Heading into 2023, the economic outlook looks gloomy and cybersecurity professionals will be faced with challenges that come with any business that is feeling the pinch.
There are multiple headwinds weighing on global economic prosperity and the International Monetary Fund has lowered its global growth forecast for 2023 to 2.7%, down from 3.2% in 2022.
The IMF has said this is the weakest growth profile since 2001, except for the global financial crisis and the acute phase of the COVID-19 pandemic.
“Due to the current uncertainty, businesses aren’t going to be making frivolous decisions when it comes to spending. And despite the growing need for it, this will include paying very close attention to cybersecurity budgets,” noted Amanda Finch, CEO of the Chartered Institute of Information Security.
Speaking to cybersecurity professionals in the industry, Infosecurity Magazine has explored what economic uncertainty means for cybersecurity, how to prioritize technology investments and why carrying out an audit of cybersecurity capabilities may be necessary.
Cybercrime in Uncertain Times
Financial gain is the main motivator for the vast majority of attacks and Daniel Dos Santos, head of security research at Forescout, noted that even during favorable economic climates, the number and impact of cybersecurity attacks were already increasing. Dos Santos expects these trends to continue regardless of the economic outlook.
“With that being said, there is an undeniable relationship between cybercrime and economic adversity (for instance, see the examples of banking Trojans in Brazil, scams in Nigeria and cybercrime in Russian-speaking countries). With many new opportunities in underground cybercrime markets, from ransomware affiliate programs to selling stolen credentials, not all those that fall into economic hardship will resist the temptation to make easy money,” he said.
Insider threats should also be considered, as Lisa Forte, partner at Red Goat Cyber Security, highlighted in a recent Infosecurity Podcast. She discussed recent research by US CERT that found that insiders faced some form of personal struggles before committing attacks. These could be financial difficulties, addictions or other personal issues.
With many people feeling financial pressures, those who would typically shy away from such behaviors may be more inclined to take a chance to make up any monetary shortfalls in their personal lives.
Finch noted that despite the scrutiny that will be felt over cybersecurity budgets, this does not mean that spending will definitely be reduced – in fact, increased risk may well result in increased investment.
Mark Guntrip, senior director of cybersecurity strategy at Menlo Security, added: “Value is more important than cost and companies need to make sure that in cutting costs they aren’t lowering security and therefore expanding potential exposure.”
Making Cybersecurity Priorities
There is no shortage of new technologies, solution enhancements or upgraded products for cybersecurity professionals to invest in to tackle the multitude of challenges they face on a daily basis.
“This is the time when companies need to prioritize doing the basics well rather than investing in shiny new things,” noted Dos Santos, adding that it is better to ensure asset inventory is covered and basic cyber hygiene is employed – such as patching, hardening and segmentation – for all devices on the network.
“It's better to do the basics well and leave no blind spots on the network than to try to invest on really advanced projects for a part of the network and leave the rest behind,” he said.
Meanwhile, Rob Demain, CEO at E2E-Assure, cautioned against looking for “silver bullet” solutions and instead advised businesses to “knuckle down and focus on ensuring they maximize the outcome of every pound or dollar spent on cyber. Improve the effectiveness of key threats, such as ransomware and email compromise, rather than attempting to cover everything at once.”
Guntrip said, based on Menlo Security’s findings, there is now a shift away from traditional detection technology in the security stack back to a preventative approach.
Time for an Audit
Cutting waste, removing tools that duplicate each other and identifying unnecessary technology can be carried out in an audit of existing capabilities.
Demain noted that this can allow organizations to cut down on the costs of cyber technology licenses and renewal builds. “Businesses can do this by taking a more threat led approach (i.e., what threats are top of our list and prioritizing their spend on these),” he said.
He also observed that a “surprising amount of cyber spend can go towards simply paying your security provider to host a copy of your logs. Security providers should be linking to your existing technology and leveraging it.”
Guntrip also highlighted removing or reducing adjacent technologies as a means of offsetting costs.
“But be cautious about consolidating down to a very small number of vendors. It might be easier in terms of initial cost, but the compromise in security posture will be inevitable. There is no vendor out there who is great at a wide range of security capabilities so you will have to decide where you’re willing to make concessions,” he warned.
Dos Santos said cybersecurity practitioners should also consider if technology is deeply integrated into a security ecosystem. He noted that some security tools form the basis of a security operations center and should integrate with everything else on the system.
“These tools tend to provide the most value and therefore are hard to replace. On the other hand, tools that operate in silos and do not play well with others can often be dismissed more easily,” he said.
Finally, Demain emphasized that cost certainty is crucial. “Businesses need to look at how to fix costs and control them. Consider fixing costs through outsourcing – managing cyber services internally like SOCs is expensive and these costs can be reduced and fixed by outsourcing.”
Working with the Business
Cybersecurity is not restricted to SOCs and CISOs and impacts the entire business. Finch noted that in 2023, cybersecurity teams will need to justify any expenditure, and how it will benefit the wider business.
“To adapt to this, cybersecurity departments will have to ensure that their plans are thought out and strategic – and show that they have contingencies in place for any outcome,” she said.
“In order to communicate this, security will also need to ensure it can talk to other business units on their level – making sure finance, HR and other departments understand business risk; including levels of risk, what risks are and aren’t acceptable, and how best to mitigate them,” she noted.
Finch highlighted that for these plans to be successful, security will have to coach employees to reduce, recognize and react to threats; including staging mock attacks to make the risks clear.
“Executing this properly demands more than just technical skills; security teams also need the “soft skills” necessary to teach, manage and communicate with their co-workers at all levels. Recognizing these skills, and either training the right people or hiring them in, is both an essential part of 21st-century security best practice, and critical for security to justify its actions in 2023,” she concluded.