January 18, 2023

Last Updated on January 15, 2024

A big part of being efficient as an organization is leveraging technology intelligently. The choice of security tools is ever greater, and many now have AI and machine learning (ML) components. Have you explored technology options for reducing the operational burden of your information security program—and potentially boosting its effectiveness as well?


To share his “top 10 tips” for SMB leaders on moving security forward in an economic downturn, John Verry, Pivot Point Security CISO and Managing Partner, recently recorded a special episode of The Virtual CISO Podcast.

Schedule a brainstorm
John suggests brainstorming with your team to identify tasks they’re performing that technology could potentially tackle. Say you have people doing threat hunting or managing a security operations center (SOC). Could one of the new attack surface/digital risk management platforms improve your risk profile or reduce the need for certain threat hunting or dark web monitoring activities?

A new tool might also provide new security capabilities, such as monitoring your key vendors’ attack surfaces in addition to your own. We all know a significant percentage of breaches come through third parties.

Other potential time-savers

A noteworthy emerging area for AI-driven security automation are tools to reduce the operational burden of security questionnaires. Who doesn’t want to spend less time on those?

“We have some clients that are processing one or two security questionnaires per week,” says John. “These things can take hours of a person’s time; very often four hours. We’re finding that some of these tools, if used well, can reduce that resource burden by 60% or more.”


If you need to keep a system security plan (SSP) or other policies updated, such as for ISO 27001 or NIST 800-171 compliance, tools like Pivot Point Security’s own Policy Automator can dynamically generate information security policies aligned to your exact requirements.


“That could be beneficial this year and next year as we move from ISO 27001:2013 to ISO 27001:2022,” John reflects. “There’s going to be a lot of policy rewriting and tuning.”


You might also find ways to automate some of the new privacy tasks you may be facing.

“Privacy’s getting hot,” mentions John. “You may be in a position where you’re having to deal with privacy in an economic downturn with fewer people. Some of these tools are really cool in terms of automating data discovery, auto-generating your record of processing activities (ROPA), or even providing support for managing and servicing data subject access requests (DSARs).”


Automating task management

John also suggests leveraging technology to help track and manage cybersecurity program tasks.

In some combination of annual, bi-annual, quarterly, monthly, weekly, and daily cadences you’re reviewing policies, doing risk assessments, holding security committee meetings, performing entitlement reviews for critical systems, etc., etc.


“When we manage a cybersecurity program, there are literally for most organizations 100-plus tasks that need to happen,” validates John. “Increasingly we’re seeing clients automate these, so they happen ‘automagically.’ So it’s not something you need to think about.”

It takes initial effort to build your master “compliance calendar” or “master cybersecurity program task list.” But after that you’ll get alerts or escalations automatically when something needs to happen, or isn’t happening.

Codifying expertise with automation

Another way automation can benefit orgs in a downturn is by codifying knowledge and best practices in an “expert system.” Defining processes more concretely and thoroughly can often allow you to get work done with less experienced resources.


An expert system also increases your resilience when a key person with a lot of organizational knowledge leaves.

“You don’t want that institutional knowledge to walk out the door,” cautions John. “If that knowledge is codified in an expert system, or into your GRC platform, or into your help desk ticketing system or some other automation mechanism, you know that you’re not [losing it.]

Are you ready for a GRC platform?

If your org needs to comply with multiple standards, you’re facing multiple audits per year, and/or you’ve got a heavy vendor due diligence burden, John suggests weighing the value of a governance, risk, and compliance (GRC) platform, of which there are many.

“However, in a simple environment, you may not need to make any additional investment or add any more tools,” clarifies John. “I’ve got clients that are running their cybersecurity programs using Asana. I’ve seen multiple clients do it with help desk software, like ServiceNow.”

John continues: “There are lots of different ways to do this. But you will be very happy if you’re sitting in a management position to know that your program’s operationalized and you’ve got a single pane of glass to look at. That way, in a downturn when people are busy or you’re short people, you know exactly where you stand.”

What’s next?

To hear this special podcast episode on “10 security tips for a downturn” all the way through, click here.


Want more ideas on how to do more with less in information security? Here’s a topical episode of The Virtual CISO Podcast: EP#18 – Jose Ciriaco – IT & Security: How to Do More with Less

SOC 2 vs ISO 27001 (Or Both)

What every Software-as-a-service (SaaS) firm needs to know in order to acquire/maintain independent validation of their security posture.
View our guide today.