October 28, 2020

Last Updated on January 4, 2024

The pandemic has both aggravated longstanding information security shortfalls and created new difficulties. If you’re in the business of solving cybersecurity problems, most likely you’re already experiencing major operational changes driven by shifts in the global business landscape. These shifts—especially global economic constriction—are altering how organizations view, evaluate and address cyber risk.
Financial constraints are nothing new for security teams. But now our collective situation is significantly worse, and in many respects the economic fallout from COVID-19 is just beginning. 
According to industry thought leader Reg Harnish, cyber practitioners need to be thinking hard about how their solution, service or effort factors into the total cost of ownership equation. A recent guest on The Virtual CISO Podcast, Reg is founder and CEO of the cyber advisory firm Slingshot Cyberventures, CEO of the SMB-focused MSSP OrbitalFire and founder and former CEO of GreyCastle Security.

“So how do you solve problems with less money?” Reg asks.

“I’m encouraging folks to start to think about how to change your messaging, change your product or change your approach such that it actually either costs less or it respects what we’re going to see in terms of financial fluctuation over the next 12 to 36 months.”
“I think one way to do that, and one way we’re doing it, is we’re trying to figure out how to do more with less,” replies podcast host John Verry, Pivot Point CISO and Managing Partner. “We’re trying to look through concepts of automation, and also asking how do I bring somebody on and get them up to speed faster? How do I have a world-class onboarding program or a world-class training program? How do I automate processes so that for the same investment I’m getting more done?”

Now might not be the time to address security challenges with more and better technology, especially if it brings flat or diminishing returns.

“Think about your risk tolerance and what’s acceptable to your organization,” Reg advises. “Say, ‘Hey, listen, we’re just going to do less in cyber security now. And that’s so the business can continue to support its mission and vision, which is survival right now.’”

“We’re not doing cybersecurity to secure things,” stresses Reg. “We’re doing it to support the vision and mission of the business. And if the business can’t operate, then what have we done?”
But “doing less” with security shouldn’t just be making across-the-board cuts. It requires a risk-based approach. That probably means your risk tolerance will need to go up in certain areas.
“Where can we afford additional risk by cutting what we’re doing?” John points out. This could mean shifting priorities and investments; e.g., “rolling the dice” for a limited time by de-emphasizing preventive controls and relying on a strong response capability.
If you’re looking for new ideas and original thinking to help you problem-solve outside the box, this podcast episode with Reg Harnish offers that and a lot more. Click here to hear the show from the beginningand to check out our other podcast content.
If you’re not an Apple Podcasts user, you can find all our episodes from The Virtual CISO Podcast here. 

SOC 2 vs ISO 27001 (Or Both)

What every Software-as-a-service (SaaS) firm needs to know in order to acquire/maintain independent validation of their security posture.
View our guide today.