The subject of prioritizing cybersecurity spending often arises in periods of economic uncertainty. As most security professionals will admit, the challenge of security budget justification is challenging in many organizations, regardless of the economic cycle. But in a recession, the challenge of cybersecurity budget allocation and spending can be compounded because, too often, cybersecurity is viewed as an auxiliary and non-critical IT program.
This blog sets out some core tenets essential for building a recession proof cybersecurity program. Spoiler: Building a resilient cybersecurity program starts with a mind shift
Cultivating a positive organizational cybersecurity culture
Many security leaders struggle to make the case for cybersecurity spending allocation, regardless of the economic environment. This is due to an out of touch mindset, with certain leaders failing to understand the importance of cybersecurity to their company’s overall business operations and objectives.
This poorly informed view was evidenced in a recent survey conducted by Tessian, with only 58% of employees thinking that senior executives at their company value cybersecurity. This explains why 1 in 3 employees don’t understand the value of cybersecurity, and why 30% of employees believe they play no role in cybersecurity threat prevention.
The mixed attitude towards cybersecurity could also explain why security leaders often find it challenging to justify cybersecurity program spend, which can become even more challenging in an economic downturn. The tide is slowly starting to turn, due in a large part to increasing cybersecurity risk and the catastrophic fallout associated with breaches, which can result in business failure.
Beyond an organization’s self-interest to keep their information systems and data secure, investors are starting to exert pressure on their portfolio companies to maintain an industry baseline of cybersecurity protection. Evidence of this shift in attitudes is reflected in the fact that environmental, social and governance (ESG) reporting now includes an assessment of an organization’s cybersecurity program and defenses.
It needn’t break the bank. Developing a positive cybersecurity culture in an organization is something that can be achieved on a relatively low cost basis. The key elements to achieve this include clear communication from the executive leadership on the importance of maintaining good cybersecurity hygiene. Creating a positive employee experience in relation to cybersecurity is essential. This entails developing engaging and context-based security awareness training programs that drive cybersecurity awareness – empowering employees to become part of the cyber defense.
Using open source resources and frameworks to build cybersecurity resilience
While there is no singular approach to building out a cybersecurity program, there are a trove of freely available resources and best practice guides to assist with building information governance systems and cybersecurity programs. View cybersecurity program development as a work in progress. Many unique factors and characterics will come into play in shaping your cybersecurity program development.
By establishing a dedicated team to tackle enterprise security architecture and using well established enterprise architecture frameworks such as COBIT and TOGAF, in conjunction with cybersecurity frameworks such as NIST Cybersecurity Framework, ISO 27001/02 and the CIS Critical Controls, organizations can start putting the building blocks in place for developing well-integrated and robust information governance systems.
Enterprise architecture frameworks such as COBIT are useful to build an information governance system that proactively identifies areas of risk or IT capabilities that need improvement to ensure that business objectives are achieved.
Ensuring compliance with industry and geo-specific regulations
Cyber risk is increasing year-over-year. In the latest FBI IC3 report, Business Email Compromise (BEC) fraud related losses increased by 65% globally in the period 2019 to December 2021. In the latest Verizon DBIR, ransomware attacks increased by 13% year-over-year, representing the largest increase in over 5 years.
Prioritize your cybersecurity technology budget from the assumption that there is a very strong likelihood that you will at some point suffer a breach. On this basis, focus on the fundamental threat vectors relative to your accepted risk threshold.
In US states such as California and many jurisdictions around the world, regulatory authorities are establishing minimum levels of cybersecurity preparedness that need to be met to ensure compliance.
The California Attorney General under the California Consumer Privacy Act (CCPA), has for instance established the requirement that businesses over a certain revenue threshold have to have a reasonable level of security in place. Reasonable security according to the CCPA is defined as having the CIS Controls implemented.
In the EU’s General Data Protection Regulation (GDPR), key stipulations include having data privacy and data security safeguards in place to ensure the confidentiality, integrity and availability of information processing systems and services. Other security controls include having the ability to restore availability and access to personal data, as well as having a process in place to regularly test, assess and evaluate the effectiveness of technical and organizational measures that ensure the security of data.
Going beyond the minimum
Threat actors are continuously advancing their abilities. This is why cybersecurity and business leaders cannot afford to rest. Continuously testing your cybersecurity defenses through regular audits and penetration testing will help you identify areas for improvement. This includes practicing incident response and business continuity preparedness.
Cybersecurity is not a tick box compliance exercise.
Cybersecurity is everyone’s responsibility. Many of the core components that encompass a cybersecurity program do not require significant budget, but rather effective leadership, time and effort. Most importantly it requires adopting a mindset that recognizes the importance of being cyber resilient as essential to the organization’s overall success.
To see how the Tessian Intelligent Cloud Email Security platform prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo.
For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn