Whether we’re actually in a recession right now may be immaterial; companies are surely behaving as if we are. People are being laid off. Budgets have been slashed. Decision makers are intently scrutinizing cost centers within the enterprise.
That certainly means an introspective spotlight is being shined on cybersecurity spending. We may have arrived at a point where double-digit percentage increases for cybersecurity are at an end, because chief financial officers and boards of directors may not be in the mindset of signing big checks for big security technologies for the immediate future.
While we’ve been able to throw money and technology at security programs for the better part of two decades now, it may instead be time to adopt a strategic approach for sustainable security. In fact, this recession—or economic downturn—may kick the door open to the cyber and operational resilience that chief information security officers and other technology leaders have dreamt about for years.
Digital transformation, which has been the overarching strategy in many enterprises within critical infrastructure sectors, long ago adopted resilience as a key tenet. Smart companies that are automating and digitizing previously non-digital processes are integrating cybersecurity at the start of development cycles and throughout detection and response activities. Agility is key to resilience, and having systems that can withstand attacks while those attacks are in progress is the outcome we all want.
In 2021, NIST revised its cybersecurity resilience framework to take a systems engineering approach toward fending off advanced adversaries in particular. The framework identifies four objectives: anticipate, withstand, recover, and adapt. Each maps to a capability the organization must maintain: anticipate means sustaining a state of informed preparedness for adversity; withstand means continuing essential business functions despite adversity; recover means restoring critical business functions during and after an incident; and adapt means modifying business functions in response to changes in the operational or threat environment. Agility runs through all four.
Security leaders must communicate this to business leaders and boards of directors. Resilience and agility may, in the end, be far less expensive than constantly throwing new technologies at problems. Boards will appreciate the possibility of higher rates of return on their investments, and it’s incumbent upon CISOs to make this case accordingly. Building higher, deeper walls requires significant expenditures, and that won’t work in resource-constrained environments. Instead, focus on strategies that sustain the business in the event of a penetration; not only is a higher ROI possible, but the utility is much greater as well.
Automating resilience is another approach worth considering, especially as many companies are freezing hiring or cutting staff. A strategy predicated on increasing staff by 5% year over year while increasing salaries in parallel is not sustainable. In fact, boards may soon be forcing your hand as a security leader by allocating fewer resources and budget dollars. CISOs must find a way to reach a good, sustainable state, and a byproduct of that success is resilience.
U.S. Navy Adm. (Ret.) Michael Rogers served as the 17th Director of the National Security Agency and the 2nd Commander of U.S. Cyber Command. Adm. Rogers presided over the activation of the Pentagon's Cyber Mission Forces and the elevation of U.S. Cyber Command to unified combatant command status. He is currently the chairman of Claroty’s Board of Advisors.