Managing cyber security through an economic downturn is no easy task. With increasing concern about how to stay secure and compliant in a down economy, John Verry tackles this episode himself, giving you his ten best fundamental practices.
This episode features your host John Verry, CISO & Managing Partner at Pivot Point Security, who provides answers and explanations to a variety of questions about how to stay compliant, secure, and on budget in a down economy.
Join us as we discuss:
- How to be Strategic in a Down Economy
- How to leverage automation
- How to get more from your vendors
- Which security investments to maintain and eliminate
To hear this episode, and many more like it, subscribe to the Virtual CISO Podcast on YouTube.
To stay up to date with the newest podcast releases, follow us on LinkedIn.
Listening on a desktop and can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.
See below for the full transcription of this episode.
Intro Speaker (00:05):
You're listening to the Virtual CISO Podcast, providing the best insight on information security and security IT advice to business leaders everywhere.
John Verry (00:19):
Hey there, and welcome to another episode of the Virtual CISO Podcast. With you as always is John Verry, host, and with me today, no one but me. Today is November 11th, 2022, and over the course of the last couple of months I've had an increasing number of conversations with clients where they're expressing concern with regards to budget and the economy, and I've been having a lot more conversations about how we remain secure and compliant in a down economy. I shared some ideas with folks and thought it would be a good idea to share them on the podcast. So, roughly, I've got five, excuse me, 10 ideas here, and they break down into three fundamental things: we still want to remain strategic, we still want to be efficient, and we want to be HR flexible. So let's talk about being strategic.
If you do not have an information security strategy, I would suggest that you develop one. A three-year vision or a three-year strategy is very valuable because it provides you a framework to vet every decision and every investment against, and what this does is it allows you to ensure that every step you take is fully aligned with your long-term information security and business strategy. In a down economy, you can't really afford to make a wrong turn that costs you time and money. So ensuring that we've got a security strategy to guide everything we're doing is going to set us up for success.
Part of an information security strategy, and the second idea, is to make sure that we align your information security program with what I'm going to call open trusted frameworks. So think about things like ISO 27001, OWASP, CVSs guidance, NIST guidance, ENISA guidance, Center <inaudible> Security. These are all fantastic forms of open, trusted guidance on how to optimize your information security program, and optimizing your information security program optimizes your organizational resilience. The value of trusted frameworks: they immediately raise the security knowledge of your security team by leveraging proven principles. We don't end up in a situation where we're reinventing security; there are formulas that have been figured out that work well. It also ensures that your team doesn't miss something, doesn't miss a key element. Effectively, it's the Checklist Manifesto.
These frameworks provide a good checklist to ensure that nothing is missed. I mean, there is a reason that brain surgeons and pilots use checklists. One of the other advantages of open, trusted frameworks is that they will help you ensure that your security products seamlessly integrate; that simplifies operations and it reduces costs. And again, in a down economy, we can't afford to make investments and then find out that our investments don't play nice together. Trusted frameworks also maximize the pool of available resources. We're going to talk about the HR challenges. We know that there are shortages of good people, and when you work with trusted frameworks, you increase the pool of resources that are going to be available to help you maintain your cybersecurity program. Again, staying away from proprietary standards provides resilience.
We don't want to be reliant on a single proprietary product or vendor. It'll position your company as an industry leader. And the other advantage of trusted frameworks is that by aligning with a trusted framework, you're going to be in a position where you're going to have a highly valued attestation. Something like ISO 27001, the gold standard for information security: if you hand someone an ISO 27001 certificate, they're going to be excited to get that, and it's going to have the intended effect. So that's the idea of these open trusted frameworks as part of your strategy. Also as part of our strategy, we need to continue to make what I'm going to refer to as necessary security investments. It is tempting in a down economy to cut corners wherever we can. What we want to do is, if we're going to make investments, we want to make them judiciously, of course.
I look at this as what I'm going to call a value preservation or risk mitigation play. If you think about the average cost of a breach in an SMB being about $110,000, in a time of economic downturn, having some type of unfortunate situation of that nature and the associated loss of customers would put us in an even worse position. So my suggestion would be, continue to make the investments that need to be made in security, make them judiciously of course, but let's make sure we do that. And then perhaps a zig-where-the-market-is-zagging strategy: I see some of the better run organizations making additional investments into security in a judicious manner in economic downturns. Why?
