Uncertainties in the broader economy can significantly elevate exposure to both internal and external threats — and this is true for companies of all sizes and across virtually all sectors. With talk of a possible global recession this year, security professionals need to start anticipating the potential impacts on securing their organizations.
Many companies are already dealing with some combination of rising inflation, supply chain issues and/or murky revenue projections. While tightening annual budgets, some organizations might be tempted to skip necessary investments to keep the business safe from outside attacks. Security often becomes a target for operational spending cuts because it happens behind the scenes. We're seeing early signs of this already with some companies freezing their new technology budgets for the first part of 2023. And cybercriminals are well aware of the rich opportunities this may present.
On top of more threats with greater sophistication, security leaders now face the additional challenge of doing more with less in their security program. Now is the time that true leaders step up and find ways to manage more with less. It is time to earn the “C” in CISO. To manage risks within the bounds of budgetary scrutiny, CISOs should focus on three critical areas: their people, processes, and technologies.
These risks start close to home — inside the organization. Threat actors look to take special advantage in times of stress and change via targeted social engineering attacks. Phishing campaigns often target opportunities when employees are out of their ordinary routines. For example, there might be an email with a subject line about a coming layoff — which people may quickly open without thinking.
In uncertain times, it’s also common for employees across an organization to start “packing” — just in case. They may take company files they’ve worked on and move them into private cloud libraries for later access. Maybe it's a copy of a sophisticated parsing routine that they wrote. It might be financial records or copies of sales contracts to reference the names of customers they worked with and how much they paid for services. One recent report shows a 300% rise in employee data theft during their last 30 days of employment.
But the intent behind exfiltrated data doesn’t have to be malicious to cause serious problems for an organization. Sensitive files stored in an unprotected cloud app could lead to unintentional disclosure of those materials. Risk managers need broad visibility of not only data and users, but also the account iterations of common applications and services.
More merger and acquisition (M&A) activity over the next year should also be anticipated. When companies experience sustained financial stress, we often start seeing consolidation in the market. That, again, leads to a widening attack surface that security leaders will have to manage with the same or fewer resources.
CISOs need to discuss the impact of a potential economic downturn with company leadership as soon as possible to find out what they’re anticipating for the year. If layoffs become a possibility at any point, security leaders need to be part of that plan well in advance to ensure seamless processes for both electronic and physical security. Can they quickly lock down systems and suspend all access in the event of a 15% reduction in workforce?
Backups are another consideration. Let’s say the company terminates someone due to a layoff. Afterward, their manager requests access to all the critical information that the employee controlled — including email and files. Security leaders need a seamless process in place that anticipates this common situation, and they must also make sure they comply with the applicable privacy laws when accessing former employees’ emails. The plan needs to cover not only data center assets but also all the software-as-a-service (SaaS) applications employees are using.
Security leaders may also face not having a fully staffed security team for their program — as a result of reductions-in-force, being unable to backfill open skilled positions, or being spread too thin as a result of M&A expansion. Doing more with less might also mean looking at strategic investments in automation of repetitive security tasks as well as broader infrastructure consolidation. A secure access service edge (SASE) solution is one such approach for consolidating infrastructure. A SASE framework can help simplify both networks and security stacks — reducing operational costs and the number of people needed to manage systems.
Technologies that automate repetitive security tasks can free up skilled human staff for higher-value responsibilities (like threat hunting). At the same time, automation can also help improve the overall effectiveness of your security program because you're less exposed to human errors. According to Verizon, 82% of all breaches last year involved the human element in one way or another.
Strategic planning starts today
Cybercriminals know how to take advantage of tighter security budgets and hiring freezes. CISOs should anticipate the very real possibility of having to cover more risk exposures with fewer resources than they had last year. Strategic attention to their people, processes, and technologies can help security teams plan to use what they have more efficiently and more effectively in the coming months.