As signs of a global recession continue to linger, many businesses are still tightening their spending across the board. Though cybersecurity remains a critical concern for virtually every type of organization, even security leaders may need to watch their spending—while somehow still keeping pace with the latest threats and risk exposures.
Some leaders may instinctively just want to keep their heads down and tread water through the storm; but the challenges of the times offer a unique chance to transform your security organization. And building a world-class security program starts with you. Best of class CISOs will use this opportunity to prove their worth as a leader and deliver a better overall security program—one that’s both risk-based and responsive to changing business conditions.
The obvious challenge is that in a recession, most companies will become more conservative with funds. Even critical security upgrades may be subject to scrutiny. So be prepared to talk with your executive team about how security is doing its part. Frame the discussions around all the ways security is measurably driving business enablement—from helping to earn revenue, to establishing trust with customers, to facilitating implementation of new digital tools.
In support of demonstrating value toward justifying security budgeting going forward, focus your program objectives on three main areas of impact: resilience, cost management, and business agility.
Building Trust and Resilience
While historical data shows that economic downturns bring more cyberattacks, your discussions with other C-suite leaders about security budgeting should focus on demonstrating value rather than warning about potential risks. Avoid using “FUD” (fear, uncertainty, and doubt) about things like the cost of a successful ransomware attack or the fines from a compliance violation. These kinds of arguments make weak cases for budget requests.
Instead, CISOs should focus on building trust with other executives by showing how their program supports business enablement. You need to make detailed use cases for how security impacts the bottom line or how it directly contributes to customer retention (such as signing a client with strict regulatory requirements). Using positive messages reinforces the often overlooked fact that security creates its own unique and measurable value—it isn’t just another cost center being carried by the sales team.
Managing Costs and Complexity
Like any technology infrastructure, security can get bloated. Most existing architectures today have been built product-by-product, and over time, they have become exceedingly complex. Complexity is the enemy of security