As we battle our way through the COVID-19 fallout, some have started to think about what the cybersecurity world will be like as we emerge from the current situation. One thing that is clear is that the economic fallout is likely to be severe and last at least three years if not longer. What this means is that CISOs will need to adjust to this new way of working for at least this period of time.
So what is this economic fallout and what does it mean? In simple terms, budgets across an organisation are likely to shrink as businesses recover from the COVID-19 fallout. Cybersecurity will not be immune to this. As a result, CISOs will need to adjust and be prepared to ‘do more with less’. Due to the nature of cybersecurity, the effort required in this space is likely to remain the same or increase with budgets shrinking. This poses a clear challenge to CISOs.
The following four challenges have emerged in my discussions with CISOs:
CHALLENGE 1: DISASTER RECOVERY PLANNING (DRP) AND BUSINESS CONTINUITY PLANNING (BCP) TO BE AN ONGOING FOCUS – For those of you who can remember as far back as 9/11, there was a surge in DRP/BCP activities after that event. However, over the two decades since, organisations have become less focused on continuity and recovery, and COVID-19 has revealed some gaps in preparedness. For example, many organisations were prepared to move operations to an alternative site, but they were not prepared to move their entire workforce to working from home. As we recover from COVID-19, expect more focus on DRP/BCP activities to manage this critical area of risk.
RESPONSE: CISOs will need to divert attention and funds to manage this critical area of risk. Robust BCPs/DRPs must cover a wider range of scenarios, and these plans will need to be well tested and maintained over time. Let’s not forget suppliers and third parties. No business is an island, and as a result, ensuring your supply chain is as secure and as prepared for a disaster as you are will be just as important to your survival.
CHALLENGE 2: DO MORE WITH LESS – As budgets shrink, CISOs will be required to do more with what they already have. Leveraging existing investments and ‘sweating the asset’ will become the mantra for at least the next three years.
RESPONSE: CISOs can respond to this challenge effectively by leveraging what they already have, including consolidating and making better use of existing investments. Most organisations have invested in technologies that may not be fully utilised. Now is the time to ensure we are using them to their full potential and to remove or consolidate any that may not be needed. Simplifying existing infrastructure and using it better also has the advantage of reducing management effort. This in turn will allow an organisation to reduce its OPEX in the cybersecurity space.
CHALLENGE 3: NEED TO PRIORITISE PROJECTS – As budgets shrink, the need to prioritise projects will become paramount. CISOs will need to justify the projects they want funding for, and Boards and Executives will apply greater scrutiny to any funding requests.
RESPONSE: The easiest and most logical way to justify cybersecurity projects is by taking a risk-based approach. Understand the risk your organisation is exposed to. Ensure that this takes into account vulnerabilities AND threats. Be prepared to discuss this with boards and executives on a regular basis. Excel spreadsheet-based vulnerability assessments every six months will no longer cut it! Boards and executives will ask for a clear indication of the risk mitigated by each requested project, backed by threat information and the dollar value of the risk mitigated; this needs to be made available regularly and kept current. Regular threat-based reporting and clear indicators of risk reduction will become a core part of a CISO’s reporting regime.
CHALLENGE 4: COMPLIANCE BURDEN REMAINS – Compliance requirements such as Privacy Laws, PCI DSS and APRA’s CPS 234 will not go away. With shrinking budgets, the challenge for CISOs will be to continue to address these AND broader cybersecurity initiatives.
RESPONSE: Understand the requirements and focus on tools and technology that can address more than one control. Invest in technologies that allow you to do more with less. This is an extension of Challenge 2, and organisations must focus on ensuring the ‘best bang for their buck’. Various countries’ Privacy laws, PCI DSS, CPS 234 etc. require the data in question to be identified, isolated, access strictly controlled, vulnerabilities managed and encryption (in motion and at rest) enabled. Organisations must invest in technology that can discover, segregate, cloak and encrypt data ‘on the wire’ in one hit. This will allow organisations to leverage every dollar by consolidating technology investment and management effort.
As we start to look forward to a post-COVID-19 world, CISOs need to start thinking about what that world will look like and to start addressing the challenges it poses. The four challenges I have outlined are a start, and now is the time to think about these and start to prepare our responses as best we can.