Times are challenging, and organizations are pushing to do more with the same or less. Cybersecurity is an essential function, but how do you ensure the cybersecurity team can withstand the pressures of a downturn?
By Dave Cartwright, CISSP
Wherever we look across the technology industry, it’s hard not to see companies laying people off to save money. In some cases downsizing is attributed directly to a need to backtrack on COVID-19-induced over-recruitment, the most prominent of which is Zoom divesting itself of 1,300 people (15% of its staff) because the pandemic-generated demand for people has now receded. For some others, the stated reason is less clear, such as Google’s layoff of 12,000 people because of a “rigorous review across product areas and functions to ensure that [its] people and roles are aligned with [its] highest priorities”.
Whatever the reasons, though, the fact is that because of the rising cost of doing business, inflation rates at historic highs and the far-from-complete recovery from the pandemic, companies have less money to spend on doing business. And when the overall budget is cut, even the cyber security function must ultimately take its share of the pain.
Can we make our cyber team recession-proof? In a word … no. Even at the best of times the cyber budget is a compromise between risk and cost, as we can never fully defend ourselves against all cyber threats. Also, the more secure you make your systems, the harder and the more expensive it becomes to make even the slightest improvement as the law of diminishing returns kicks in.
But as with any challenge, we can mitigate the downside.
Hiring Good People
The obvious place to begin is recruitment. With statistics telling us that 63% of cyber security roles take three months or more to fill, we have already resigned ourselves to having to live with the people we have as we do battle in the highly competitive cyber recruitment market. (ISC)² research shows there is an estimated global gap of 3.4 million people in the cyber workforce. With such a long lead time for recruitment and a shortage of oven-ready practitioners, we presumably already have contingency plans in place – after all, if we know it’s more likely than not to take months to recruit someone, we must have an interim plan that involves more than crossed fingers and hopeful prayer. And if that’s the case, we can slow down our recruitment drive and hence delay the increase to payroll costs.
On a related topic, looking overall at the cost of the people who work for us should include consideration of the balance between payroll employees and contractors (or other temporary staff). The rules and conventions around employment vary wildly with geography – in some countries it is normal to be laid off with little or no notice, while in others letting staff go is a far more involved and expensive exercise – but there is a lot to be said for using non-permanent staff for specific tasks in order to minimise fixed costs and focus expenditure on people as and when business need and funds permit. Generally speaking, if you have a niche, specialist job to do, look at using temporary labour, and focus your payroll on generalists who can turn their hands to multiple areas of security.
Slowing down recruitment does not, of course, give us any immediate savings. Should we be slashing headcount to give a direct reduction in headcount expense? Not if we can help it, for two reasons. First is the simple cost of doing so: severance pay will generally be non-zero, and if you think hard about choosing the “right people” to make redundant, that selection will almost certainly not simply mean taking the lowest-cost, last-in-first-out approach. Second, and more importantly, recall the cyber skills gap mentioned above: competition for cyber skills is fierce, which means that unless your pay and benefits regime is exceptionally generous, you can expect a natural level of attrition in your workforce – 21% per annum according to the survey we cited earlier about the skills gap.
The Actual IT Elements
There is, of course, more to the cyber budget than people: we have systems and software. And many of us have a skeleton or two in the closet, in the form of security kit from which we don’t get value.
Look back over 20 years at the general IT equipment we were using, and security was most definitely not the focus. Software was written to do the job for which it was designed, and security was an afterthought (or not a thought at all). Wind the clock forward to today and it is nigh on impossible to deploy a new server or desktop without being prompted to enable anti-malware functionality (which, at least in a basic form, ships with many modern systems), turn on automated patching functionality and configure secure authentication features. From a past world where the average router’s admin password was “admin”, we’re now forced to configure it as something sensible. Security now has proper consideration in the development divisions of mainstream IT equipment vendors, so it would be criminal not to use those features that are handed to us on a plate, yet many organisations miss the opportunity to employ them. So as the purse strings get tighter, it is essential to step back and look at the gap between what we’ve been given and which of it we’re actually using.
And there is a further sin being committed around the cyber world: spending significant sums of money on high-end security systems and then getting terrible value from them by failing to use them properly. This is most prevalent for security products that observe systems and generate reports and alerts – security information and event management (SIEM) and security orchestration, automation and response (SOAR) are two common examples. The issue is simple: we install such packages but then fail to spend the time and effort to configure them properly … and even if we do the latter, we then don’t staff up the response team sufficiently, and so the reports and alerts go unheeded. Once again, we need to be rational and consider the entire range of security systems we employ and ask whether we can do more with less. If we decide that yes, we are not doing justice to a particular system, strong consideration should be given to decommissioning it. This can provoke an inquisition from the finance team – particularly if it’s a subscription service with time yet to run or an asset that is yet to be fully depreciated – but it may well be that by focusing your people on fewer systems, your security defences will in fact benefit. If the bean counters win that argument, you should at the very least be judicious at licence/subscription renewal time and not cave in to the vendors’ renewal demands unless you absolutely need that system.
At The End of The Day – It’s Still All About People
Which brings us to a final point, which is to go back a few hundred words and revisit the discussion of people. While we employ software and systems to make our lives easier – such as the previously mentioned SIEM systems which take unmanageable quantities of log messages and distil them into something human-consumable for us – we need a critical mass of people to run them and react to what they tell us.
There are three considerations for keeping cybersecurity going in these financially challenging times: always consider more than just the cost of the service, including the cost of the organic lifeforms needed to run it; for the staff expense, consider the balance of permanent vs. temporary staff; and while you should always be cautious before buying a new system, it’s just as important to give serious consideration to decommissioning existing systems if you’ve deployed too many.