How cybersecurity executives make the case for continued tech investments in a tough economy
- Cybersecurity executives are under increased pressure to improve efficiencies and are often expected to do more with less.
- At the same time, they're expected to keep pace with cyber threats and increasingly complex attack surfaces.
- This will require CISOs to rethink their approach to investments in tools and services.
Cybersecurity executives have enjoyed a nice run of receiving the financial resources they need to keep their organizations protected against attacks. But given the current economic uncertainty, many will likely need to rethink their approach to investments in tools and services.
"Cybersecurity is not immune to economic pressures and uncertainty," said Daniel Soo, risk and financial advisory principal in cyber and strategic risk at Deloitte. Cybersecurity executives are under increased pressure to improve efficiencies and are often expected to do more with less while at the same time keeping pace with cyber threats and increasingly complex attack surfaces, he said.
"CISOs should be ready to justify spend as a result," Soo said. "An effective mechanism for justifying cyber investment is to consider the negative impact of business disruption caused by a cyber incident to revenue, which also reduces trust built between organizations and their stakeholders."
Whether the economic downturn is a temporary dip lasting one to two quarters or a prolonged period of austerity, CISOs need to demonstrate that they are operating as a cautious financial steward of capital, said Merritt Maxim, vice president and research director at Forrester Research.
"It's also a time for CISOs to strengthen influence, generate goodwill, and dispel the perception of security as a cost center by relieving downturn-induced burdens placed on customers, partners, peers, and affected teams," Maxim said.
When prioritizing security investments, security leaders should continue to invest in security controls and solutions that protect the organization's customer-facing and revenue-generating workloads, Maxim said. They should continue to defend any investments that support the organization's modernization efforts with cloud and its evolution to zero trust security, he said.
Some of the cybersecurity functions that deserve increased or sustained funding in this economy include application programming interface security solutions, bot management solutions, cloud workload security, container security, multi-factor authentication, security analytics and zero trust network access, Maxim said.
In addition, CISOs should continue to look at experimenting with newer security technologies such as attack surface management, software supply chain security, and extended detection and response, Maxim said.
While investing in cybersecurity is important, it's also important to determine which security capabilities will produce the greatest return on investment in terms of risk reduction, Soo noted.
"CISOs ought to invest in their talent to elevate their ability to better leverage artificial intelligence and automation, both of which are levers for rearchitecting how work can be done while improving productivity," Soo said.
Cybersecurity programs can also benefit from what the industry refers to as a "shift-left" or "secure-by-design" approach, meaning that they lean on DevSecOps practices and integrate cybersecurity capabilities earlier within technology processes, Soo said. This in turn helps prevent breaches.
"CISOs should also consider driving security optimization efforts through tool and technology rationalization, and looking to alternative workforce, talent and operating models to achieve outcomes through more efficient means," Soo said.
A recent Forrester report on planning security and risk said while business leaders are far less likely to target security investments during economic downturns, "it would be unwise for [security and risk] leaders not to join their IT counterparts to assess their spending across the board to ensure maximum value."
On-premises technology spending remains significant despite the shift to the cloud, the Forrester report said. "When we combine the expenditures for maintenance and licensing, upgrades, and new investment, on-premises technology spending is by far the largest expenditure in the security budget," it said. "Since many applications and workloads have transitioned to the cloud, this suggests potential misallocation of security budgets. CISOs should closely scrutinize on-premises spending to determine if it aligns with the cloud and modernization strategy of the overall IT organization."
CISOs have struggled for years to recruit and retain security talent for a variety of reasons, the report said. "It's tempting to cut spending in these areas when the economic picture darkens, but it won't save much compared with other expenditures, and it will exacerbate the skills shortage and sacrifice the ability to instill trust just when borderless, anywhere work organizations need it most," Forrester said.
Investing in the right cybersecurity tools
When prioritizing their security investments, security leaders should continue to invest in tools that protect the organization's customer-facing and revenue-generating workloads, the report said.
Forrester sees growing and promising value in four categories of security tools. One is software supply chain security, including a software bill of materials (SBOM), a machine-readable list of all the components of a software program, including open source and commercial libraries.
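What an SBOM buys you in practice is the ability to answer "are we shipping an affected component?" without a manual inventory. The following is an added example, not code from the article or from Forrester: it reads a small CycloneDX-format SBOM, checks each component against an advisory list, and reports components with no declared license. Both the SBOM document and the advisory list are constructed for the demo (the log4j-core entry reflects the real CVE-2021-44228 fix version, 2.15.0; the `com.example` package and its advisory are fictitious); in a real pipeline the SBOM comes from your build tooling and advisories from a feed such as OSV or NVD.

```python
"""Consume a CycloneDX-style SBOM and check it against an advisory list.

Added example, not from the article or from Forrester. The SBOM document and
the advisory list below are constructed for the demo.
"""
import json
import re

# Constructed CycloneDX 1.4 JSON document (real format, made-up inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "group": "com.example", "name": "billing-sdk",
     "version": "3.2.0",
     "purl": "pkg:maven/com.example/billing-sdk@3.2.0"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ]
}
"""

# Constructed stand-in for an advisory feed: (group, name, fixed_version, id).
# log4j-core reflects CVE-2021-44228 (fixed in 2.15.0); billing-sdk is fictitious.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.15.0", "CVE-2021-44228"),
    ("com.example", "billing-sdk", "3.3.0", "EXAMPLE-ADVISORY-1"),
]


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) for tuple comparison.
    Simplification: pre-release suffixes (rc1, beta) are dropped, not ordered."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def load_components(sbom_json):
    """Parse the document and return its component list."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom.get("components", [])


def component_key(component):
    """Match advisories on (group, name); pure-Python packages have no group."""
    return (component.get("group", ""), component["name"])


def find_affected(components, advisories):
    """Return [(purl, advisory_id)] for components below an advisory's fixed version."""
    index = {}
    for group, name, fixed, adv_id in advisories:
        index.setdefault((group, name), []).append((parse_version(fixed), adv_id))
    hits = []
    for component in components:
        installed = parse_version(component.get("version", "0"))
        for fixed, adv_id in index.get(component_key(component), []):
            if installed < fixed:
                hits.append((component.get("purl", component["name"]), adv_id))
    return hits


def missing_licenses(components):
    """Components with no declared license: a gap the SBOM makes visible."""
    return [c.get("purl", c["name"]) for c in components if not c.get("licenses")]


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    for purl, adv in find_affected(comps, ADVISORIES):
        print(f"AFFECTED  {purl}: {adv}")
    for purl in missing_licenses(comps):
        print(f"NO LICENSE {purl}")
```

The version comparison is deliberately naive; a production check should use the ecosystem's own ordering rules (for example PEP 440 for PyPI or Maven's comparator) and the affected-range data in the advisory rather than a single fixed version.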
Another category is extended detection and response (XDR) and managed detection and response (MDR). XDR tools offer behavioral detections across security tools to provide alerts, additional context within alerts and the ability to detect, investigate and respond from a single platform. MDR services offer more mature detection and response than XDR products, Forrester said.
A third category of tools is attack surface management (ASM) and breach and attack simulation (BAS). ASM tools help security teams identify, attribute, and assess the exposures of newly discovered and known assets for risks such as vulnerabilities. BAS provides an attacker's view of an enterprise with deeper insights into vulnerabilities, attack paths and controls.
Finally, there are privacy-preserving technologies (PPTs), which include homomorphic encryption, multiparty computation, federated privacy and other capabilities. PPTs allow organizations to protect customers' and employees' personal data while processing it, Forrester said.
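To make "processing data while keeping it protected" concrete, here is an added example, not code from the article or from Forrester, of additive homomorphic encryption using the textbook Paillier scheme: HR encrypts individual salaries, an analyst who holds only the public key multiplies the ciphertexts to aggregate them, and HR decrypts a single total without the analyst ever seeing a plaintext. The primes `DEMO_P` and `DEMO_Q` and the salary figures are constructed for the demo and are far too small for real use; a deployment would use a vetted library and a modulus of 2048 bits or more.

```python
"""Toy additive homomorphic encryption (Paillier) over employee salaries.

Added example, not from the article or from Forrester. Parameters are
deliberately small so the arithmetic is visible; they are not secure.
"""
from math import gcd
import secrets


def lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p, q):
    """Paillier key pair from two distinct primes. Returns (public, private)."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    g = n + 1                      # standard choice: makes L(g^lam mod n^2) = lam mod n
    n2 = n * n
    L = lambda x: (x - 1) // n     # defined on values congruent to 1 mod n
    mu = pow(L(pow(g, lam, n2)), -1, n)
    return (n, g), (n, lam, mu)


def encrypt(pub, m):
    """Randomized encryption: the same salary encrypts differently each time."""
    n, g = pub
    n2 = n * n
    assert 0 <= m < n, "plaintext must fit in the modulus"
    while True:
        r = secrets.randbelow(n - 1) + 1   # r in [1, n-1]
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    n, lam, mu = priv
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """Product of ciphertexts decrypts to the sum of plaintexts; needs only the public key."""
    n, _ = pub
    return (c1 * c2) % (n * n)


# Constructed demo primes (insecure size, for illustration only).
DEMO_P = 1000000007
DEMO_Q = 1000000009


def encrypted_payroll_total(salaries, p=DEMO_P, q=DEMO_Q):
    """HR encrypts each salary, the analyst aggregates ciphertexts, HR decrypts the total.
    The sum must stay below n, which holds comfortably for these values."""
    pub, priv = keygen(p, q)
    total_ct = encrypt(pub, 0)                 # encryption of zero as the running total
    for salary in salaries:
        total_ct = add_encrypted(pub, total_ct, encrypt(pub, salary))
    return decrypt(priv, total_ct)


if __name__ == "__main__":
    payroll = [52000, 61000, 73500]            # constructed sample data
    print("encrypted payroll total:", encrypted_payroll_total(payroll))
```

The point of the demo is the separation of roles: whoever does the arithmetic never needs the private key. Note that Paillier is additively homomorphic only; multiplying two encrypted salaries together is not possible in this scheme, and the plaintext sum must stay below the modulus or it wraps.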