As we battle our way through the COVID-19 fallout, some have started to think about what the cybersecurity world will be like when we emerge from the current situation. Budgets across organizations are likely to shrink as businesses recover, and cybersecurity will not be immune to this. As a result, CISOs will need to adjust and be prepared to ‘do more with less’. This poses several distinct challenges to CISOs.
In my effort to understand those challenges, I’ve talked with CISOs. Below are what I’ve identified as the four most concerning challenges, and suggestions for how to confront these issues:
Challenge 1: Disaster Recovery Planning (DRP) and Business Continuity Planning (BCP) to be an Ongoing Focus – Post 9/11, there was a surge in DRP/BCP activities. However, over the two decades since that event, organizations have become less focused on continuity and recovery. COVID-19 revealed gaps in preparedness. For example, many organizations were prepared to move operations to an alternative site, but they were not prepared to move their entire workforce to working from home. As we recover from COVID-19, expect more focus on DRP/BCP activities to manage this critical area of risk.
Response: CISOs will need to divert attention and funds to manage this critical area of risk. Robust DRPs/BCPs must cover a wider range of scenarios, and these plans will need to be well tested and maintained over time. Let’s not forget suppliers and third parties. No business is an island, so ensuring your supply chain is as secure and as prepared for a disaster as you are will be just as important to your survival.
Challenge 2: Do More with Less – As budgets shrink, CISOs will be required to do more with what they already have, or with less than they have today. Leveraging existing investments and ‘sweating the asset’ will become the mantra for at least the next three years.
Response: CISOs can respond to this challenge effectively by leveraging what they already have, including consolidating and better using existing investments. Most organizations have invested in technology that is likely not being fully utilized. Now is the time to ensure those tools are used to their full potential, and to remove or consolidate any that may not be needed. Simplifying existing infrastructure and using it better has the added advantage of simplifying management effort, which in turn allows an organization to reduce its cybersecurity OPEX.
Challenge 3: Need to Prioritize Projects – As budgets shrink, the need to prioritize projects will become paramount. CISOs will need to justify the projects they want funded, as boards and executives will scrutinize funding requests more closely.
Response: The easiest and most logical way to justify a cybersecurity project is by taking a risk-based approach. Understand the risk your organization is exposed to, and ensure that this assessment takes both vulnerabilities and threats into account. Be prepared to discuss it with boards and executives on a regular basis. Boards and executives will require a clear indication of the risk mitigated by each requested project, backed by threat information and the dollar value of that mitigation; this data needs to be made available regularly and kept current. Regular threat-based reporting and clear indicators of risk reduction will become a core part of a CISO’s reporting regime.
Challenge 4: Compliance Burden Remains – Compliance requirements such as privacy laws, the Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR) will not go away. With shrinking budgets, the challenge for CISOs will be to continue addressing these requirements alongside broader cybersecurity initiatives.
Response: Understand the requirements and focus on tools and technology that can address more than one control. Invest in technologies that allow you to do more with less. This is an extension of Challenge 2, and organizations must focus on getting the ‘best bang for their buck’. The privacy laws of various countries, in addition to existing regulations such as PCI DSS and GDPR, require the data in question to be identified and isolated, access to it strictly controlled, vulnerabilities managed, and encryption enabled both in motion and at rest. Organizations must invest in technology that can discover, segregate, cloak and encrypt data ‘on the wire’ in one hit, which will allow them to leverage every dollar by consolidating technology investment and management effort.
As we start to look forward to a post-COVID-19 world, CISOs need to start thinking about what that world will look like and begin addressing the challenges now. The four challenges I have outlined are key, and a plan to address them is a must for transformational CISOs.