Cyber security executives are pushing for continued technology investments in a strong economy

John Fedele Getty Images

Cybersecurity executives have had a great time finding the funding they need to protect their organizations from attacks. But given the current economic uncertainty, many are having to rethink their approach to making investments in equipment and services.

“Cybersecurity is not immune to economic pressures and uncertainty,” said Daniel So, director of cyber and strategic risk and financial advisory at Deloitte. Cybersecurity executives are under intense pressure to improve efficiency and are often expected to do more with less while keeping pace with cyber threats and ever-increasing attack surfaces, he said.

“CISOs need to be ready to justify the cost with the results,” So said. “An effective way to justify cyber investment is to consider the negative impact on revenue of business interruption due to a cyber incident, which reduces trust between organizations and stakeholders.”

Whether the economic downturn is a temporary dip lasting one to two quarters or a long period of austerity, CISOs must demonstrate that they can act as financial stewards of capital, said Merritt Maxim, Forrester Research’s vice president and director of research.

“It’s also a time for CISOs to strengthen influence, build goodwill, and eliminate security awareness by addressing the burdens placed on customers, partners, peers, and affected groups by treating security as a cost center,” Maxim said.

When prioritizing security investments, security leaders must continue to invest in security controls and solutions that address the organization’s customer and protect revenue-generating workloads, Maxim said. Investments in the cloud and evolution to zero-trust security should continue to support the organization’s modernization efforts, he said.

Cybersecurity functions that deserve increased or continued funding in this economy include application programming interface security solutions, bot management solutions, cloud workload security, container security, multi-factor authentication, security analytics and zero-trust network access, Maxim said.

In addition, CISOs must continue to experiment with new security technologies such as attack surface management, software supply chain security and extended detection and response, Maxim said.

While investing in cybersecurity is important, it’s also important to determine which security capabilities provide the greatest return on investment to maximize risk mitigation, So pointed out.

“CISOs need to invest in their ability to leverage artificial intelligence and automation, both of which are levers to reshape how work is done while improving productivity,” he said.

Cybersecurity programs can benefit from what the industry calls “shift-left” or “secure by design,” meaning they rely on DevOps practices and integrate cybersecurity capabilities into existing technology processes, he said. This also helps prevent violations.

“CISOs need to drive security improvement efforts through the logic of tools and technology and look for alternative workforce, talent and operating models to deliver results more efficiently,” said So.

A recent Forrester report on security and risk found that while business leaders are less likely to target security investments during an economic downturn, “it would be unwise to do so.” [security and risk] Leaders don’t have to join their IT counterparts in evaluating spending across the board to ensure maximum value.

Despite the shift to the cloud, on-premises technology costs are still significant, according to the Forrester report. “When we combine costs for maintenance and licensing, upgrades and new investment, on-premise technology spending is the biggest expense in the security budget,” the report said. “As more applications and workloads move to the cloud, this suggests misallocation of security budgets. CISOs need to closely examine on-premises spending to determine if it aligns with the overall IT organization’s cloud and modernization strategy.”

CISOs have struggled for years to recruit and retain security talent for a variety of reasons, the report says. “When the economic picture is bleak, it is tempting to cut costs in these areas, but it will not save much compared to other costs, and it will exacerbate the skills shortage and sacrifice confidence when there are no borders, wherever companies need work,” Forrester said.

Investing in the right cyber security tools

When prioritizing security investments, security leaders should continue to invest in tools that protect the organization’s customer-facing and revenue-generating operations, the report said.

Forrester sees growing and promising value in four types of security tools. One is software supply chain security, including the software bill of materials, which provides an overview of all components of a software program, including open source and commercial libraries.

Another category is extended detection and response (XDR) and managed detection and response (MDR). XDR tools provide behavioral detection across all security devices to deliver alerts, add context to alerts, and access, investigate, and respond from a single platform. MDR services offer more mature detection and response than XDR products, Forrester said.

A third category of tools is attack surface management (ASM) and breach and attack simulation (BAS). ASM tools help security teams identify and assess their vulnerability to threats such as newly discovered and known assets. A BAS tool provides an attacker’s view of an organization with a deeper understanding of vulnerabilities, attack paths and controls.

Finally, there are privacy protection technologies (PPTs), which include symmetric encryption, multiparty computing, federated privacy, and other capabilities. PPTs allow organizations to protect the personal information of customers and employees while working, Forrester said.

Akamai CEO Tom Leighton says the cybersecurity business is very strong.
