By Jacob Ansari, National PCI Practice Leader at Mazars
With a looming economic downturn and major tech companies undergoing layoffs, organizations are seeking ways to cut costs and minimize investments as expenses rise and demand slows. Many organizations may regard security as a prime area for budget cuts, but in reality, making those cuts would be a major strategic error.
Security and privacy programs are integral to modern business operations, no less than finance, product teams or IT. Regarding them as extraneous or suitable only for favorable economic conditions ignores 1) present threats, 2) ever-increasing regulatory and contractual obligations for maintaining security and privacy programs and 3) the rise of threats to information assets and data during periods of economic volatility.
Without yielding to fear or paranoia, one can reasonably say that the array of threats to organizations (i.e., their information assets, systems, reputation and overall health) has never been greater. Threat actors such as ransomware operators will target companies or other organizations merely because those targets are vulnerable, not necessarily because they represent targets of choice, further exemplifying the need for resilient cybersecurity programs.
Security teams have an increasing array of responsibilities, such as protecting remote workforces, complying with new privacy requirements and securing diffuse IT estates that span third parties and cloud services. Further, many organizations that share data with third parties or use third parties to manage their IT systems find themselves victimized by criminals who attack those third parties, as customers of SolarWinds, Kaseya, Kronos/UKG and numerous other service providers learned over the past few years.
Scale and speed of threats keep increasing
The fundamentals like promptly installing software updates, securing remote access, minimizing privileged access or making use of multifactor authentication have remained relatively constant over the last several decades. But the scale and speed at which defenders need to apply these controls have increased due to factors like software complexity, remote and web-based attack surfaces and complex arrays of user entitlements.
Most security and leadership teams are already significantly overtaxed, and a recent survey shows that burnout is one of the top risks for CISOs; reducing security teams or other resources further exacerbates existing challenges.
The role of regulation
Prioritizing security to protect an organization and its customers and business partners has always been the right thing to do from a strategic business perspective. Even when not subject to security or privacy regulations or laws, companies have faced increased scrutiny and penalties from government agencies, such as the Federal Trade Commission (FTC), for security incidents that disclose personal data.
Recent FTC enforcement actions against entities like Drizly or Chegg have resulted in consent decrees requiring mandatory security program implementation and regular independent verification for several years. In 2023, several US states will see new privacy laws take effect, which will affect many businesses that process personal data.
Further, even non-EU businesses that process the data of people in Europe are subject to the General Data Protection Regulation (GDPR). In 2022, a significant number of financial penalties were levied against large businesses that violated GDPR rules, even when no security incident had exposed anyone's personal data.
Many organizations lack a foundational privacy program
While deeply interconnected, security and privacy domains have significant distinctions in expertise and function, and many organizations lack even a foundational privacy program. Failure to invest in these necessities puts organizations further at risk as more jurisdictions require meaningful privacy efforts.
In an adverse economic climate, the need for security functions only grows, in proportion to both the increase in attacks and the potential for harm to businesses and other organizations. Facing a possible recession, businesses may need to take fewer risks in order to suffer less harm, and stretching already taxed security resources works against that principle.
Further, in adverse economic climates, the need for trust and assurance only increases between business partners – as do efforts to demonstrate security practices, such as compliance validation, security assessment or penetration testing. Because of this, a willingness to invest in such efforts, for example obtaining a SOC 2 audit or verifying GDPR compliance through Europrivacy, could pay significant dividends in winning new business or deepening existing client relationships.
A willingness to undergo an independent verification effort demonstrates a measure of trustworthiness to existing and potential business partners or customers. But such a verification requires significant efforts to create the controls and programs needed to obtain that verification and demands the necessary priority from company leadership.
The prospect of a recession or other economic downturn will have an adverse effect on most organizations, and many are already preparing for these hardships. It may be reasonable to expect reduced levels of investment or expansion, but organizations that regard their security function as a cost center or extravagance may make a significant strategic error by curtailing or reducing these efforts.
The risks to the organization remain or, if anything, increase in times of uncertainty. The safe play is to clearly and effectively mitigate risks to data security and privacy, just as one might mitigate other business risks.
Jacob Ansari is the National PCI Practice Leader at Mazars in the U.S. and has more than 20 years of experience performing security assessments, application security reviews, penetration testing and forensic examinations, as well as extensive work with advisory bodies and task forces advancing payment security.
Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.