Few words strike as much fear into security leaders as “recession.” As more analysts anticipate a recession in 2023, CISOs and security leaders are coming under increasing pressure to do more with less.
Unfortunately, this isn’t sustainable, as a recession is likely to only incentivize cybercriminals to create new types of threats, as occurred during the 2008 recession when the FBI noted an increase of 22.3% in online crime reports between 2008 and 2009.
Similarly, Regulatory Data Corp noted that cybercriminal activity rose 40% in the two years following the recession’s 2009 peak. The writing on the wall is that cybercriminals will never let a good crisis go to waste.
While it’s difficult to tell if early predictions of a recession are accurate or what the severity will be, CISOs and security leaders need to start bolstering their cyber resilience now to reduce the potential for disruption.
The talent shortage will get worse
One of the main challenges a recession could bring is a worsening of the cyber skills gap. Many analysts predict that the skills shortage will get worse as economic uncertainty encourages organizations to pause hiring new talent, or even cut existing employees.
As Jon France, CISO at (ISC)2, explains: “We predict the recession will cause a reduction in spending on training programs. Despite the idea that cybersecurity may be a recession-proof industry, it’s likely that personnel and quality will take a hit during the economic downturn.”
Organizations that cut costs and decide not to take on new security hires will inevitably exacerbate their cyber skills gap. This means security leaders will need to rely more heavily on monitoring and analytics-based solutions if they want to prevent security incidents.
“Usually, the first impact [of a recession] is that new hiring gets postponed,” said John Pescatore, director of emerging security trends at SANS Institute. “Operations staff productivity can often be increased by the use of security monitoring and analytics tools, many of which are open-source and don’t require acquisition spending.”
However, Pescatore notes that these solutions “require analyst skills,” which means organizations will need to invest in staff who have the expertise to configure and use these tools to their full potential.
“Investing now in those skills will have many benefits later, including reduced analyst turnover,” said Pescatore.
In addition, organizations should look to hire internally where possible, as existing IT staff often have the needed technical hands-on knowledge and the expertise in how a company works. Transferring IT staff to security roles can give employees a chance to use these abilities and eliminate the need to cut staff.
CISOs in a recession will face a mandate to maximize value
As organizations adjust to the financial instability that accompanies the recession, CISOs will be under greater pressure to optimize cost-efficiency throughout the tech stack. This will involve eliminating expensive tools while looking for ways to derive greater value from existing solutions.
“In 2023, there will be increasing pressure for CISOs and security leaders to maximize the value of their existing security stacks due to the pending recession,” said Leonid Belkind, CTO and cofounder of security automation provider Torq. “The current economic climate is dictating [that] all enterprises must become more efficient in their spending.”
Belkind says that CISOs will need to adapt by finding ways to derive greater value from their existing technological solutions, rather than adding more solutions. “Those who do not adhere to this will become an easier target for cybercriminals,” said Belkind.
Taken together, Belkind’s and Pescatore’s perspectives suggest that both the cyber skills gap and the need for cost optimization can be addressed by making better use of existing resources, instead of investing in new solutions and staff.
However, it’s important to note that organizations should look to assess what technologies provide the greatest impact internally, and not rely on guesswork.
“CISOs and other security leaders should assess which cyber capabilities will produce the greatest return on investment,” said Anderson Salinas, risk and financial advisory senior manager in cybersecurity at Deloitte.
One of the greatest avenues for improvement is to identify opportunities to automate processes and controls, he said.
The role of automation
Automating processes and procedures throughout the organization (particularly within security) can help to increase the productivity of existing staff. After all, the less time employees and security analysts spend on repetitive, manual tasks, the more time they can spend providing value to other areas of the business.
“Solutions that automate manual and security processes should not be underestimated,” said Muralidharan Palanisamy, chief solutions officer at AppViewX. “CISOs can look to automation to remove manual burdens from their teams and help them prioritize utilizing staff to accomplish strategic tasks to better protect their organizations.”
One potential use case for automation is digital certificate management. Research shows that the average enterprise manages more than 50,000 certificates. If one of these certificates expires, it can not only contribute to service disruptions, but provide threat actors with an opportunity to breach critical systems.
By leveraging automation, security teams can manage certificates’ lifecycle and deployment without manual tracking. This offers many benefits, including decreasing the risk of operational disruption and data breaches, while freeing up analysts to focus on higher-value tasks like threat hunting.
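The simplest piece of the certificate-lifecycle automation described above is an expiry triage: take an inventory of certificates with their `notAfter` dates and sort them into buckets (already expired, urgent, due for renewal, fine) so renewals are started before an expiry causes an outage. The example below is added here and is not code from the article or from any vendor it quotes; the inventory lines, hostnames, the 30-day and 7-day lead times, and the reference date are all constructed assumptions. The date format is the one `openssl x509 -noout -enddate` prints.

```python
"""Triage a certificate inventory by time-to-expiry (constructed example)."""
from datetime import datetime, timezone

# Assumed renewal policy: start renewing 30 days out, escalate at 7 days.
RENEW_LEAD_DAYS = 30
URGENT_LEAD_DAYS = 7

# Constructed sample inventory: "<label> notAfter=<openssl enddate output>".
SAMPLE_INVENTORY = [
    "api.example.com notAfter=Jan  3 00:00:00 2023 GMT",
    "vpn.example.com notAfter=Jan 20 23:59:59 2023 GMT",
    "mail.example.com notAfter=Feb 10 12:00:00 2023 GMT",
    "www.example.com notAfter=Dec 31 00:00:00 2023 GMT",
    "legacy-app notAfter=not-a-date",  # deliberately malformed line
]


def parse_not_after(text):
    """Parse an openssl-style enddate such as 'Mar  5 12:00:00 2023 GMT'.

    strptime treats whitespace in the format as one-or-more spaces, so the
    two spaces openssl emits before single-digit days are handled.
    """
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(
        tzinfo=timezone.utc
    )


def triage(inventory_lines, now):
    """Bucket each certificate by whole days remaining at `now` (UTC aware).

    Returns a dict of bucket -> list of (label, days_left), each list sorted
    so the most pressing certificate comes first. Lines that cannot be
    parsed land in 'unparsed' so they are investigated, not silently dropped.
    """
    buckets = {"expired": [], "urgent": [], "renew": [], "ok": [], "unparsed": []}
    for line in inventory_lines:
        label, sep, enddate = line.partition(" notAfter=")
        try:
            if not sep:
                raise ValueError("missing notAfter field")
            days_left = (parse_not_after(enddate) - now).days
        except ValueError:
            buckets["unparsed"].append((label, None))
            continue
        if days_left < 0:
            buckets["expired"].append((label, days_left))
        elif days_left <= URGENT_LEAD_DAYS:
            buckets["urgent"].append((label, days_left))
        elif days_left <= RENEW_LEAD_DAYS:
            buckets["renew"].append((label, days_left))
        else:
            buckets["ok"].append((label, days_left))
    for name in ("expired", "urgent", "renew", "ok"):
        buckets[name].sort(key=lambda item: item[1])
    return buckets


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY, datetime(2023, 1, 15, tzinfo=timezone.utc))
    for bucket, certs in report.items():
        print(bucket, certs)
```

In a real deployment the inventory lines would come from scanning endpoints or the CA's export rather than a hard-coded list, and the `expired`/`urgent` buckets would open tickets or trigger renewal jobs.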
Prevention and AI will become increasingly important
With the average cost of a data breach totaling $4.35 million in 2022, it’s more important than ever for organizations to prevent security incidents. If they don’t, they run the risk of inviting greater economic instability in a time when it will be more difficult to financially bounce back.
Using AI and machine learning (ML) to detect and intercept high-risk actions and unusual behavior throughout the environment is essential for identifying malicious entities before they can gain a foothold and reach critical data assets.
“Preventative technologies are a must at each access control point to ensure that no attacker is able to establish persistence in an organization’s IT environment,” said Jerrod Piker, competitive intelligence analyst at Deep Instinct.
Piker notes that AI and deep learning solutions have revolutionized prevention capabilities and give security teams the ability to prevent novel attack types that haven’t been seen before.
However, Gartner notes that organizations considering investing in AI should be skeptical of the hype around “next-generation” solutions that claim to offer holistic security capabilities.
Instead, organizations should manage their expectations, and understand that such solutions augment the ability of security teams and particular processes, rather than automating their defenses entirely.
Reasonable expectations include using AI to help identify more attacks, reduce false positive alerts and streamline an organization’s detection and response functions, according to Gartner.
The cybersecurity industry will remain resilient
While the financial outlook for 2023 looks bleak, the good news is that the cybersecurity industry is traditionally resilient during periods of economic uncertainty.
“We studied past recessions, macroeconomic uncertainty moments, and the cybersecurity industry’s performance relative to other software and technology verticals,” said McKinsey analyst Jeffrey Caso. “The cybersecurity space is generally more resilient across key metrics, such as revenue change, EBITA, and TSR change.”
Caso notes that during the 2007 to 2009 recession, the revenue growth of cybersecurity companies was up to two times that of other software companies.
During that recession, the security companies that thrived were the ones that focused on driving business growth by reevaluating and addressing core customer challenges.
“Looking back at the last recession, more resilient players demonstrate a standard set of actions — for example, they bundled individual products together into solutions that solved vital customer challenges, looked at opportunities for recurring revenue and continued to diversify through strategic acquisition and organic expansion — that can be studied as today’s players chart their strategies,” said Caso.
This suggests that CISOs and security leaders shouldn’t get discouraged, but should double down on efforts to use cybersecurity to provide broader business value. In addition to enhancing the organization’s cyber resilience, it can improve the company’s competitive standing as a whole.