Managing Cybersecurity Through the Economic Downturn
Consider the economic downturn as part of a cyclical process. It puts everything in a better perspective. No longer is it something “happening” to us, but rather, an opportunity to expand and thrive in the aftermath of the slump.
It’s easy to apply this frame of mind to business operations, but why stop there? It is as applicable to cybersecurity. Wondering how? In this blog, we’ll answer that – outlining specific ways to manage cybersecurity through the economic downturn.
Start With a Strategy
Everything that you do in 2023 will set the tone for the years that follow. Each “right” turn you take builds a stronger cybersecurity posture. But knowing right from wrong depends on aligning your long-term information security and business strategies. Because of this, the first action you should take is to set a three-year vision to guide each decision and investment. This plan should be based on an updated Risk Assessment so that you know where your security gaps are. Doing so optimizes not only your information security program but also your organization’s resilience.
Start here > If you aren’t sure how to set up a three-year plan, you can align your information security program and controls with open, trusted frameworks like ISO 27001, NIST, CIS Controls, and ENISA. By leveraging these proven principles, you don’t have to reinvent security. Instead, you will have a formula that is tried and true – and works as a checklist for your plan.
Tip > One of the advantages of aligning your information security plan with a framework is that you can go to security vendors and have them supply a document that maps their product to the requirements. Doing this for each of your vendors will show you which security products integrate well to simplify operations (this reduces cost, too).
Continue to Make Sensible Investments
More than three-quarters (76%) of SMBs surveyed in a 2022 study were affected by at least one cyberattack in 2021, an increase from 55% who said the same in 2020. While an SMB’s costs related to these attacks vary based on the incident and its damages, it’s unlikely to survive completely unscathed.
With the tightening of budgets during an economic downturn, we have to assess the overall risk of pulling back on cybersecurity investments. In any year, costly attacks threaten the viability of companies, and that fragility is only multiplied in uncertain financial times.
The benefits of making sensible investments aren’t limited to mitigating risks, but also adding value. We know that strong cybersecurity is a business enabler. By investing in it when your competitors are pulling back, you put into motion a differentiator that can help win a bigger percentage of the available business.
Tip > Consolidate your vendor list when choosing who to buy from. That could mean going from 20 vendors to 15. Advantages of this approach include saving time on vendor management and due diligence. By limiting your technology partners, you’re likely to get better pricing on a larger block of products, services, and licensing deals. However, this “downsizing” should never take precedence over selecting the vendors that are the best fit for your cybersecurity.
Raise Your Bar on Efficiency
Are you currently capitalizing on your security investments? If the answer is ‘no,’ it’s probably because of the common problem of mapping out CapEx without fully preparing for the OpEx needed. And because the support for optimal deployment and tuning wasn’t there, you’re now not able to take full advantage of what you’re paying for.
Start here > Before considering additional security tooling investments, take stock of what you need to make the most of what is already deployed. This could include training for administrators and help with tuning or policy management.
Tip > Consider conducting a penetration test even if you’re confident in your security. By conducting a full test instead of relying on scanning alone, you may find vulnerabilities that highlight necessary tuning. Even if you’re scanning every week and patching, there is always the chance that your scanner wasn’t configured properly and is missing non-standard ports.
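One practical way to catch the “scanner is missing non-standard ports” problem before a penetration tester does is to compare the scanner’s port profile against the ports your asset inventory says are actually listening. The script below is an added example, not code from the original post or from Cadre; the scan profile string, the inventory entries, and the nmap-style port-spec syntax it parses are all constructed assumptions, and in practice the inventory would be pulled from a CMDB, cloud API, or flow data.

```python
from __future__ import annotations

# Constructed scan profile: the port spec the scanner is configured to probe
# (nmap-style: comma-separated single ports and low-high ranges).
SCAN_PROFILE_PORTS = "1-1024,3306,3389,8080"

# Constructed asset inventory of listening services: (host, port, service).
INVENTORY = [
    ("web-01", 443, "https"),
    ("web-01", 8443, "https-admin"),       # admin UI on a non-standard port
    ("db-01", 3306, "mysql"),
    ("app-02", 9200, "elasticsearch"),     # never in a default "top ports" list
    ("jump-01", 2222, "ssh-nonstandard"),  # sshd moved off port 22
]


def parse_port_spec(spec: str) -> set[int]:
    """Expand a port spec such as '1-1024,8080' into the set of ports it covers.

    Rejects anything outside 1-65535 so a typo in the profile fails loudly
    instead of silently shrinking coverage.
    """
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def coverage_gaps(spec: str, inventory):
    """Return every inventoried service whose port the scan profile never probes."""
    scanned = parse_port_spec(spec)
    return [(host, port, svc) for host, port, svc in inventory if port not in scanned]


if __name__ == "__main__":
    for host, port, svc in coverage_gaps(SCAN_PROFILE_PORTS, INVENTORY):
        print(f"NOT SCANNED: {host}:{port} ({svc})")
```

Run it on a schedule alongside the weekly scan; any line it prints is a service your vulnerability reports have never seen, which is exactly the tuning gap the tip above describes.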
One common example we find is configuration drift for SIEMs or any other type of log or event management. Generally, these products are well-configured out of the box. But over time, if no one feeds or cares for the solution, it becomes out of step with the organization’s requirements. Because of this, drift has three consequences: 1) security vulnerabilities, 2) inefficient resource utilization, and 3) reduced resilience and reliability. While SIEMs are a strong example of configuration drift, any and all security investments can suffer from its effects.
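Configuration drift in a SIEM is easiest to manage when it is measured rather than noticed. The script below is an added example (not Cadre’s code or any vendor’s API) that compares a documented baseline of log sources and detection rules against the SIEM’s current health state and sorts each finding into the three consequences named above: blind spots that are security vulnerabilities, ingest that is inefficient resource utilization, and silent sources that are a reliability problem. The baseline, the current-state dictionary, the timestamps, and the “5× expected events per second” threshold are all constructed assumptions; a real deployment would populate the current state from the SIEM’s own health or status export.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed baseline: what the SIEM was set up to ingest and alert on when it
# was deployed. This is the "requirements" side that drift is measured against.
BASELINE = {
    "sources": {
        "fw-edge": {"max_silence_min": 15, "expected_eps": 200},
        "dc-01":   {"max_silence_min": 30, "expected_eps": 50},
        "vpn-gw":  {"max_silence_min": 60, "expected_eps": 20},
    },
    "rules": ["brute-force-auth", "new-admin-account", "dns-tunnel"],
}

# Constructed current state, as a SIEM health export might report it.
NOW = datetime(2023, 3, 1, 12, 0, tzinfo=timezone.utc)
CURRENT = {
    "sources": {
        "fw-edge": {"last_event": NOW - timedelta(minutes=5), "eps": 210},
        "dc-01":   {"last_event": NOW - timedelta(hours=3), "eps": 0},     # forwarder died
        "vpn-gw":  {"last_event": NOW - timedelta(minutes=10), "eps": 400},  # debug logging left on
        "dev-box": {"last_event": NOW - timedelta(minutes=1), "eps": 900},   # nobody asked for this
    },
    "rules": {"brute-force-auth": True, "new-admin-account": False},
}

# Assumption: a source sending more than 5x its expected rate is paying for
# ingest nobody needs (licence cost, storage, slower searches).
EPS_OVERRUN_FACTOR = 5


def find_drift(baseline, current, now):
    """Return (category, item, detail) tuples for every way current differs from baseline."""
    findings = []

    for name, spec in baseline["sources"].items():
        state = current["sources"].get(name)
        if state is None:
            findings.append(("reliability", name, "source missing from SIEM"))
            continue
        silence = now - state["last_event"]
        if silence > timedelta(minutes=spec["max_silence_min"]):
            minutes = int(silence.total_seconds() // 60)
            findings.append(("reliability", name, f"no events for {minutes} min"))
        elif state["eps"] > EPS_OVERRUN_FACTOR * spec["expected_eps"]:
            findings.append(("inefficiency", name,
                             f"{state['eps']} EPS vs expected {spec['expected_eps']}"))

    for name in current["sources"]:
        if name not in baseline["sources"]:
            findings.append(("inefficiency", name, "source not in baseline"))

    for rule in baseline["rules"]:
        if not current["rules"].get(rule, False):
            findings.append(("vulnerability", rule, "rule disabled or missing"))

    return findings


if __name__ == "__main__":
    for category, item, detail in find_drift(BASELINE, CURRENT, NOW):
        print(f"[{category}] {item}: {detail}")
```

The point of keeping the baseline as a checked-in file is that it doubles as the documentation the next administrator (or a fractional one) needs: anything the script flags is either a fix to make or a baseline to update deliberately, and either way the SIEM stops drifting quietly.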
Focus on Resiliency & Staffing
Managing a cybersecurity program can mean keeping tabs on more than a hundred tasks that need to happen on a regular schedule, be it annually, bi-annually, quarterly, monthly, weekly, or daily. At a management level, it’s a serious headache. But we can use that magical cybersecurity feature, the “single pane of glass,” to bring it all together in a master cybersecurity program task list, or even an application (e.g., a GRC platform, a ServiceNow implementation, Asana, or Wrike), that will alert you when something needs to be done.
Not only does this improve efficiency, but it codifies institutional knowledge into a single system. And during an economic downturn when employment feels uncertain, you can ensure that even if your team changes, all tasks are accounted for. Or, if you are short on staff, you know exactly what needs to be done without spending limited time on planning out priorities.
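Even without a GRC platform, the master task list described above can start as a file plus a few lines of code that compute what is overdue and what is coming due, so a short-staffed team opens the week knowing its priorities. The script below is an added example, not code from the original post or from Cadre; the task list, the owners, the completion dates, and the cadence-to-days mapping (including treating “bi-annually” as every 182 days) are constructed assumptions.

```python
from __future__ import annotations

from datetime import date, timedelta

# Assumed cadence lengths in days. "bi-annually" is read as twice a year.
CADENCE_DAYS = {
    "daily": 1,
    "weekly": 7,
    "monthly": 30,
    "quarterly": 91,
    "bi-annually": 182,
    "annually": 365,
}

# Constructed master task list: (task, cadence, owner, last completed).
# In practice this lives in a checked-in YAML/CSV file or the GRC tool.
TASKS = [
    ("Review firewall rule base", "quarterly", "netsec", date(2022, 11, 15)),
    ("Restore test from backups", "monthly", "ops", date(2023, 1, 20)),
    ("Rotate service-account credentials", "quarterly", "iam", date(2023, 1, 2)),
    ("Risk assessment refresh", "annually", "ciso", date(2022, 3, 1)),
    ("Review SIEM log-source health", "weekly", "soc", date(2023, 2, 27)),
    ("Phishing simulation", "bi-annually", "awareness", date(2022, 10, 1)),
]


def next_due(cadence: str, last_done: date) -> date:
    """Date the task is next due, given its cadence and last completion."""
    return last_done + timedelta(days=CADENCE_DAYS[cadence])


def task_status(tasks, today: date, horizon_days: int = 7):
    """Split tasks into (overdue, due_soon) lists of (task, owner, days).

    overdue  -> days past due, most overdue first
    due_soon -> days until due within the horizon, soonest first
    """
    overdue, due_soon = [], []
    for name, cadence, owner, last in tasks:
        due = next_due(cadence, last)
        if due < today:
            overdue.append((name, owner, (today - due).days))
        elif (due - today).days <= horizon_days:
            due_soon.append((name, owner, (due - today).days))
    overdue.sort(key=lambda t: -t[2])
    due_soon.sort(key=lambda t: t[2])
    return overdue, due_soon


if __name__ == "__main__":
    late, soon = task_status(TASKS, date.today())
    for name, owner, days in late:
        print(f"OVERDUE {days:>3}d  {owner:<10} {name}")
    for name, owner, days in soon:
        print(f"DUE IN  {days:>3}d  {owner:<10} {name}")
```

Because every task carries an owner and a last-completed date, the same file answers the handoff question: when someone leaves, their open items are whatever this prints for their owner tag, with no reconstruction from memory required.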
It’s well known that the average tenure of a CISO at a company is brief – about 18 months to be exact. When a CISO, or any member of the cybersecurity staff, moves on, you need to be sure you’re able to hand off their work seamlessly. Because of turnover and the high costs of finding that *perfect* FTE, an increasing number of organizations have embraced fractional models. This allows them to fulfill either strategic or tactical needs at a set price without a major commitment. But getting these people up and running quickly – and making the most of their paid time – requires a master plan that they can improve on and/or execute.
Don’t Forget Security Awareness
When things are tight, upper management looks for any extra weight that they can cut loose. Make sure one of those things isn’t Security Awareness Training. IT and Security teams can’t protect the whole company – it requires the efforts of every employee in the company.
Security Awareness Training is not a one-day event every few years. It is part of an ongoing strategy, because anyone who has access to an organization’s network and digital assets remains a target. Taking a year off from investing in your Security Awareness Program could have serious downstream consequences.
Keep Your Chin Up
Managing through an economic downturn is hard on everyone. But the only way out of the storm is through it. And on your way through it, there’s no harm in taking some no-cost help, including our security rating and custom report. For more information, visit https://www.cadre.net/free-security-rating.