’s always productive to trim single-point security products and legacy on-premises tools. The approach is especially prudent during a market downturn. Forrester advises organizations to decrease or even avoid point tools such as data loss prevention, user behavioral analytics, managed security services providers, and other legacy security controls.
Michael Farnum, CTO at Set Solutions, adds that when budgets are tight, it’s not a good time to withdraw from providers. Instead, it’s an excellent time to reach out to vendors and figure out how their product roadmaps sync with your strategy. “During the pandemic economic downturn, I found that vendors concentrated on development efforts and began to develop more platforms,” he says. “That presents an opportunity for CISOs to consolidate their security stack.”
Mistake 3: Failing to mitigate insider threats
With rising inflation, economic uncertainty, and an increasing number of layoffs, there’s a higher risk of upset employees. In fact, insider threats often come from employees who’ve been terminated and want revenge.
In September, an IT admin let go from his job at a financial services company based in Hawaii pled guilty to illegally disrupting his former employer’s systems for several days. According to the U.S. Department of Justice, the former admin used his old credentials to access configurations and deny access to the company’s website and email.
Insider threats like these can strike anytime, not just during economic downturns, and they can be incredibly damaging. Consider cases such as the Twitter employee convicted of taking bribes to provide private Twitter user information to the Kingdom of Saudi Arabia or the former U.S. Army helicopter pilot and civilian contractor who accepted bribes from the Chinese government to provide information about the defense contractors where he worked.
Mitigating insider threats during a downturn largely depends on having capabilities in place to monitor user activity and remove access when work status changes. “During downturns, there are often layoffs, so now is the time to check: When an employee leaves, is his or her access removed everywhere, including the VPN and external cloud and mobile apps?” asks John Pescatore, director of emerging security trends at SANS Institute.
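As an added illustration of the check Pescatore describes (example code, not from the article or any of the firms quoted), the following Python reconciles a constructed HR departure feed against constructed account exports from a VPN, a cloud identity provider and a mobile device manager, and flags any departed user whose account is still enabled once the offboarding grace period has elapsed; all names, systems and dates are hypothetical.

```python
"""Offboarding reconciliation: find departed staff who still hold enabled
accounts in any connected system (VPN, cloud IdP, mobile MDM)."""
from dataclasses import dataclass
from datetime import date

# Constructed sample data (hypothetical users and systems): an HR feed of
# departures and a per-system export of accounts with their enabled state.
HR_DEPARTURES = [
    {"user": "jdoe", "last_day": date(2023, 1, 13)},
    {"user": "asmith", "last_day": date(2023, 1, 20)},
]
SYSTEM_EXPORTS = {
    "vpn": [{"user": "jdoe", "enabled": True}, {"user": "bwong", "enabled": True}],
    "cloud_idp": [{"user": "jdoe", "enabled": False}, {"user": "asmith", "enabled": True}],
    "mobile_mdm": [{"user": "asmith", "enabled": True}],
}
AS_OF = date(2023, 1, 31)  # date the check is run (constructed)


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    days_since_departure: int


def lingering_access(departures, exports, as_of, grace_days=0):
    """Return one Finding per (user, system) where a departed user still has an
    enabled account after the agreed grace period following their last day.
    Disabled-but-present accounts are not flagged; deleting them is a separate step."""
    findings = []
    for dep in departures:
        elapsed = (as_of - dep["last_day"]).days
        if elapsed < grace_days:
            continue  # still inside the offboarding window, not yet a finding
        for system, accounts in exports.items():
            for acct in accounts:
                if acct["user"] == dep["user"] and acct["enabled"]:
                    findings.append(Finding(dep["user"], system, elapsed))
    return findings


def run_check(grace_days=1):
    """Convenience wrapper over the constructed data above."""
    return lingering_access(HR_DEPARTURES, SYSTEM_EXPORTS, AS_OF, grace_days)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f.user} still enabled in {f.system} ({f.days_since_departure} days after departure)")
```

In practice the two inputs would be pulled from the HR system and from each system's user API or export; the point of the check is that every system granting access appears in the export dictionary, because a system that is missing from it is exactly where access goes unremoved.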
Organizations also need to strengthen their ability to detect abnormal system activity and track the flow of sensitive data, according to the experts we interviewed.
Mistake 4: Spending on hot security trends while neglecting security basics
With limited resources, security leaders often try to fix their security gaps with the latest shiny new thing in technology. “During a downturn, CISOs and organizations risk taking their eye off the ball,” says Martin Fisher, director of information security and chief information security at Northside Hospital in Atlanta.
“Instead of focusing on the key capabilities their program needs—which are usually basic, boring, and unsexy but crucial—they somehow think they can overcome the budget issues by focusing on the ‘new hotness,’” says Fisher. For example, they implement a new open-source software package with a new feature that adds some value, but then spend less time investing in the essentials, such as tabletop exercises or conducting incident-response reviews. Fisher thinks downturns are often times when organizations inadvertently open themselves to poor decision-making.
Pescatore of SANS argues that tight economic environments call for ensuring that the basics are in place. In addition to monitoring anomalous network behavior and effectively provisioning and deprovisioning access to resources, other focus areas include endpoint security, configuration management, device vulnerability management, and attack surface management—all of which can reduce risk to an organization.
Mistake 5: Losing focus on security strategy
Security leaders often get so intent on putting out everyday fires that they neglect the overall security strategy.
“Organizations often make the big mistake of not always having an idea of their security spending,” says Elfering at Marsh. “They don’t know where the budgets go, what it supports, and what is essential and aligned with the business strategy.”
It’s important to be able to quickly adjust the budget, because you don’t know when you’ll be asked to find ways to improve. “What can you live without?” asks Elfering. “That’s a decision you should always be ready to make.”
Of course, it’s not all about cuts, even in belt-tightening times, according to Forrester. The research firm recommends increasing spending in supply chain security, endpoint detection, incident response, and attack surface management.
In its report, the firm also advised organizations to pay special attention to securing customer-facing areas that drive revenue and be sure to keep modernizing the security program over time through efforts such as zero trust.
In many organizations, security should rightfully not get cut. “Unfortunately, the real story is that most companies have underspent on security—by a lot—over the last half-decade,” says Remes at Damovo Security Services EMEA. “We now see companies that have compounded, for example, 15% underspend every year for multiple years, and many now cut their spending further.” Remes says the result is relatively predictable for these unfortunate companies: “They’ll get hacked.”
While it’s unlikely that security spending will take the full brunt of budget cuts if a recession strikes, security leaders should be prepared to make some hard decisions. Ultimately, when companies skimp on security, they eliminate a critical area that’s vital to their future success.