Blog post -

Risk vs cost: cyber in the face of economic uncertainty

By Paul Vlissidis, Technical Director and Senior Adviser, NCC Group

The temptation of cost reduction in a recession against increased risk

As the Covid recession starts to bite, many organisations will be looking at ways to reduce their costs. Cyber security, beyond pure compliance activities, can often be seen by CFOs as purely a cost, making it a prime candidate for the review and ultimate reduction or removal. But recent research by Portsmouth University (1) in the UK has shown that as GDP falls, criminal activity, including fraud, rises.

As recession hits, individuals may struggle financially and the temptation to exploit known weaknesses in internal organisational procedures and systems may increase thus exposing organisations to a heightened risk of internal malicious activity. Similarly, organised crime groups will find recruitment easier during a global recession, so the external threat also increases as techniques like ransomware become more lucrative. (2)

Below, I’ve identified the key areas you should be paying attention to as you plan your security investment:

Budgets will be smaller – ensure they are smarter

So what about that security budget? It’s unlikely to remain unscathed given the financial pressures, but where could it be best spent? It’s a nettle that CISOs and CFOs are going to have to grasp. If you are still tackling essential security hygiene issues then this should take priority over everything else. Focus on estate management, patching, privilege and credential management to ensure one of the greatest returns on investment.

Digital transformation – Removing technical debt and reducing running costs

If you still carry significant technical debt then you may be under pressure to service that debt longer than you planned. But if the current events have shown anything then it is that cloud computing increases resilience across the board so any cuts to digital transformation are likely to end up costing more in the medium term. The security benefits of moving to cloud are well-documented.

If your workforce has transitioned fully to cloud for their day-to-day activities, then much of your traditional on-premise equipment could be decommissioned.

Ensuring you can detect, contain and respond to security events

If you have a detection & response project in flight or in place then protect it, as this capability is a critical compensating control in a technical-debt-ridden and increased threat environment with a far greater number of staff working from home. In-house security operation centres (SOCs) may be advised to give way to external service provision to take advantage of the scale and investment that pure-play service providers can offer. Similarly in-house tools for basic security assessment such as vulnerability scanning are expensive to buy and to skill up for, so look to managed vulnerability scanning and testing as a more cost effective way to achieve improved scrutiny.

Be able to articulate the risk but provide options to cost curtailment

At the end of the day it’s the CFO and the board that need to be shown the value so security leadership needs to be able to:

  • Articulate risk
  • Quantify and qualify likelihood and impact beyond in the real-world
  • Provide least worst options for cost curtailment
  • Identify options for short term increases in cost which substantially reduce spend in the medium term

For many CISOs the coming recession will require them to revisit business cases they thought had been won.

1. https://www.eurekalert.org/pub_releases/2020-04/uo...

2. https://securityboulevard.com/2020/05/covid-19-unc...

Topics

  • Consulting

Contacts

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574

Related content

What the Covid-19 crisis teaches us about infosec

As an InfoSec professional, Joseph Macmillan has noticed a few interesting phenomena and reactions to the Covid-19 pandemic from an individual, organisational, and governmental level, which can be compared to the everyday life of the InfoSec world. He takes us through how the Covid-19 pandemic is similar to a company network, and how it’s different.

CISO Interview: Covid-19 has changed our approach to crisis management

We have interviewed some of Denmark’s leading CISOs about their experiences and reflections on being on a constant of high alert the past two months during COVID-19, and the impact it has on the approach to crisis management.

Maintaining operational resilience in the midst of COVID-19

In his second briefing in response to the outbreak of COVID-19, our director and senior advisor Tim Rawlins provides continuing advice to organisations on how they can maintain operational activity despite the current challenges.

Updating your business resilience plan: advice for those concerned about COVID-19

With instances of coronavirus hitting the headlines each day, many organisations are looking to strengthen their business resilience plans. NCC Group’s director and senior adviser, Tim Rawlins, has provided some useful tips on how your organisation can put effective processes in place

FAQs on how to prepare for, prevent or detect a hack

On 30 July 2020, NCC Group Australia held a webinar on Cyber incident Response Planning, explaining how to prepare for, prevent or detect a hack. This blog provides responses to the Q&A questions asked by attendees during the webinar.

With good threat intelligence it’s still possible to do security well, even on a tighter budget

​Matt Hull, Cyber Threat Intelligence Manager, explains how organisations can get more out of their security budgets by applying good cyber threat intelligence.

Five questions you should be asking about your business’ cyber resilience

Joss Howard, senior advisor at NCC Group shares the five questions she thinks businesses should be asking themselves in order to build a robust cyber security posture.