So far, 2023 is shaping up to be yet another volatile and difficult year. Companies across sectors — with a particular concentration in high tech — are shedding jobs and slashing costs to weather the next 12 months. Given the perennial skills and staffing shortage in security, it’s unlikely that CISOs will be asked to make deep cuts to their organisations — but they won’t be entirely immune to spending cuts if the downturn endures.
CISOs now need to get ahead of any belt-tightening efforts by demonstrating that they’re operating as prudent financial stewards of capital. They must use this period of austerity (performative for shareholders or otherwise) to reinforce security as a core competency that drives growth and protects revenue by relieving downturn-induced burdens placed on customers, partners, and peers.
Our new report, Navigating the 2023 downturn: security and risk, provides recommendations to help you disabuse executives of the notion that security is merely a cost centre, including the following:
Show how you secure what you sell. To increase customer loyalty and retention, prioritise security projects that drive the top line and increase customer stickiness, such as bot management solutions that improve customer experience; that automate processes, such as security questionnaire responses and software bill of materials generation, to give customers what they need before they ask for it; and that emphasise investments that reduce product infrastructure costs and enable you to pass savings on to customers.
Volunteer to stop backfilling roles. You can potentially save jobs from cuts in other functions by not backfilling departures on your team in the near term. This reduces costs voluntarily and minimises the need for future involuntary cuts.
But doing this with a likely already-understaffed team requires excellent communication and management skills when explaining why these roles will remain vacant in the near term. To relieve the additional pressure and create a pipeline of experienced talent at the ready when the hiring freeze lifts, partner with regional nonprofits to bring on cost-effective cybersecurity apprentices.
Don’t consolidate your partner ecosystem. Although cutbacks in this area may appear to be practical, overcorrection in key areas such as cybersecurity, risk, and compliance could increase concentration risk and severely disrupt your operations, similar to what many firms experienced at the onset of the pandemic.
Consider in your decision-making the time it takes to fully onboard a strategic supplier to ensure that you don’t miss out on opportunities when the economic pendulum swings back to growth.
The 2023 downturn has been on our minds for some time, starting last summer when the reaper came for cyber unicorns. Here are some additional resources to help you navigate — and optimise your security program:
Planning Guide 2023: security & risk. CISOs must balance managing budget, staffing, and technology challenges with maintaining trust with customers and employees, all while geopolitical events and technology disruption continues to fuel a highly sophisticated and evolving threat landscape.
Merritt Maxim and members of the Forrester security and risk research team provide spending benchmarks, insights, and recommendations to future-proof your security investments to keep you on budget while simultaneously mitigating the risks facing your organisation.
How to use zero trust to defend against cyberattacks through an economic downturn. Zero Trust initiatives provide business value by improving security, breaking down departmental silos, and improving the employee experience, all without expensive new tools.
Allie Mellen and several Forrester security and risk analysts outline how security leaders can refocus efforts on Zero Trust in the event of an economic downturn to improve security posture, control costs, and increase influence.
Prepare your application security program for an economic downturn. Security leaders with a strategy for tightening or even reducing application security spending will be in a credible position to defend the areas of the application security budget that can’t be cut without increasing business risks.
Janet Worthington and Sandy Carielli provide insights on where application security budget trade-offs can be made.
Additionally, stay tuned for our annual “Top Recommendations For Your Security Program” report. Jeff Pollard, Forrester executive partner David Levine, and others will lay out important considerations for CISOs as they endeavor to protect their businesses, their budgets, their teams — and themselves.
First published on Forrester Blog
