Twitter’s CISO resignation is the latest in a series of senior executives leaving the social media platform after Musk’s disruptive October takeover.
As people wonder who’s in charge of security at Twitter, the headlines fill with tech sector layoffs. Some of those are security professionals, which leaves organizations at risk.
The stakes are high. As IBM’s 2022 Cost of a Data Breach report notes, “for 83% of companies, it’s not if a data breach will happen, but when. Usually more than once.”
If you are a cybersecurity professional worried about your team getting affected by layoffs or budget cuts, your key challenge will be communicating the value of critical security functions to your board.
We’ll cover these topics below:
- Layoffs and Budget Cuts
- Current Climate
- Why IT and Cybersecurity Get Cut
- Boards Don’t Understand the Value
- Common Objections from Board Members
- Board Doesn’t Care About Technology
- Are SecOps a Critical Business Function
- Financial vs. Security Performance
- How to Demonstrate the Value of SecOps
- Rationalize the Tech
- Assess Business Risk
- Measure the Financial Impact of Potential Breaches
Budget Cuts & Layoffs in Cyber Security
SecOps professionals might wonder if cybersecurity is recession-proof, especially since so many companies are already understaffed, but even cybersecurity companies have laid off analysts in recent weeks.
Current Climate: Recession & Downsizing Trends
With recession talk dominating the news cycle, it’s normal for business leaders to look for ways to cut expenses. They’ll look to each department for opportunities to trim costs, whether through tools, people, or processes.
Yet, organizations are becoming increasingly digital, and as information systems grow more complex, they’re more at risk of online vulnerabilities.
Chief Information Security Officers (CISOs) and other IT professionals recognize that focusing on cybersecurity in a time of economic downturn is a way to protect your business.
If you practice risk-based security, you should have already identified and prioritized the most essential cybersecurity procedures for your organization.
Why Cybersecurity and IT Get Cut
Most of us in SecOps and IT believe that we are essential personnel, yet the board may not agree.
Our departments get cut because boards don’t understand that cybersecurity risk is a business issue, not a technical one. What’s the ROI on not being breached? A data breach can cost millions of dollars, and our work is focused on avoiding exactly that scenario.
Yet we continue to struggle with justifying our work:
- It’s hard to tie cybersecurity to ROI because the whole point of it is risk avoidance. Boards often don’t understand the potential risks involved.
- IT and security professionals often get the least amount of time with the board.
During times of organizational change like a recent M&A or other restructuring, our departments are on the chopping block.
When management consulting firms come in, they search for redundant roles they view as not critical to the business. In the end, they often decide that security and IT are not essential.
Yet, good cybersecurity is like an insurance policy. No board member would (hopefully) want to operate without insurance. It’s up to us cybersecurity professionals to help them see the connection and showcase why we’re an essential part of the business.
Boards Don’t Understand the Value of Cybersecurity
Unfortunately, cybersecurity can seem like a black box. Non-technical board members may not realize how quickly cybersecurity vulnerabilities are multiplying in today’s online world.
In 2022, the average cost of a data breach in the U.S. is estimated at $9.44 million. When the worst happens, will your organization have the expertise needed to find those threats and resolve them? Do budget cuts leave room for a comprehensive risk management plan that covers recovering assets, getting your systems back online, and managing your reputation after a breach?
Understaffed and under-funded security departments leave organizations open to risk.
Common Objections from Board Members
The key to more budget and job security for those of us in cybersecurity is to communicate the value of cybersecurity to the board in their own language. That requires understanding their perspective rather than our own.
Board Members Don’t Care About Technology
Board members don’t care about security or technology metrics. If there’s a problem, they ask, “Have we been breached?” If so, they want to know how quickly it can be fixed.
Your CISO can speak to larger financial priorities by conducting a risk-based assessment. What’s the likelihood of breaches if the organization:
- Stays the course
- Does nothing
- Increases support to IT
You can also present your cybersecurity performance goals and the cybersecurity framework you follow to establish other metrics that the board will understand.
Reality Check: Are SecOps a Critical Business Function?
No matter the economic climate, organizations should be wary of letting go of all of their security staff. However, sometimes we have to accept working with a smaller budget or team. Working with limited spend doesn’t mean compromising your entire cybersecurity program.