Because if you think about it, continuing to make the investments that we're making is continuing to mitigate risk, right? I think of that as being value preservation, and making additional investments is the idea of adding a value creation component. Good security, provable security and compliance, is a business enabler. It's something which facilitates selling. And in a down economy, not many other companies are going to be investing, so it is a chance to competitively differentiate, to move your organization forward while other organizations are either standing still or sliding backwards. Another justification for this is that in a down market, you need to win a higher percentage of the business that is there. There will be business there. It might be 10% less, it might be 20% or 30% less. What you need to do is win a higher percentage to maintain your organization in good health. And then one last thing, as an added advantage: when you go through economic downturns, and I was through the 2008 to 2010 or 2008 to 2011, whatever it was, downturn, what you see is that during a downturn, weaker competitors get weaker and they disappear from the market. And if we've actually made the right investments, when we come out of the back end of this downturn, assuming that there is one, you're going to be a lot better positioned from a competitive standpoint.
Moving towards the idea of being efficient. One of the things which we see consistently is people don't fully capitalize on the security investments they've already made. So what I would suggest is make sure you use what you pay for but are not currently using. A great example of that is Microsoft 365. I think Microsoft 365 is a remarkable bargain, and they provide a remarkable amount of capability. Think about things like the Security and Compliance Center, the Sentinel SIEM that comes in there, Defender EDR; they've got multifactor authentication built in; they've got DLP capabilities, MDM capabilities; there's Defender for Cloud. It would be a rare occurrence that we would work with a client that has the vast majority of that technology deployed optimally. In fact, very often they've got other components deployed, other SIEMs, other endpoint protection software, and they're not really taking advantage of what they're paying for.
So that would be something I would definitely aspire to in a down market. And then also use what you're already paying for that's not yet fully, I'm going to say, configured or being used correctly. What we see in the marketplace is that most organizations are able to make CapEx investments into security products, but often don't fully recognize the OpEx that is necessary, that being time and perhaps training for folks to actually use these tools well. I always tell a story of a client of ours that was using one of the better scanners, I believe it was Qualys. We came in to do a penetration test of a very, very sensitive environment. It was a governmental entity. They actually ran vulnerability assessments in this environment on a weekly basis, which is unusual, and patched everything that they found.
And we started the pen test, and the CISO was very confident that they were going to fly through the pen test. It was an attestation requirement that they had to have the pen test. We conducted the pen test, and we're 15 minutes into the pen test, and we've just destroyed the environment, right? We own everything. The environment was remarkably insecure. And they were like, how is this possible? We run one of the world's best scanners on a weekly basis. We went and looked at the implementation of the scanner, and somebody had clicked on a button that said enable fast scans, because who wouldn't want to enable fast scans? But what enabling fast scans did was disable scanning of the vast majority of the open ports. And they had intentionally hidden a lot of their services on what we call ephemeral or higher ports, non-standard ports.
So they were only scanning the standard ports, so they weren't aware that all of these services that were running on the upper ports were actually highly vulnerable and had been in that state for a long period of time. They were using the product incorrectly; the folks hadn't been properly trained. We see the same thing with SIEMs. If you've implemented any form of log management, any type of security information and event management, these products are great when they're turned on out of the box and they're properly configured. But over time, as drift occurs in your environment, if somebody is not consistently caring for and feeding that SIEM, it's no longer going to be working well. So again, you've already made good capital investments. Make sure that you're making the ongoing investments into those tools to take advantage of them.
Another strategy that we've seen, and we've done successfully on the business side, is consolidate your vendor list. In an economic downturn, your vendors are struggling as well. At the time of this recording, I saw an article that roughly three dozen major cybersecurity vendors have all cut their workforces by 10 to 20% ahead of this downturn. So what I would suggest is you find those that are your partners, not just vendors, and grow your work with them. That has a couple of advantages. One, managing fewer vendors saves time. It saves time on vendor due diligence. It saves time for your folks in interacting with multiple different parties and coordinating work across multiple entities. And it saves time on that vendor management component we talked about. The other advantage is you're likely to get better pricing on larger blocks of work or larger licensing deals.
