While economists debate the technicalities of whether we are in a recession or not, the rest of us are left preparing ourselves for a downturn. With a wave of tech layoffs at the top of the news cycle, and cybersecurity startups caught up in that trend, is it any wonder that the “R” word is on everyone’s minds?
In July we spoke with CISOs and industry analysts to get their take on how security leaders should be preparing for a (perhaps already present) recession. Here, we’ll review their top recommendations, but we’d be remiss to leave out the commentary that started the discussion: is a 2022 recession going to be different from anything we’ve seen before?
The world is certainly different from the Great Recession of 2007-2009, so the question seems fair. But as Fernando Montenegro, Senior Principal Analyst at Omdia reminded us: “The four most dangerous words are ‘this time it’s different.’”
In many ways, 2022 is very similar to previous downturns. We’re seeing security teams of all sizes face a tension between speed and security, and trying to plan for the future without a crystal ball.
Yet 2022 is also a unique ‘soup’ of factors that make a looming recession a bit more threatening for security teams in particular. During Covid, organizations opened themselves up to unprecedented levels of risk by moving their workforces to remote operations overnight, and let’s face it: most haven’t closed those gaps. Attackers are more motivated than ever before, and with cryptocurrency more accessible, it’s easier for them to monetize their criminal activity.
Recovering from attacks is also more difficult, says Sounil Yu, CISO and Head of Research at JupiterOne. “We have already seen manifestations of catastrophic ransomware attacks that have targeted critical infrastructure and taken terabytes of data hostage. But, the threat trends of the past two years are just the tip of the iceberg. In the decade ahead, we will see the full maturation of irreversible attacks that completely undermine our ability to recover."
Even if a 2022 recession is never officially labeled, or turns out to be mild, preparing for an economic downturn should be a priority for every CISO or security leader, ideally in advance of that downturn. Here, we’ll outline three exercises to work through now so that your organization is better protected if and when it arrives.
Three Exercises to Consider Ahead of an Economic Downturn
1. Frame Your Organization’s Risk in Terms Other Leaders Will Understand
CISOs and security leaders are masters in identifying and predicting business critical risks, so a common pitfall they face is assuming other business leaders are thinking about risk in the same way. The truth is, CISOs need to be more prepared to speak about risk in terms that leaders in other functions will more easily relate to.
Anne Marie Zettlemoyer, CSO at Cycognito, told JupiterOne, “One of the things that a security leader needs to start pushing for is quantifying risk and showing how an incident at this time specifically results in an impact to the bottom line and the ability to operate. If that risk could be catastrophic, could be above risk tolerance. Because if you get hit now, when resources are scarce and it's enough to affect your bottom line… those are the languages that we need to speak to the business.”
To do this effectively, you’ll need to collaborate with your fellow leaders, intentionally breaking down the silos between your functions. Here are a few examples of why this is critical.
The 2017 Equifax Breach and the Language of CFOs
Take the 2017 Equifax hack as an example. This data breach was considered the largest identity theft cyber crime ever, exposing more than 30 million records.
Anne Marie Zettlemoyer describes the impact of the Equifax breach in ‘CFO terms’ during a recent panel hosted by JupiterOne:
People would say that [Equifax] wasn't a big deal because ‘they could afford it.’ Now let's translate that into CFO terms. The fines alone were enough to wipe out net income for 18 months. Just in the fines. That's a very different message than, ‘Oh, it cost me a couple hundred million, but I make a billion.’ It's very different.
The language of the CFO and the board is going to be like, “Shit! What would it look like functionally if they had no net income because of a security incident? On top of the increased regulations that are now an added pressure? Precedent for opening up civil lawsuits?” …
It's not just about, “Oh, I have a data breach and there's, you know, an average cost of $1.25 per record.” The story is so much more comprehensive than that.
You have to be able to speak the language of that.
Security in the Language of the CMO: Protecting Reputation and Revenue
Zettlemoyer didn’t stop her examples at financial leadership either. She pointed out security protects an organization’s reputation just as much as the bottom line:
The message, when resources are scarce, is how does security protect the business to continue to operate? Right. And that means protecting the reputation as well.
Manage the operational risk. Enhance the ability to sell in terms of, you know, in times of chaos and uncertainty, can you maintain the brand trust? Can you maintain the quality?
That's important. And so if we can speak in those languages and then provide stories of evidence on why that's important, then I think we're going to have a better shot of making sure that our organizations are doing the right things at the right time.
Whenever you have the opportunity to frame risk (specific or general) in terms of direct impact to other business functions, get in the habit of doing so.
Explore Your Organization to Communicate Risk More Effectively
Fernando Montenegro, Sr. Principal Analyst at Omdia, noted that the most effective way to learn and communicate using the language of your leadership peers is to be an “organizational explorer.”
From an organizational perspective, as a security executive, there's two elements you have to stay on top of: What are the key initiatives, outside of security, that your organization is doing? And how can you map those back to what security is doing?
So is marketing having a new campaign or something that involves a long term partner that they've worked with all the time? You will never know about that if you don't talk to marketing, right? So I think that security executives in this day and age have to be almost like organizational explorers. You have to understand what's happening in your organization, and how that translates back into what you are doing.
To communicate risk most effectively across your organization, it’s important that you understand the broader context of what other business functions are focused on. This will help you relate security priorities to business priorities, and help protect your team and budget from cuts.
2. Evaluate Institutional Knowledge and Implement Safeguards
Faced with resource constraints, nearly every organization is at risk of losing institutional knowledge. Most companies choosing to reduce their workforces will implement ‘peanut butter spread’ cuts across the board, which inevitably affect security teams, even when risk has been contextualized appropriately. Knowing that a recession could create the need to reduce their team, how can CISOs and security leaders prepare? Understand and evaluate institutional knowledge, and implement safeguards to prevent over-reliance on it.
Preserve Institutional Knowledge When Possible, but Have a Plan B
First, on understanding the value of institutional knowledge, Montenegro says, “The value that your security organization is bringing is not only the domain knowledge of how to operate the particular tool or even how to code in a particular language. It's that understanding of how you translate organizational objectives into a technical reality, right?
The moment that you are letting go of security people within the security organization, you're losing not only yes, sure, you're losing some technical capability that you may potentially be able to offset with an outside firm, but you're also losing that organizational knowledge.”
Preparing to lose organizational knowledge is an ongoing risk management exercise, says Anne Marie Zettlemoyer.
Risk managers should never rely on one person or a small group of people for any one thing. So if there is a crux of institutional knowledge, where's your failover? You know, humans are humans. Something can happen. What is your plan B?
So, yeah, you don't want to let [institutional knowledge] go, but you need to plan for it leaving.
You've got to start memorializing that knowledge and being strategic about it because people are not forever. You've got to start pushing it over, having some redundancy in that knowledge.
A Simple Stress Test? Take a Vacation
Sounil Yu, CISO at JupiterOne: “When you go on vacation, it's actually a really good disaster recovery practice to cut someone's access. So that, one, they have a really great vacation. And then two, you understand what institutional knowledge that person had, that may actually be pretty critical that wasn't shared elsewhere.”
Security’s Role in Evaluating Institutional Knowledge in Other Functions
Outside of evaluating the potential points of failure on your security team, consider the role Security should play in preserving institutional knowledge across the organization. Jasmine Henry, Field Security Director at JupiterOne, shared how framing “security as record keepers” can help address this risk across all business functions:
Security plays an important role in institutional knowledge management. Security teams are essentially organizational advocates for best practices and records-keeping, and knowledge management is a natural extension of many security activities.
Security teams should be at the forefront of using automation to create excellent, reusable knowledge artifacts, and they should share their models for knowledge capture and dissemination with other teams.
An example of this would be how JupiterOne's security team manages meetings as code for compliance evidence. We do this by submitting meeting notes as an update to a markdown document and then merging using a pull request on GitHub. One approving review from a meeting attendee is needed to merge the pull request into the security meeting main branch. Doing this creates searchable artifacts in JupiterOne of our weekly meetings, along with a timestamp of when updates occur.
This streamlined approach makes it easier to track and manage evidence for security assessments and regulatory audits. It’s a clever tactic and a good example of how a security team can implement knowledge keeping and safeguards across the organization.
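As an added illustration of the meetings-as-code review rule described above (example code written for this page, not JupiterOne's own tooling): given the markdown body of a meeting-notes file and the reviews on the pull request that changed it, the script confirms that at least one approving review came from a listed attendee and emits a timestamped evidence record. The review objects mimic the shape of GitHub's pull-request review API (`user.login`, `state`), but the note and the reviews are constructed samples.

```python
"""Review-policy check for meetings-as-code compliance evidence."""
import re
from datetime import datetime, timezone

# Constructed sample: a weekly security meeting note with an attendee list.
MEETING_NOTE = """# Security weekly 2022-07-18

Attendees: alice, bob, carol

## Notes
- Reviewed open findings from the cloud asset inventory.
- Agreed to cut an owner's access during vacation as a DR exercise.
"""

# Constructed sample reviews, shaped like GitHub's pull-request review objects.
REVIEWS = [
    {"user": {"login": "dave"}, "state": "APPROVED",
     "submitted_at": "2022-07-18T15:02:11Z"},   # approver, but not an attendee
    {"user": {"login": "bob"}, "state": "COMMENTED",
     "submitted_at": "2022-07-18T15:10:40Z"},   # attendee, but only commented
    {"user": {"login": "carol"}, "state": "APPROVED",
     "submitted_at": "2022-07-18T16:30:05Z"},   # attendee approval: satisfies the rule
]


def parse_attendees(markdown: str) -> set[str]:
    """Return the logins on the 'Attendees:' line, lower-cased; empty if absent."""
    m = re.search(r"^Attendees:\s*(.+)$", markdown, re.MULTILINE)
    if not m:
        return set()
    return {name.strip().lower() for name in m.group(1).split(",") if name.strip()}


def attendee_approvals(markdown: str, reviews: list[dict]) -> list[str]:
    """Logins of attendees whose review state is APPROVED, in submission order."""
    attendees = parse_attendees(markdown)
    return [r["user"]["login"] for r in reviews
            if r["state"] == "APPROVED" and r["user"]["login"].lower() in attendees]


def evidence_record(markdown: str, reviews: list[dict]) -> dict:
    """Build the artifact an auditor wants: pass/fail, who approved, and when it was checked."""
    approvers = attendee_approvals(markdown, reviews)
    return {"attendees": sorted(parse_attendees(markdown)),
            "approved_by_attendee": bool(approvers),
            "attendee_approvers": approvers,
            "checked_at": datetime.now(timezone.utc).isoformat()}


if __name__ == "__main__":
    print(evidence_record(MEETING_NOTE, REVIEWS))
```

In a real pipeline the same check would run as a required status check or merge-queue step, with the reviews pulled from the pull request rather than embedded.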
3. Ensure Visibility of Your Infrastructure to See Opportunities to Reduce Costs
If you have to reduce your spend next quarter and you want to preserve your team, where would you cut? This question is difficult to answer if you don’t have a clear understanding of your cyber asset inventory, cloud usage, or other critical security resource questions.
There may be ‘low-hanging fruit’ opportunities to reduce costs that you are simply blind to; resolving these blind spots now will ensure you are ready to make the best decisions for your organization later.
Good Cloud Architecture: It Costs Money Because It Saves Money
The following is an excerpt from “A CISO’s Guide to Security Strategy During a Recession,” a July 2022 webinar panel with the Cloud Security Alliance. This panel was moderated by Sounil Yu, CISO at JupiterOne, and featured Anne Marie Zettlemoyer, CSO at Cycognito, alongside Fernando Montenegro, Sr. Principal Analyst at Omdia.
You can watch this webinar on demand here, but in this excerpt the panelists discussed cloud architecture as an example of where visibility makes all the difference when discovering ways to reduce costs.
Sounil: If there were to be cuts, do you see people potentially cutting cloud costs and cloud engineers?...
Anne Marie: Well, so when you talk about whether [the cloud] is a cost savings or a cost suck, you know, folks go to the cloud for speed, because it reduces your capital outlay. Right. You don't want to have to procure and then rack and stack and run cable…
Sounil: And cloud is useful for uncertainty, right. When you don't know what you need and what you might need.
Anne Marie: Yes, if you have planned and put in place the controls and the people to monitor it. You know, the idea of cost savings in the cloud can only happen if you spin the instance down and how many organizations are actually spinning anything down or throttling back, anything. It doesn't happen, right?
Because they're so focused on the speed and they don't necessarily realize it. And then the folks that are doing the accounting aren't following up with the engineering and showing them the impact. Right, it's too siloed.
So it's just like anything else. With security, I think people are going to try and automate and increase tooling. But you still need a body to tune that tool. You still need to make it work. And you forget that you might have to hire someone, if you're going to replace ten, you still need one or whatever it is to manage that tech. Same thing with cloud.
Fernando: Spot on. One thing I would say, not only do you forget to turn off those instances, you may have provisioned those instances wrong in the first place because what ends up happening is that way back when, when we were racking and stacking things, we had two provisions for two people, right?
So you would design your architecture for that. And if you do a simple lift and shift to cloud and okay, what used to be a half terabyte memory server on premises now is a half terabyte service of a memory service on cloud…that is expensive.
So if you don't have the experience to understand how to re-architect your application and your operations, you end up with extreme cost on cloud because all of a sudden you're paying for a massive server that could, if you had re-architected it, been much, much less.
Anne Marie: And then they turn on services for redundancy, which is important, right, we need redundancy, but then they'll turn on things like continuous snapshot for things that you absolutely don't need. It's a default.
And they don't tie it to cost because these two orgs or three orgs are not talking about the impact of that. If you don't understand the impact that that has on size and cost, do you really need to have continuous snapshot on every single thing you do? NO!
Sounil: In terms of the preparation, I think one of the things that I've seen is some teams have scaled down their security resources while they've also scaled up in other places. And I think part of the conversation I'm hearing here is, especially in relation to cloud, you can do cloud wrong, right? If you treat it as if it's a persistent environment, just like your existing on-premise environment.
However, if you hire the right type of people, who understand how to do cloud engineering properly, where if you need to horizontally scale, you build that out as you need it, not have it on a persistent basis. If you need a backup environment, it's a design thing so that the backup environment can be stood up really quickly, not always hot standby. Because if you do that, then you're not really capitalizing on the real true cost saving opportunities.
And I think in the context of an upcoming recession and there's a huge emphasis on cost reduction and cost savings, I would much rather be able to have a team of people who I hire in addition to who I already have who can understand how to build into our infrastructure better cost saving measures.
Anne Marie: Does anybody remember the movie Moonstruck?
Fernando: Yes!
Anne Marie: It costs money! It costs money because it saves money.
For more insights into security strategy during a recession
Watch the full panel with Sounil Yu, Anne Marie Zettlemoyer, and Fernando Montenegro anytime by clicking here. You’ll also gain access to an interactive transcript so you can dive deeper into the insights that are most relevant to you and your team.