By Deb Radcliff, Contributing Writer

How CISOs can do more with less in turbulent economic times

Feature
Mar 08, 2023 | 8 min read
Topics: Budgeting, Business, Business IT Alignment

If you think cybersecurity is recession-proof, think again. The time is now to trim waste and streamline risk management.


CISO Nicole Darden Ford has become accustomed to doing more with less since the COVID-19 pandemic suddenly upended her company’s workforce. “I got off a plane from India and saw all these people with masks at the airport in Washington, DC, and I wondered what was going on. I went straight to the office where my CEO and CIO explained our new reality: We were going into quarantine and we had less than a week to come up with a way for people to work remotely.”

This was at her previous company, a startup spinning out of a larger company and preparing for IPO while transitioning to the cloud. With “limited time and minimal resources,” she managed to pull it off. Now, as global vice president and CISO at the $7.8-billion industrial automation company Rockwell Automation, she’s prepared for the economic uncertainty being felt by businesses around the globe, some of which are Rockwell Automation clients.

Despite the appearance that cybersecurity is recession-proof, CISOs should be ready to do more with less as circumstances dictate, Darden Ford says. To do this, she advises CISOs to regularly assess and trim security waste, maximize resources, and mitigate risk across critical business resources — all while supporting digital transformation (which can also lead to more cost savings). “Where there is digital transformation, there is security transformation — the two go hand in hand,” she says.

CISOs must anticipate reductions

Recessionary indicators are mixed. The World Economic Forum (WEF) reported that 62% of economists consider a global recession in 2023 somewhat likely (45%) or extremely likely (18%), while the International Monetary Fund predicts, based on growth indicators, that one-third of the global economy will go into recession, though it also suggests that any recession will likely be short-lived. Despite a wave of mass layoffs in late 2022 and early 2023, the US job market is holding strong, according to the Bureau of Labor Statistics, and the same trend has been seen in countries including the UK, Canada, and Germany. But even good job news makes stock markets jittery about further rate hikes, and it is unlikely to reverse hiring freezes already in place.

Predicting a recession is especially difficult now that the global economic impacts of the pandemic, the war in Ukraine, and other turbulent world events have turned traditional predictors on their heads. But there are ways CISOs can anticipate and prepare for downturns that affect their spending. Forums and peer discussions, for example, can provide the best insight into what to prepare for, suggests Malcolm Harkins, an industry advisor who worked at Intel for more than 20 years, where he focused on financial IT before becoming director of information security and continuity.

“In the past six to seven months, I’ve had a lot of conversations with many peers, and they say that they have faced budget and staffing reductions, and that new purchases have been pushed out. Essentially, they are being told to do more with less. Until now, CISOs haven’t had to deal with that,” Harkins says.

Improve security investment efficiency and effectiveness

Recession or no recession, Harkins says CISOs should always approach information security and risk management as an economic efficiency. “I started as a finance person, so I always try to do more with less because I need to feel confident that I am getting return on this security investment,” he says. “So, I assess regularly. If I cannot prove efficiency or effectiveness gains, I kill off the spending or don’t spend it again in the new budget.”

Harkins advises CISOs to revisit their design goals the same way the business sets goals for revenue, net income, margin, and market share. For example, he contends that if security organizations focused on mitigating their most impactful vulnerabilities, they would save at least 30% of time and effort in patching against potential events of no material impact to their enterprises.

As an example, Harkins shares how, while at Intel, he had a design goal of ensuring “No materially significant impact to business continuity whether it be fire, flood, or cyber.” Then, in 2010, when a McAfee update caused a worldwide meltdown of Windows XP, Intel was still able to intake, process, and ship orders, and designers were still able to get their work done. Some non-critical endpoints couldn’t access the network for a few hours, which he says wasn’t a big loss.

Reduce duplication in security tools

Unfortunately, most security groups still struggle with basic system inventory and assessment, and asset identification has only become more critical as CISOs are asked to do more with less. Knowing which assets matter most shows where to focus effort and helps identify waste in security tools and services. “Defense-in-depth has really become expense-in-depth,” Harkins adds with a chuckle.

Reducing duplication of security tools is one area that can easily lead to innovation, Darden Ford says. For example, running lean in the cloud allows her team to provide more security for less upfront investment, which supports the larger organization’s digital transformation to the cloud. She feels that older platforms that didn’t start out as cloud-native but were retrofitted to the cloud have proven less effective than native-built tools for the cloud. She also warns against signing long-term vendor contracts that can lock you into a bad deal.

In one such case, Al Ghous inherited a costly multiyear contract with a large security platform provider when he was hired as CISO at SnapDocs, an innovative cloud-based mortgage closing platform. “After I evaluated the effectiveness of the security platform under contract, I realized that the team could only get 10% capability out of it. So, we started looking for alternatives and we are now running pilots ahead of our contract expiration date, paying special attention to coverage and cost-savings.”

SnapDocs is a cloud-native company, and his team is also finding cloud-native security tools more effective for their business model. He notes that the platform they want to replace did not start out as cloud-native but is retrofitted for the cloud like many of the established big platform plays are today. In fact, because so many security tools don’t effectively meet today’s complex business needs, Ghous is actively involved in identifying and funding security innovation through the CISO investment alliance, CyberFuture, formed by Elron Ventures and backed by CISOs from major companies including Airbnb, Caribbean Cruises, and HiBob.

CISOs should align with the goals of the CFO

“One of the key things we talk about in the alliance is making security dollars go farther, and what is the value-add,” Ghous says. “Even outside of the current macroeconomic situation, it is prudent for CISOs to align their organizational objectives with that of their businesses. Then the investment discussion becomes easier because, if you are supporting your company objectives through your security programs, things will adjust accordingly.”

He also suggests forming an alignment with the CFO by demonstrating security improvements and efficiencies while effectively supporting risk and compliance demands. He adds that in tightly regulated industries such as healthcare, finance, and government, compliance can be used as leverage to justify spending, so long as spending is prioritized around business objectives. Like Harkins, Ghous also says that regular assessments (at least annually) should be conducted against the effectiveness of tools and services with an eye toward continuous cost savings and waste reduction.

Do more with what you already have

Yaniv Toledano, VP global CISO at Pagaya Technologies, an AI-enabled credit analysis firm, cautions against unnecessary spending on new tools when existing tools can be consolidated, automated, and orchestrated to do more with less. In times like these, he adds, it’s important to focus on meeting current needs by maturing the controls already in place, so long as they can meet objectives.

“I started here two years ago during COVID-19, when Pagaya was in hypergrowth and partnering with some of the largest banks in the US who require strict adherence to the strongest cybersecurity and resiliency frameworks and demand we have the most mature security processes possible,” says Toledano. “In times of recession and budget constraints, the answer is to consolidate and orchestrate the tools we have in the most efficient way before spending more money on new solutions.”

Expect some consolidation of people, too, he adds, which is happening mostly through attrition. Toledano says that to retain his best people during lean times, he gives them some cool projects to keep them interested. One way is to involve them directly in cost-saving measures by assigning them to best-of-breed security research where they can pick a few security startups to study for future implementations with an eye on improving efficiency and effectiveness.

“Security professionals need to continuously evolve to stay excited about their work. Beyond doing more with what you have, you are also bringing innovation to life in a creative manner,” he says. “Even in a bad economy, we cannot cut off innovation.”