Part of being efficient is what I'm going to call leveraging technology intelligently. We've seen a rapid growth in tools, and some of the cooler, newer tools are leveraging machine learning and artificial intelligence, and they can be valuable in reducing your operational burden. So what I would suggest is you sit down with your team and figure out where they're spending time that might be better addressed by technology. As an example, if you've got a team that's doing threat hunting or managing a SIEM/SOC operation for you, can you leverage some of the newer attack surface or digital risk platforms to reduce your risk profile, and reduce or even eliminate some of the threat hunting activities that are going on, or dark web monitoring that you're doing? You might be able to leverage that same tool to reduce your third-party supply chain risk by using it to monitor the attack surface of all your key vendors.
That in an economic downturn might be even more valuable, because if we think about the fact that they might be cutting their budgets and doing a little bit less, us doing a little bit more to make sure that if their security posture were to go down, we'd know about it, would be helpful. Because, as we all know, a significant percentage of breaches occur through third parties. You might be able to use a tool like Luo or a veic to reduce the burden of security questionnaires. We have some clients that are processing one to two security questionnaires per week, and these things can take hours of a person's time to actually do, very often four hours. We are finding that some of these tools, if they're used well, can reduce that burden by 60% or greater.
So what that does is it frees up those resources to maybe do something else, or maybe reduces your overall burden for resourcing. You might be able to use a tool like our policy automator tool to dynamically generate information security policies aligned with your exact requirements. That could be beneficial, especially this year and next year as we move from 27001:2013 to 27001:2022; there's going to be a lot of policy rewriting and tuning that might be necessary. So again, leveraging technology intelligently to reduce that burden can help. You might be able to use a tool like BigID or Securiti or some of the newer privacy tools. Privacy's getting hot. You may be in a position where you're having to deal with privacy in an economic downturn with fewer people. Some of these tools are really cool in terms of automating data discovery, automating generation of RoPAs, your records of processing activities, and can even provide support in managing and servicing data subject access requests. So the idea here is, can we replace human effort with machine effort, using some type of an expert system, providing economic benefit to us?
Closely related is, seek to, what I'm going to refer to as, operationalize and automate. When we manage a cybersecurity program, there are literally, for most organizations, a hundred-plus tasks that need to happen, some combination of annually, bi-annually, quarterly, monthly, weekly and daily. Annually we're reviewing policies; bi-annually we might be doing risk assessments; quarterly we've got ISMS committee meetings; monthly we've got entitlement reviews for critical systems, we're doing vulnerability assessments, whatever these activities might be. Increasingly we're seeing clients automate these so that they happen, I use the term, automagically, so it's not something that we need to think about. There's a higher degree of effort on the front side to build this master, we often call it a compliance calendar, master cybersecurity program task list.
But then once we put that into some type of application, it will happen automatically. It'll alert us when we need to do something. It'll alert us when people are not doing things; many of them can do things like escalation. So this allows you to be much more efficient and, I'm going to say, do more with less. The other advantage is it also codifies institutional knowledge into an expert system, which allows you to do the same task with lower priced resources, which can also be beneficial during an economic downturn. That's the fundamental principle of McDonald's, right? Create highly defined processes, and that allows you to reduce the cost of the personnel required to run them. It also provides an insane level of resilience. One of the things you're going to have to be concerned about during the economic downturn is either letting people go or people moving somewhere else, and you don't want that institutional knowledge to walk out the door. If that institutional knowledge is codified into an expert system, into a GRC platform, into a help desk ticketing system or some automation mechanism, you know that you're not having your institutional knowledge walk out the door.
