How information security breaks the classic IT model

CEO: “Due to complications in the market with unexpected changes in products and customer expenses, we are going to announce a 20% cut in personnel, expenses and capital projects for the rest of the year.”

CIO: “Does that include all my departments and platforms?”

CEO: “Yes, if demand for our products is falling, our spending on IT resources should be reduced.”

CIO: “If we decide to reduce IT services and the market comes back, it will cost us more money to increase resources once the market comes back.”

CEO: “Our stocks will be affected in the morning. Let me know once the cuts are in place.”

Many of us who work in IT know this scenario; it is not an uncommon reality. When a business hits a recession, the result is the “peanut butter knife”: finance poised to spread budget cuts evenly across departments with little regard for the long-term implications. Within IT, of course, this becomes an even more complex problem.

Hackers and cybercriminals also read the news. They know which organizations have suffered financial setbacks. Many hacker groups will even reach out through social engineering to find out whether anyone in IT or SecOps knows that layoffs are coming. If an organization announces any change in financial status, expect an increase in attack vectors, coordinated attacks against its systems, and cybersecurity attacks against its employees.

IBM’s annual Cost of a Data Breach study found that a single data breach could cost a company up to $3.29 million, a 12 percent increase from the cost of breaches in the previous year. That $3.29 million, even with cyber insurance, is still a significant blow to the organization’s bottom line. The CISO should be the ultimate authority when it comes to reducing cybersecurity operations, staff, and budgets. If the CEO requires a 20% reduction across the organization, reducing security only puts the company at risk of a breach that could have a far greater financial impact than a drop in sales.

Once the cost of a breach is taken into account, the need for a transformation model makes more sense than we might think.

As a technology sales professional for nearly 26 years, I have found that the fastest way to close a deal is to tie your product or service to a group within the customer’s organization that has need, budget and relevance. Will your solution solve the business problem within the budget allocated for the specific project? Does this project carry equal priority for the CIO and the business group requesting the solution? What is the risk to the corporate consumer if the platform has multiple vulnerabilities and potential exploits? Does the technology producer have the resources to maintain operating technology expectations even during budget cuts?

In simple terms, we define the business group as the “consumer” of the technology and IT as the “producer”. One group consumes the technology while the other is the enabler. A company with 4,000 employees needs centralized content management, a supply chain portal, and a sales/commission system. IT works with technology providers to develop these platforms and enable consumers to leverage them for their business needs.

Based on the dialogue between the CEO and the CIO, if the company mandated a reduction in its expenses and headcount, reducing the number of licenses by 20% would meet this budget reduction requirement.

How does information security fit into the producer/consumer model? In some cases it does, in several ways:

  • a. Number of consumers requiring multi-factor authentication for zero trust access
  • b. Number of endpoints required to have EDR/XDR security
  • c. Number of users required to receive patch and service pack updates
  • d. Number of endpoints that require backup for compliance

These information security areas align well with the 20% reduction requirement.

However, what about the rest of the information security capabilities? This is where the dialogue about redefining information security as a utility for the corporation, rather than as a member of the IT department, starts to make more sense.

IT and building maintenance are both focused on ensuring everything is working and ready to use, whether it is the HVAC system or the network infrastructure. When a corporation decides to locate a new office in a new city, facilities works with leaders to define the size of the business, the power/cooling requirements, the number of parking spaces, etc.

Once the facility is complete, IT learns the size of the data center, the number of employees, the expected power/cooling and network requirements, and the WiFi expectations. Once the network teams, together with App Dev, deploy the network, the other elements, including information security, begin to enable their solutions.

Following the same business model as facilities, information security teams, separate from IT, design the same parameters ahead of IT to ensure that all critical infrastructure systems, including network, applications, and users, meet corporate security standards long before the technology-producer group deploys anything.

Examples of information security utility models

  • Information security sets specific mandates on how the network must be built to comply with ISO 27001, PCI-DSS, NIST-800, Fedramp, etc.
  • Information security requires approved routing, VLAN, and network segmentation protocols.
  • Information security mandates that EDR/XDR endpoint security must be implemented before it is consumed by the end user.
  • Information security enforces all rules and processes around all remote access before any services have been enabled.
  • Information Security offers its utility layer services in line with network and application equipment.

The new independent information security department model aligns well with organizations that have embraced the DevOps model. Information security becomes a traveler through various scrums throughout product development. Information security brings its approved frameworks to the various sprints to help ensure governance and compliance are built into the fabric.

While this line of thinking is not new, the idea of equivalent corporate alignment between the chief information security officer and the chief information officer, even when it comes to budgeting and cross-billing models, helps take information security out of the equation of classic budget cuts and reductions. Even with staffing and cost reductions, the organization must maintain maximum protection.

Organizations that have successfully moved information security to a separate department can now take advantage of threat modeling as a unified audit and compliance workflow. With each sprint within the agile model, the threat modeling element includes:

  • Point-in-time penetration testing
  • Continuous vulnerability scanning
  • Composite risk score update
  • Remediation prioritization, along with automatic retesting

Separation of duties between SecOps, NetSecOps and DevOps is achieved and supported by the threat modeling audit and compliance workflow.

Many in business still believe that “sales runs the company” or “engineering and product run this place.” Yet getting hit by a significant cybersecurity event will have a significant impact on sales and on trust in the product. Arguably, cybersecurity “should be the top priority of companies.”

In the new world we live in, cybersecurity is the company’s brand, its culture and the safeguard of its data. The information security department and its C-level position should stand on the same footing as the other C-levels, not as a footnote in the budget line.

My best wishes,