Instead, your cybersecurity team can prioritize potential vulnerabilities and focus your efforts based on other events within the organization. For example, M&A announcements often attract curiosity and spike cyberattacks, so it’s helpful if the board recognizes the associated risk.
Common Questions from Board Members
In our experience, common questions from the board include:
- “Why can’t somebody on the [other team] do that job?”
- “Why is the level of experience that you are requesting from someone so high?”
- “Why are there so many security tools?”
- “Why can’t this other tool do the job?”
And the most common question boards ask is: “What does that breach cost us if we don’t do this?” It’s hard to give an exact figure because every breach is different. However, you can point to past costs or statistics, such as the average cost of a data breach in the U.S., which is $9.44 million.
Financial vs. Security Performance
As a cybersecurity professional, you have metrics to measure the performance of your tools. You’ll measure the number of security alerts you get in a day or how long it takes to detect a threat. But board members have different metrics.
They want to know how those security alerts connect to the financials. IT professionals who can make a business case for cybersecurity will strengthen the organization’s safety and the security professionals’ position.
How to Explain the Value of SecOps to Your Board
When board members understand the financial ramifications of a potential data breach and recognize the risks, they’ll be more apt to value the security team.
Rationalize the Tech
It makes sense to assess every expense, and IT professionals can evaluate tools for essential features and capabilities. If you’re using the tool to its full potential, it makes sense to keep it. If not, can you squeeze more value from it?
Are there cheaper tools that do the same thing? Or can you consolidate tools? Can you show how much money you’re saving?
Once you’ve evaluated your critical tools, you’ll know if there’s something you can cut.
Assess Business Risk
After a thorough evaluation of tools, processes, and people, you’ll know the business essentials, and even if you can’t increase your budget right now, you can work with the IT team to reduce the risk of a data breach.
Use this time to go back to the most critical security functions. When working with clients, we usually recommend a focus on:
- Patch management
- Account management
- Configuration management
Measure Financial Impact of Potential Breaches
A data breach can cost millions of dollars, lead to bad press, and lose customer confidence.
If or when it happens, time is of the essence: every day a breach continues adds to its cost.
IBM’s most recent Cost of a Data Breach report states: “When detecting, responding to, and recovering from threats, faster is better. Organizations using AI and automation had a 74-day shorter breach lifecycle and saved an average of USD 3 million more than those without.”
Attackers can move at astonishing speeds. The 2022 SANS report surveyed over 300 ethical hackers to discover how they think, and found that 57% could launch an end-to-end attack in less than a day, and 41% could exfiltrate data in two hours or less.
Why Is Cybersecurity a Top Priority Now?
As we enter the new year, one fact remains clear: despite the ongoing recession and budgets getting slashed across the board, cybersecurity is more important than ever.
Companies are facing a growing risk of cyber-attacks as they scramble to keep their systems secure while cutting costs. This is why cybersecurity is a top priority now – your organization needs to take a proactive approach to protecting your systems and data from malicious actors.
Organizations are also coming to terms with the fact that traditional security techniques can no longer keep up with the pace of digital transformation and the growing sophistication of cyber-attacks. The traditional approach of leaving cybersecurity as an afterthought is no longer enough. Organizations need to prepare holistic risk assessments and address their cyber hygiene in collaboration with other executives and business stakeholders.
It’s more important than ever for your organization to invest in cybersecurity as part of your overall strategy. A comprehensive cybersecurity program should incorporate technology, processes, and people – all of which help you reduce risk, protect data and systems, and prevent costly security incidents – making cyber security a top priority now, in Q1 of 2023.
Final Thoughts: The Difficulty of Working in Risk Avoidance
Cybersecurity professionals can demonstrate their value. Don’t expect board members to understand what you do automatically.
Remember, cybersecurity is, at its core, risk avoidance. The nature of security operations makes it tough to tie financial metrics to avoiding a hypothetical breach.
You should showcase other available metrics and industry benchmarks like the known costs of data breaches from other organizations.
What You Should Do Next
- Conduct a tool assessment to evaluate your current tools and see where you can get more value or consider cheaper alternatives.
- Be prepared to showcase the potential costs of a data breach and what risk-based security measures you’re taking.
- Demonstrate why organizations need experienced IT professionals using business metrics.
If your budget has been cut and you need to maintain security operations with fewer in-house analysts, consider outsourcing your cybersecurity operations. Schedule a consultation call with Pareto Cyber to learn how we can help.