June 20, 2023
The financial outlook for the rest of 2023 and 2024 is far from cheery, and economic uncertainty is affecting everyone and everything, including the cybersecurity sector.
Cutting or freezing the security budget is the course many organizations are tempted to take in this financially precarious situation. Conservative spending is a natural response to the present downturn and to a possible recession, which would mean fewer clients, lower profits, and higher costs.
Should organizations like yours reduce or freeze cybersecurity spending? What can a chief information security officer (CISO) do to meet stakeholders’ expectations while keeping sight of your security team’s interests and protecting the organization?
There are good reasons to believe that security budget cuts, especially if they include layoffs, are not the most prudent way to fend off economic headwinds.
As George Gerchow, Sumo Logic’s Chief Security Officer, noted during a recent HackerOne event, “Whenever there are times of high anxiety, such as an economic downturn coming off of a pandemic, bad actors are at their best.” The FBI’s annual Internet Crime Reports confirm this.
The reports from 2008 and 2009 — remember, this is the period of “the worst economic disaster since the Stock Market Crash of 1929” — show drastic increases in the complaints received compared to the years before and after the global financial crisis.
The number of complaints in 2007 was 206,884. In 2008, it grew to 275,284 — a staggering 33.1% increase compared to the previous year. In 2009, the FBI’s Internet Crime Complaint Center recorded 336,655 complaints — 22.3% more than in 2008.
For comparison, and to show how fertile a prolonged economic downturn can be for cyber attacks, the number of complaints in 2010 (right after the end of the crisis) did not merely stop rising; it fell to 303,809. Complaint counts also reflect reporting behaviour and awareness of the IC3, so they are an indicator of attack volume rather than a direct measure of it, but the pattern across these years is consistent.
The economic disruption during the height of the COVID pandemic tells a similar story, with a record-breaking increase of 69% in internet crime complaints in 2020.
From this perspective, reduced or flat security budget, spending, and headcount can only worsen things, leaving your organization open to more vulnerabilities, threats, and attacks.
According to the Cost of a Data Breach Report 2022:
$4.35 million is the global average cost of a data breach; the highest national average is $9.44 million, in the United States
83% of the studied organizations have experienced multiple data breaches
60% of the breaches resulted in increased prices for customers
$4.54 million is the average cost of a ransomware attack (without including the amount organizations have paid as a ransom)
277 days is the average time it takes to identify and contain a breach
Add to those numbers the reported cases of small and midsize businesses going bankrupt after a cyberattack, hard-to-measure variables such as reputational damage, and the potential for an attack's effects to spill over from one organization or sector to another, and it is hard to see how a reduced or flat security budget can help you build or maintain a strong security posture.
A cybersecurity budget cut or freeze is hardly the solution for organizations amid the current economic disruption. If anything, it can be part of the problem.
Unfortunately, a recent HackerOne study reported that more than a few companies have already made, or plan to make, security budget cuts and layoffs. So, if push comes to shove, what should you do to keep your organization as secure as possible and minimize the fallout from reduced security spending? Forrester has some constructive suggestions.
In its CISOs, Time To Pay Down Your Security Debt report, Forrester notes that after a decade of security spending and budget growth, CISOs have entered an economically less favorable period, which it calls a corrective period. As the term suggests, this is when CISOs can correct the (probably inadvertent) mistakes of the past, make a creative turn, and adjust their cybersecurity infrastructure for the future.
To pull off this extraordinary feat, CISOs must:
Reevaluate their security strategy created for different times — before the advent and popularization of artificial intelligence (AI).
Eschew “good enough” security solutions and focus on technologies steadily shaping the future, such as cloud computing, APIs, and security orchestration and automation.
Address staffing challenges, for example by helping security professionals build skills in state-of-the-art technologies (e.g., AIOps and serverless security).
This is sound expert advice, but it is somewhat general. What precise moves can you make to apply these guidelines in practice to avoid a checkmate and stay in the game? Following the Forrester recommendations — some closely, others loosely — we can say that security leaders should do the following:
Automate repetitive tasks and streamline burdensome, complex ones
Reconsider costly point solutions (e.g., expensive log management platforms with inflexible pricing)
Measure progress using concrete values such as security KPIs
Invest in proficiency in future-proof cybersecurity skills
Tool consolidation simply means reducing the number of tools in your IT and security stack. There are multiple reasons why you would want fewer solutions in that stack, the principal three being the following:
Tool consolidation increases simplicity, potentially turning even the most complex tool stacks into comfortably operable systems.
Tool consolidation lets you eliminate redundancy, that is, overlapping and unnecessary security capabilities.
Tool consolidation can significantly lower costs, enabling you to optimize your security stack despite any budget cuts.
Automation is widely regarded as one of the best ways to address cybersecurity's challenges. And with the obstacles the current economic insecurity creates for CISOs on top of their everyday challenges, its benefits become even more apparent.
Security automation brings numerous benefits:
It allows you to investigate threats and respond to incidents much faster with fewer resources.
It lets you do away with duplicative, burdensome, and generally inefficient manual procedures that cost time, energy, and money.
It enables you to alleviate the consequences of cybersecurity staff and skill shortages.
The main advantage of an integrated platform, a unified cybersecurity system in which multiple security solutions such as security analytics, SIEM, and SOAR converge into one, is that it usually offers diverse functionality at a fraction of the cost of separate point solutions.
If, on top of this, the platform offers flexible pricing, e.g., a tiered pricing model, CISOs can save noticeably without trade-offs that heighten the risk to their organizations' security.
The current global economic conditions are hardly conducive to cybersecurity growth and prosperity. Nonetheless, CISOs can make the best out of the situation by grabbing the opportunity to pay down their security debt accumulated over the years, as Forrester vividly describes this phenomenon.
Read the full Forrester report and learn how Sumo Logic can help you consolidate tools and automate security operations while embracing a flexible pricing system.