I’m Jeffrey Wheatman, Cyber Risk Evangelist at Black Kite. And I’m going to say it. (Even though nobody wants to say it, at least out loud.)

A recession is coming (maybe it’s even here now). How soon, how bad, and how long it will last are still very much up in the air, but at this point it is inevitable. The question I have is, ‘are you prepared for budget cuts, hiring freezes, and maybe even layoffs?’

Will Security Budgets Be Affected by the Economic Downturn?

An inordinate percentage of CISOs I speak to are saying they haven’t heard about coming requests to cut. I am very scared by the ‘all’s quiet on the cyber front.’ IMHO, because of some conflicting economic indicators, executives are apprehensive about talking about it out loud.

As a result, I am fearful that the call for cuts will come with minimal notice. Decisions made under the gun, under time pressure, and without much lead time are rarely well thought out. They often end up focusing on the most visible changes versus the most valuable changes.

This post lays out a framework for dealing with requests to cut, cut, cut. Over the next few weeks, I will expand and expound on each element of the framework.

How Can the Security Team Deal With Budget Cutting Demands?

1. Focus on cost optimization rather than cost cutting.

Cutting is often viewed as a drastic and desperate measure, reactionary rather than proactive. Efficiency must be part of the messaging, but you should focus on opportunities for leverage instead of thinking about a slash of x% across the board.

2. Make sure you can clearly and concisely articulate the business impact of your tools.

Think about it this way: ‘if we lose tool XYZ, we will be less able, or unable, to [see|do|act|communicate] about risk ABC, will be unable to achieve business goal X, and will not be able to adhere to our current risk appetite requirements.’

3. Think about your current risk appetite and begin to have discussions about how it may shift.

Recent survey data indicates boards may be reassessing risk appetite under more challenging conditions.

4. Assess your current portfolio of tools.

Look for redundancies and seek areas where tools have overlap, even if this means you may have to sacrifice features and functionality. One tool that can provide a few 80% solutions is better than having to drop tools to keep a single 100% solution.

5. Focus on ways to implement automation to offset frozen hiring or reductions in workforce.

Look at tools that support automation and continuous monitoring (like Black Kite) and can give you a ‘set it and forget it’ option.

6. Look for opportunities to partner with, well, partners.

Prioritize a shift from CapEx to OpEx if appropriate, or buy tools to take over from a managed service. Understand what your organization’s preference is before making changes. Every organization I speak to has a different perspective on what color of money they prefer to cut, or not to cut.

7. Get ahead of the request to cut.

If you find areas where you can get lean, put together a plan and present it to management. If you save some money before they ask, maybe they will move on to the next team.

8. Plan for cuts, just in case.

  1. Create a tiered plan if cutting is the only option. Plan for cuts, for argument’s sake, of 5%, 10%, and 20%.
  2. Push out new tool purchases for a quarter or more.
  3. Cut leading-edge technology first. On the flip side, don’t cut basic blocking and tackling.
  4. When considering A/B/C choices, make sure you consider the human cost of tools and platforms, not just the initial cost and ongoing licensing.

The bottom line is the bottom line. We are all on the same team, unless you are a Dallas Cowboys fan, in which case you are no friend of mine. In all seriousness, if you wait and you get caught unaware, you will likely regret it.

Stay safe. Stay healthy. Stay secure!

Wheatman, OUT!