This is especially important in more complex environments, where you've got compliance with lots of standards or you're doing multiple audits per year, or if you've got a heavy vendor due diligence burden. In those instances, I would suggest that you look at some of the GRC platforms that are out there, what we commonly refer to as governance, risk and compliance platforms. There are a number, too numerous to mention. We've got a platform that we call Oscar, which is quite good. You can think of other platforms like Tugboat Logic, which is a very nice platform; Hyperproof is a very nice platform. There are literally dozens of these. However, in a simple environment, you may not need to make any additional investment or add any more tools. For years, before we were using our own Oscar platform, we ran our ISO 27001 information security management system on a combination of SharePoint with workflows, Microsoft Teams,
and we used Wrike, a project management tool. I've got clients that are running their cybersecurity programs using Asana. I've seen multiple clients do it with help desk software, something like a ServiceNow implementation. So there's lots of different ways that we can do this, but you will be very happy, if you're sitting in a management position, to know that your program's operationalized and that you've got a single pane of glass to be able to look at. So that way, in a downturn when people are busy, or in a downturn when you're short people, you know exactly where you stand. Pursuant to that, and kind of a follow-on to that, is you might need to consider fractional support. We're seeing this as an increasingly viable business model for many organizations. So consider using a virtual chief information security officer, a fractional CISO,
you hear different terms, if you only need expensive skill sets in the advisory and governance domains occasionally. In that instance, it's sort of like the equivalent of paying an architect's salary when you need an HVAC contractor, or you need a painter, or you need somebody to run wiring in your building. And this can work quite well. As an example, we had an organization that we were the virtual CISO for for about two years. We helped them correct some challenges within their environment. They were a relatively small client in the investment advisory space, and they exited with a billion dollar valuation, and one of the things that they were complimented on was their information security posture.
And they were able to do that at an extremely competitive rate over a multi-year period. You can also use fractional support to offload lower level tasks from your more expensive advisory, governance, more strategic personnel. So if you've already got those people, but they're stuck doing things like vendor due diligence questionnaires, where they're sending out the reviews and dealing with that, or they're answering security questionnaires, or they're spending an inordinate amount of their time doing compliance management, validating that the processes that need to occur are occurring, making sure that the artifacts the processes are producing are the ones that need to be produced, you can often offload that to what they often call virtual security teaming. So that's another good strategy for either getting the support that you need but don't currently have, or unburdening the more strategic advisory folks in your organization to fulfill those roles and outsourcing those lower level roles.
And then the last thing, around the same HR issue, is trying to both attract and retain great talent. Security is about properly architected controls executing effectively on a consistent and repeatable basis. In order for that to happen, you need the right products, and we talked a lot about that, but you really, most importantly, need the right people. Right now that is a hard formula, a hard needle to thread, so to speak. There is definitively a shortage of good information security talent. It's hard to find these people. It's hard to afford these people. Maybe the economic downturn will help a little bit in terms of salary, but we've seen salary escalation, and the people are expensive. And then it's hard to retain these people. The average time that folks stay in a spot is 18, 19 months.
So how do we retain great talent? What the industry says, in talking to lots of good people in the industry, and what all of the data says, is it's really not just all about the comp. Money is definitely an important part of it, and you're going to have to make the investments from a dollars perspective, but there are a lot of other things that are important. I talked to Deidre Diamond on this podcast about inclusive cultures. That is definitively a way to keep people happy. I think we've got a very inclusive culture and a very healthy culture, and we do very well in terms of retaining people, at a much longer retention period than the industry average. We're not perfect, we have turnover as well, but I do think culture is an important part of that. I think an awareness of the overall stress levels in information security, and being aware of that
and accounting for that, is also critical. I just read there was a global study of 1,100 cybersecurity professionals by Mimecast that just came out and found that one third are currently considering leaving their role in the next year or two years due to stress. Many of them were talking about leaving information security as a discipline. So think about how viable and vibrant and how much job security you have in information security, and the stress levels are so high that people are talking about getting out of the field. And I don't think that's going to get better if we do have an economic downturn, anything worse than we're having right now, because economic downturns increase people's stress level independent of just work, right? When the economy's down, the consumer confidence index is down, people are not feeling as good. They feel that stress more. And now that work level stress coupled with that is going to make things even worse. So I think that's something that you need to be aware of. Hopefully these 10 ideas were valuable, and we got some good stuff in in a relatively short period of time. If there's anything that I can do to help you, or if you need any additional information or any additional advice on remaining provably secure and compliant, please let us know.