Security teams are increasingly challenged to do more with less in today’s macroeconomic environment. Successfully meeting business targets is particularly difficult when teams are faced with limited bandwidth, resources, and budgets. Simultaneously, security teams must ensure their organizations effectively meet the growing and changing threats to sensitive data.
We gathered a panel of security leaders to discuss both the challenges and opportunities the current market conditions pose to businesses and security leaders alike.
With revenue declines fueling recession fears, long-term ROI starts to matter less than short-term saving measures. According to Fazal Merchant, former Co-CEO of Tanium and CFO at DreamWorks, boards understand they have major risk exposure, but the complexity of what CISOs deal with and how fast the environment changes aren’t typically in the wheelhouse of most board members. “That’s why education is key,” says Merchant. “But if education is done at too high or too low a level, it won’t be effective.”
What are the KPIs (Key Performance Indicators)?
Why do the KPIs matter?
How do the KPIs compare?
How are the KPIs trending?
According to David Damato, Global Chief Information Security Officer at Aon, you need to establish your risk appetite and create a contract with your senior leadership about how much security is needed. What are the acceptable risks that you’re willing to tolerate at a high level? That answer drives the amount of investment required. “If you work for a cryptocurrency company, your tolerance for risk is very low. You can’t afford an incident. But if you work in retail, there may be a higher risk appetite,” says Damato. “So, it’s not only describing the value that you’re bringing, but also working out that contract with leadership to show them that you’re being fiscally responsible, understanding how much security you need for your specific business.”
Merchant believes that amid chaos there is always opportunity. “I’ve found that when you’re facing a challenging economic environment, capital becomes more binary and starts to favor the consolidators. In the build versus buy equation, it can be a really opportune time to lean into the buy side at really attractive valuations.”
Damato says there are two big opportunities at this moment. The first is talent. “There are a lot of layoffs in the tech industry right now, which means there’s a lot of great talent out there,” explains Damato. “So, it’s about focusing on how to acquire some of that great talent during this time frame.”
The second opportunity is consolidating your product portfolio. Are you paying the right amount for certain products? Are you investing in the right products and building those out? “Often, we’re looking at breadth instead of depth,” says Damato. “It’s about focusing teams on the things that really matter and what you have the resources for.”
Beyond the cost savings, how can companies benefit from consolidation? For Ryan Crum, Chief Information Security Officer at Apollo Global Management Inc., it’s simple. “The more tools I can consolidate, the more comprehensive the product can be, instead of these one-off solutions. Consolidation drives a lot of that simplicity in our environment.” He points out that people have been talking about endpoint consolidation for years. “We all have 15 agents that run our security tools—every time something goes bump in the night, it’s one of those. So, getting that down to seven, five, or even three, for an endpoint, is great.”
Crum acknowledges that with all these cloud tools connecting to other cloud tools, there is an explosion of data everywhere. You need a connector between them; otherwise you end up hiring analysts to maintain the tool sets, and they have to look at five different tools just to get a good view across vulnerability, configuration, and inventory. “You end up building your own stuff, because you don’t have that one pane of glass,” says Crum. “Buying a product that already has that consolidation is very helpful. The more things you have, the more things that can break, the more things that need to be patched, and the more things that need to be paid for and negotiated.”
It’s critical to have clarity and alignment with leadership about what you want to achieve, how you plan to achieve it, and what it’s going to cost to get there. “It comes down to communication and transparency. If you’ve educated the right way, everyone will understand the consequences of not following through,” says Merchant. “Companies don’t get to where they are by being dumb.”
Have a plan
Help leadership understand the consequences of not executing your plan
“I’ve seen CISOs react poorly to being denied a budget, and they were forced out because of the way they handled that rejection,” says Crum. “You have to remember the business still has to be successful. Everything can’t be about security. Sometimes you’re going to get a ‘no.’ You’re going to win some, and you’re going to lose some. You have to figure out how to prioritize and how to better communicate the value of what you’re asking for.”
Damato says it’s about having conversations with leadership early in the process and understanding your audience. In a lot of cases, the audience is a nontechnical leader, and you should be educating them so they understand exactly what the program is doing, how it is performing, and how you’re measuring it. This all has to be done up front, because if you’re rushing to demonstrate value, it’s probably too late. The last thing you want is to be talking after the fact about the value the team has been adding.
Companies have to balance running a profitable business and the risks of security. Sometimes it’s going to align with your opinion; sometimes it won’t. But you can’t take it too personally. “At the end of the day, everyone’s striving to run a proper business, to keep people employed and continue to serve customers,” says Damato.
Merchant keeps going back to education and communication. “Get comfortable being a little uncomfortable. Over communicate with the team. Keep everybody focused on the things that really matter. Stay within your sphere of influence—the things you can control and influence. The rest is not worth obsessing over.” In many ways, it’s about prioritizing and focusing on the fundamentals. “Whether that’s misconfigurations, vulnerabilities, restoring two-factor authentication, network segmentation—these are the things that are always the issues that get people into trouble,” says Damato. “There are a lot of things to buy; there are a lot of shiny new toys out there. But continuing to align with a standard framework and making sure that you have strong capabilities in those fundamental areas are still the biggest contributors to whether or not an organization has an issue.”
Watch the video with our expert panel to hear all their advice for enduring the current market environment.