When faced with economic disruption, organizations may look to business functions that are usually considered cost centers, including cybersecurity, as an opportunity for cost reduction. Whether CFOs look to cutting roles altogether or restructuring information security and IT departments, it is vital for an organization to approach this carefully with risk-informed decisions that counterbalance the need to reduce costs.
Without a risk-based approach, organizations could face regulatory or legal fines for insufficient protection of data or systems containing sensitive data, breaches resulting in serious financial and/or reputational loss, and pervasive culture shifts that de-emphasize the importance of cybersecurity for years to come. Instead, CFOs should look to approaching their cyber programs from a threat-informed risk perspective, prioritizing people, processes and technology spend that provides the greatest return on investment, and specifically protecting the organization’s most critical assets.
Depending on your organization’s maturity, conducting a threat-informed risk or “crown jewels” assessment to identify the most critical assets, data, and systems may be the logical first step in making the appropriate informed decisions for a shifting cybersecurity strategy. Building upon this perspective, organizations should apply industry-leading frameworks to identify the core capabilities and services needed to maintain the necessary level of security. Services and resources that fall outside of these critical areas should then be reallocated to allow the cybersecurity team to focus on what matters most in a time of limited resources. Doing so will also create a solid foundation for evolving the future of the program and strategy when economic situations improve. Based on these assessments, CFOs should look to their IT and security leaders to advise them on how best to restructure the cybersecurity tool stack to better reflect the new strategies and priorities, or return to business as usual.
Organizations should look at times of extreme change or disruption as an opportunity to catalyze a leaner, more efficient strategy and introduce more collaborative ways of thinking by:
- Leveraging cyber expertise to enable business functions and operational efficiency
- Building security into solutions instead of applying it retroactively
- Providing increased awareness so that all employees can serve as a first line of cyber defense
This more efficient use of resources poises your organization to have a strengthened security posture and more strategic and impactful evolution of capabilities in the future when resources are less scarce.