Risk vs cost: cyber in the face of economic uncertainty
By Paul Vlissidis, Technical Director and Senior Adviser, NCC Group
The temptation of cost reduction in a recession against increased risk
As the Covid recession starts to bite, many organisations will be looking at ways to reduce their costs. Cyber security, beyond pure compliance activities, can often be seen by CFOs as purely a cost, making it a prime candidate for review and, ultimately, reduction or removal. But recent research by Portsmouth University (1) in the UK has shown that as GDP falls, criminal activity, including fraud, rises.
As recession hits, individuals may struggle financially and the temptation to exploit known weaknesses in internal organisational procedures and systems may increase, exposing organisations to a heightened risk of internal malicious activity. Similarly, organised crime groups will find recruitment easier during a global recession, so the external threat also increases as techniques like ransomware become more lucrative. (2)
Below, I’ve identified the key areas you should be paying attention to as you plan your security investment:
Budgets will be smaller – ensure they are smarter
So what about that security budget? It’s unlikely to remain unscathed given the financial pressures, but where could it be best spent? It’s a nettle that CISOs and CFOs are going to have to grasp. If you are still tackling essential security hygiene issues, these should take priority over everything else. Focus on estate management, patching, and privilege and credential management: these offer some of the greatest returns on investment.
Digital transformation – Removing technical debt and reducing running costs
If you still carry significant technical debt, you may be under pressure to service that debt for longer than you planned. But if current events have shown anything, it is that cloud computing increases resilience across the board, so any cuts to digital transformation are likely to end up costing more in the medium term. The security benefits of moving to cloud are well-documented.
If your workforce has transitioned fully to cloud for their day-to-day activities, then much of your traditional on-premises equipment could be decommissioned.
Ensuring you can detect, contain and respond to security events
If you have a detection and response project in flight or in place, protect it: this capability is a critical compensating control in an environment of technical debt, increased threat and a far greater number of staff working from home. Organisations running in-house security operations centres (SOCs) may be advised to give way to external service provision, taking advantage of the scale and investment that pure-play service providers can offer. Similarly, in-house tools for basic security assessment such as vulnerability scanning are expensive to buy and to skill up for, so look to managed vulnerability scanning and testing as a more cost-effective way to achieve improved scrutiny.
Be able to articulate the risk but provide options for cost curtailment
At the end of the day it’s the CFO and the board that need to be shown the value, so security leadership needs to be able to:
- Articulate risk
- Quantify and qualify likelihood and impact in real-world terms
- Provide least-worst options for cost curtailment
- Identify options for short-term increases in cost which substantially reduce spend in the medium term
For many CISOs the coming recession will require them to revisit business cases they thought had been won.