Could a lack of investment in cybersecurity in 2020 due to overall company budget cuts see a company go backwards in its security capabilities? We often see companies spend what is necessary to improve maturity and lessen the success of a future attack, but is that enough to keep security at an acceptable level?
Speaking to Infosecurity, Eric Friedberg, co-President of Stroz Friedberg, cited research he had conducted with CISOs on issues around cybersecurity. This had helped him establish the point that CISOs understand that an uptick in cybercrime in 2020 means that it’s dangerous to go backwards on security by failing to have enough budget for security investment.
As a result, he claimed many companies are making judgments about pausing or cutting these projects (individually or cumulatively), whilst cybercrime budgets in harder-hit sectors such as healthcare and oil and gas are also not exempt from cuts.
At the same time, he said a number of CISOs are guarding against cuts to outsourcing of critical functions for which highly skilled personnel are typically needed. These include threat hunting, incident response, security strategy, defining security controls and security monitoring.
Asked how he conducted the research, Friedberg said it mostly began as “long conversations with CISOs” whilst he was on assignments, and he saw cuts being made.
In particular, in a large energy company he said there was financial pressure due to falling oil and gas prices, with the cybersecurity budget affected. “If cuts need to be made, how do we do this in a way without going backwards on cybersecurity?” he asked, saying a common theme was when to pause or cut projects, and what the impact of being less secure could be.
He claimed that, at a high level, CISOs are looking at the worst-case scenario where projects are not advanced, but are considering where cutting or pausing them may not result in measurable backwards movement.
Where a company is trying to achieve savings through a major transformation such as a cloud-first strategy, he admitted it can look good on paper because of the cost savings, but while it is easy to see that you’re saving money, the saving is “premised on the idea of not doing everything perfectly.”
Friedberg cited the issues that outsourcing can bring, such as being reliant on third-party threat hunting. “Once you’re fiddling with critical projects or complex projects at scale, the execution risk is to not go backwards, and this is premised on superb execution and the presumption that external services are as good as the people you’re using,” he said.
He explained that companies are typically on a three-year cybersecurity assessment cycle, so if they want to know whether they are going backwards, “they need to keep a close eye to measure implementations.”
Does the concept of going backwards mean that the use of evolving technology is not adopted? He cited a 2017 assessment of a company in the industrial control space he was involved in conducting, and when it came to a reassessment in 2020 “technology had advanced so much in three years that it had not kept up and gone backwards by doing nothing.”
Friedberg said this was an example of how a company can go backwards when nothing has changed, especially when nothing changing is combined with an increase in ICS attacks, “so the threat level is higher.”
In conclusion, has 2020 been a year that has had any positives in his view? He looked back at 2014 and 2015, where there were a number of breaches and some resulted in CEOs and CISOs losing their jobs, so five years on some “companies can say they are in terrific shape.” He has seen companies make investments, and those who made “incremental investments are ahead of the curve.”
On the other side, some have “not done much and they are those you see getting [hit by] ransomware” as there is a low level of maturity: they often do not have advanced malware detection, password vaulting or URL filtering, “and so attackers rip through.” This does, however, tend to lead to the CISO getting budget after the attack.
He said one thing he has found is that, if an attack is significant enough for the board to be aware of it, the board finds money for security afterwards, and occasionally CEOs and boards “get very irritated with seeing that there has not been as much progress as they thought there was.”