At a recent Cybersecurity Forum hosted by the Wall Street Journal, a panel discussion titled Managing Cybersecurity in a Downturn (subscription required to view) agreed that an economic downturn could bring direct cuts to cybersecurity budgets, as well as surprise knock-on effects that could squeeze a CISO’s budget just as much.
On the panel:
>>Renee Guttmann, Founder and CEO, Cisohive, a former CISO at Campbell Soup and Royal Caribbean
>>Emilian Papadopoulos, President, Good Harbor Security Risk Management
>>Steven Rosenbush, WSJ Pro Enterprise Technology Bureau Chief
Some of those surprise squeezes might come from:
>>Cuts to the IT infrastructure team raising cyber risk by reducing the staff tending servers, endpoints and other assets that could be attacked. Mistakes like misconfigured cloud buckets could multiply.
>>Cuts to marketing or other functions leading to more outsourcing, creating new workflows and new demands for vendor verification
>>Retention of cybersecurity staff getting harder, which raises labor costs but also drives more investment in automation. “The staff you have are no longer willing to put up with routine tasks,” Guttmann said.
In a downturn, CISOs should think strategically about spending, including:
>>“Have a two- or three-year roadmap for what technology they are going to spend on, what staff they need,” said Papadopoulos, particularly with an eye on going “lean or later” – that is, what spending can be dialed back or postponed.
>>Prioritize those plans based on the biggest risks to the business
>>Work those plans through the business’ management and get them signed off by the board. “If the CISO can communicate to the board in plain English what the consequences are, then the board is a really good partner in saying here are the risks we are willing to accept for a while and here are the ones we are not,” he said.
But “that’s the rub,” said Guttmann. “A lot of CISOs are not able to explain what the implications are to a business if something were to go sideways.
“That’s why you see newer approaches coming to be like cyber risk quantification…I feel that’s a long overdue practice. It will put us in a better position to be able to describe a financial cost – materiality – which is also what’s coming down the road in terms of legislation” (and regulations).
At RiskLens, we support CISOs in thinking strategically about budget with our Cybersecurity Prioritization and Justification use case that enables clear communication of risk reduction and ROI for major security projects through cyber risk quantification. Learn more in this webinar: CRQ Use Case Series: Risk Decision Support.