Last Updated on January 17, 2023
In recent months, more security conversations have been pervaded with concerns about an economic downturn. How might a tight economy impact your security and compliance program? What’s most important to keep in mind? And what are some key moves to make (or avoid)?
To share his top 10 ideas to keep security and compliance moving forward in a slow economy, and address questions he’s often hearing from clients and peers, John Verry, Pivot Point Security CISO and Managing Partner and host of The Virtual CISO Podcast, recorded a special briefing episode for SMB decision-makers.
3 fundamental goals
John groups his 10 “slump security” suggestions under 3 fundamental security goals:
- You want to remain strategic.
- You want to remain efficient.
- You need to be “HR flexible.”
Start with a cybersecurity strategy
If you don’t have a longer-term (e.g., three-year) vision for information security that aligns with your business strategy, how can you evaluate investments and other decisions?
You need to be sure that every security step you take is aligned with your long-term business strategy. Especially in a down economy, you can’t afford to make wrong turns that cost time and money. Having a coherent, business-centric security strategy sets you up for success.
Along with a security strategy, you should align your security program with one or more “trusted frameworks”—such as ISO 27001, NIST 800-171, OWASP or Common Vulnerability Scoring System (CVSS) guidance, etc. By leveraging proven principles, a trusted framework immediately elevates the knowledge of your security team. Why reinvent security? Frameworks also serve as a handy checklist to ensure you don’t miss anything major.
Another aspect of strategy is making security investments. It’s tempting to scale back or cut corners, but the cost of a data breach overwhelms any potential savings. Meanwhile, provable security and compliance is a competitive differentiator that can help you win more business when you need it most.
“If you do not have an information security strategy, I would suggest that you develop one.”—John Verry
Focus on efficiency
Efficiency is key when you’re looking to stretch every dollar. But many orgs aren’t getting all the value they could from their current security investments, because useful features aren’t enabled. Make sure you’re using all the capabilities you’re paying for.
Another efficiency issue is using security tools ineffectively, sometimes to the point of creating vulnerabilities. This can be a training problem, or it can be a focus issue. For example, your SIM might have been working great initially, but if you haven’t put energy into keeping it up to date with your environment, you’re probably missing things.
Another way to boost efficiency can be to consolidate your vendor list. Look to do more with “partners” and less with “vendors.” Consolidating vendors saves time, potentially reduces your attack surface, and may get you better pricing.
Leveraging today’s AI and machine learning (ML) security capabilities to reduce your operational burden through automation could be another option for improving security efficiency. A tool that reduces the burden of processing security questionnaires is but one example.
“Sit down with your team and figure out where they’re spending time that might be better addressed by technology.”—John Verry
Be flexible with staffing
If revenue has dwindled, you might be short-staffed. In this case, fractional support can be the most cost-effective way to get more done with less. A vCISO can be great if you need regular advisory and governance support. If that’s overkill, a virtual security team could be a better choice for getting lower-level, tactical jobs done as needed without the overhead of a full-time employee.
Finally, in a tough economy you can’t afford to lose good people. To retain and attract great talent in a time of talent scarcity, your work environment/culture needs to shine. Yes, compensation is important. But money can’t buy happiness in the workplace or anywhere else. Security is a stressful job and hard times are stressful times. Do everything you can to make your business a terrific place to work, where people feel supported and valued.
“Consider fractional support, like a virtual Chief Information Security Officer (vCISO) or fractional CISO.”—John Verry
To listen to this special podcast episode with John Verry, click here.
How can you measure the value of information security? Learn more about the value in cybersecurity in this blog: How to Measure the Value of Information Security