GUEST ESSAY: Could CISOs be on the verge of disproving the ‘security-as-a-cost-center’ fallacy?

By Jess Burn

This year has kicked off with a string of high-profile layoffs — particularly in high tech — prompting organizations across all sectors to both consider costs and plan for yet another uncertain 12 or more months.


So how will this affect chief information security officers (CISOs) and security programs? Given the perennial skills and staffing shortage in security, it’s unlikely that CISOs will be asked to make deep budget or staffing cuts, yet they may not come out of this period unscathed.

Whether the long anticipated economic downturn of 2023 is a temporary dip lasting a couple quarters or a prolonged period of austerity, CISOs need to demonstrate that they’re operating as cautious financial stewards of capital, a role they use to inform their choices regardless of the reality — or theater — of a recession.

This is also a time for CISOs to strengthen influence, generate goodwill, and dispel the perception of security as a cost center by relieving downturn-induced burdens placed on customers, partners, peers, and affected teams.

For CISOs to achieve these goals, here are five recommended actions:

•Tie security to the cost of doing business. CISOs should not allow their board or executive team to continue believing that cybersecurity exists solely as a cost center. They should detail how cybersecurity spending drives revenue and how cuts to the security program directly affect relationships and requirements with three key constituencies: customers, insurers, and regulators.

They should defend their security budget by quantifying investments in required security controls and how much revenue is generated from the systems those controls protect. Ultimately, cybersecurity can become a profit center when customers, insurers, and regulators require it.

•Demonstrate secure practices to customers. Your customers’ security teams are navigating the same downturn pressures. They still need to collect audit and security information from vendors, and they may have fewer employees to complete the work. CISOs should prioritize security initiatives that drive the top line and increase customer stickiness, such as bot management solutions that improve customer experience, and then inform customers of the steps taken to thwart costly application attacks.

These include initiatives such as monitoring for denial-of-wallet attacks against serverless functions, minimizing bot fraud, and keeping an eye on bug bounty program costs. Lastly, CISOs should automate processes such as security questionnaire responses and software bill of materials (SBOM) generation to give customers what they need before they ask for it.

•Support (as you influence) peers in other functions. Now is the time for CISOs to focus on key corporate objectives and ensure that their security initiatives demonstrate traceable alignment. If you didn’t start this practice in your early days as a security leader, take the time now to schedule regular meetings with peers across functions to stay current on their challenges, security needs, and points of friction.

From there, develop joint initiatives that further corporate objectives and provide services, resources, or assistance in the form of partial funding or staffing and friction-remediation efforts. This ethical politicking will make funding or resource allocation discussions more amicable. It will also extend goodwill toward the security organization in the future, when CISOs may need allies and evangelists to push through policy or process changes.

•Stop backfilling open positions (for now). No security leader wants to ask an already overwhelmed team to do more with less. Not backfilling certain roles, however, reduces costs voluntarily and minimizes the need for future involuntary cuts. For CISOs, this requires excellent communication and management skills when explaining to their teams why these roles will stay vacant.


This should include succession planning, associated upskilling, and job shadowing efforts for those who stick around. Provide an expected duration for the hiring freeze and work with regional nonprofits to bring on cost-effective cybersecurity apprentices — relieving some of the pressure while creating a pipeline of experienced talent at the ready when the freeze lifts.

•Resist the temptation to consolidate your partner ecosystem. Although cutbacks in this area may appear to be a practical cost-saving strategy, overcorrection in key areas such as cybersecurity, risk, and compliance could increase concentration risk, expose the firm to disruption, and severely affect operations. Given economists’ estimates that modern recessions last about 10 months, CISOs should factor into their decision-making the time it takes to fully onboard a strategic supplier (typically six months or more) so that they don’t miss out on opportunities when the economic pendulum swings in the opposite direction.

The outlined actions must be executed deftly at a time when instilling and maintaining trust with customers, employees, and partners is a business imperative. They also become crucial when factoring in how current geopolitical events and technology innovations continue to fuel a highly sophisticated and evolving threat landscape.

About the essayist: Jess Burn is a Forrester senior analyst who covers CISO leadership & security staffing/talent management, IR & crisis management, and email security.

March 13th, 2023