The CISO’s Guide To Navigating The 2023 Downturn

The gap between positive economic indicators and negative economic sentiment is widening as 2023 begins, and CISOs must make tough choices for, and possibly cuts to, their security programs. Whether the economic downturn is a temporary dip lasting one to two quarters or a prolonged period of austerity, CISOs need to demonstrate that they’re operating as a cautious financial steward of capital, a role they use to inform their choices regardless of the reality — or theatre — of a recession. It’s also a time for CISOs to strengthen influence, generate goodwill, and dispel the perception of security as cost center by relieving downturn-induced burdens placed on customers, partners, peers, and affected teams. Here are specific actions to take, irrespective of the nature of the 2023 downturn:

• Bring your board three perspectives they can’t refuse. Don’t allow your board to believe that cybersecurity exists solely as a cost center. Explain how cybersecurity spending drives revenue and that cuts to the security program directly affect relationships and requirements with three key constituencies: customers, insurers, and regulators. Customers won’t trust — or do business with — companies that don’t protect their data. Instead, they will turn to competitors. Cyber insurance carriers will refuse coverage or raise premiums, and regulators will remove your ability to sell into specific markets if your cybersecurity posture falls below a certain threshold. Defend your security budget by quantifying the investments in those security controls — and how much revenue is generated from the systems those controls protect. Cybersecurity can become a profit center when customers, insurers, and regulators require it.
• Show how you secure what you sell. Your customers’ security teams are navigating the same downturn pressures. They still need to collect audit and security information from their vendors — including you — and they may have fewer employees to complete the work. To increase customer loyalty and retention, what can your security team do to improve customer experience and help your customers’ security teams operate more efficiently? Prioritize security projects that drive the top line and increase customer stickiness, such as bot management solutions that improve customer experience. Automate processes like security questionnaire responses and software bill of materials generation to give customers what they need before they ask for it. Emphasize investments you’ve made that reduce product infrastructure costs and enable you to pass savings on to customers. And inform them of the steps you’ve taken to thwart costly application attacks, including such initiatives as monitoring for denial of wallet attacks in serverless functions, minimizing bot fraud, and keeping an eye on bug bounty program costs.
• Simultaneously support and influence your peers. The current macroeconomic situation means your peers across varying functions are panicking as some try to assert their positions, and budgets, seeing a bad economy as a zero-sum game, making them less willing to collaborate. Now is not the time to focus only on your own aspirations. Instead, focus on key corporate objectives and ensure your security initiatives demonstrate traceable alignment. If you didn’t start this practice in your first 100 days, take the time now to schedule regular meetings with peers across functions to stay current on their challenges, security needs, and points of friction. From there, develop joint initiatives that further corporate objectives and provide services, resources, or assistance in the form of partial funding or staffing and friction remediation efforts. This ethical politicking will not only help make funding or resource allocation discussions more amicable in the immediate term but will extend goodwill toward security into the future, when you may need allies and evangelists to push through policy or process changes.
• Volunteer to stop backfills. Given the perennial shortage of security talent, it’s unlikely you will be asked to make deep cuts to your staff. But you can get ahead of any requests that may come your way — and potentially save jobs from cuts in other functions. Volunteer to stop backfilling departures in the near term. No security leader wants to ask an already overwhelmed team to do more with less, but not backfilling certain roles reduces costs voluntarily to minimize the need for involuntary cuts in the future. This requires excellent communication and management skills when explaining to your team why these roles will stay vacant. That should include succession planning, associated upskilling, and job shadowing efforts for those that stick around. Provide an expected duration for the hiring freeze. Explain that no one expects them to perform their old responsibilities, and the new ones they absorb, at the same level as before. Work with regional nonprofits like Year Up to bring on cost-effective cybersecurity apprentices to relieve the additional pressure and create a pipeline of experienced talent ready to go when the freeze lifts.
• Don’t consolidate your partner ecosystem. After two years of extending third-party ecosystems to bolster resilience, you might be tempted to consolidate existing technology, services, and other partner relationships. Do it mindfully. Although cutbacks in this area may appear to be a practical cost-saving strategy, overcorrection in key areas such as cybersecurity, risk, and compliance could increase concentration risk, expose firms to disruption, and severely affect your operations like at the onset of the pandemic. Economists estimate that modern recessions last for 10 months. It’s critical that security and risk pros consider in their decision-making the time it takes to fully onboard a strategic supplier — typically six months or more — so they don’t miss out on opportunities when the economic pendulum swings in the opposite direction.