
Risk vs cost: cyber in the face of economic uncertainty

By Paul Vlissidis, Technical Director and Senior Adviser, NCC Group

The temptation of cost reduction in a recession against increased risk

As the Covid recession starts to bite, many organisations will be looking at ways to reduce their costs. Cyber security, beyond pure compliance activities, can often be seen by CFOs as purely a cost, making it a prime candidate for review and ultimate reduction or removal. But recent research by Portsmouth University (1) in the UK has shown that as GDP falls, criminal activity, including fraud, rises.

As recession hits, individuals may struggle financially, and the temptation to exploit known weaknesses in internal organisational procedures and systems may increase, exposing organisations to a heightened risk of internal malicious activity. Similarly, organised crime groups will find recruitment easier during a global recession, so the external threat also increases as techniques like ransomware become more lucrative. (2)

Below, I’ve identified the key areas you should be paying attention to as you plan your security investment:

Budgets will be smaller – ensure they are smarter

So what about that security budget? It’s unlikely to remain unscathed given the financial pressures, but where could it be best spent? It’s a nettle that CISOs and CFOs are going to have to grasp. If you are still tackling essential security hygiene issues, then this should take priority over everything else. Focus on estate management, patching, privilege and credential management to ensure one of the greatest returns on investment.

Digital transformation – Removing technical debt and reducing running costs

If you still carry significant technical debt, then you may be under pressure to service that debt longer than you planned. But if current events have shown anything, it is that cloud computing increases resilience across the board, so any cuts to digital transformation are likely to end up costing more in the medium term. The security benefits of moving to cloud are well-documented.

If your workforce has transitioned fully to cloud for their day-to-day activities, then much of your traditional on-premise equipment could be decommissioned.

Ensuring you can detect, contain and respond to security events

If you have a detection & response project in flight or in place, then protect it, as this capability is a critical compensating control in a technical-debt-ridden and increased threat environment with a far greater number of staff working from home. In-house security operation centres (SOCs) may be advised to give way to external service provision to take advantage of the scale and investment that pure-play service providers can offer. Similarly, in-house tools for basic security assessment such as vulnerability scanning are expensive to buy and to skill up for, so look to managed vulnerability scanning and testing as a more cost-effective way to achieve improved scrutiny.

Be able to articulate the risk but provide options to cost curtailment

At the end of the day, it’s the CFO and the board that need to be shown the value, so security leadership needs to be able to:

  • Articulate risk
  • Quantify and qualify likelihood and impact in the real world
  • Provide least-worst options for cost curtailment
  • Identify options for short-term increases in cost which substantially reduce spend in the medium term

For many CISOs the coming recession will require them to revisit business cases they thought had been won.

1. https://www.eurekalert.org/pub_releases/2020-04/uo...

2. https://securityboulevard.com/2020/05/covid-19-unc...
