Infosec Leader Postpones Transformation, Integrates Tools Amid Growing Recession Fears

As interest rates rise and profits dwindle in Canada and the United States, many CEOs are telling managers, including information security leaders, to cut spending. One of the latest is Patreon, a platform for content creators, where five of his 80 layoffs this month were from the application security team.

The company claims that application security is not compromised. But examples like this raise the question of what the Chief Information Security Officer (CISO) should do when told they need to cut their budgets.

It can consolidate the number of tools it handles and streamline some processes, said Tony Buffomante, global head of cybersecurity and risk services at Illinois-based Wipro.

“It’s not uncommon to have 60, 70, 80 tools. Vulnerability assessment tools, compliance tools, identity and access management tools, etc.”

Switching from best-in-class to a suite that offers more tools not only saves you money, but consolidates your log data, which can also help with reporting.

But IT security departments that don’t have good control over where all the tools and their data live “have a really hard time proving their worth right now,” he added.

To prepare for the ups and downs of business cycles, information security leaders need an agile operating model, Buffomante said.

“There are certain processes that organizations need to follow to stay compliant or reduce risk. We know that organizations with agile operating models can pivot those resources. We’ve taken the human element out of the equation 60% by implementing things like governance risk compliance technology that can automate and automate environmental and third-party assessments, and we’ve also redirected some of our spending to our most strategic business priorities ( (e.g. cloud implementations), and are reducing some of the low-risk activities.

“But that requires organizations to really know their most important assets, their most important assets, their most risky areas. could be adjusted.

Wipro is an international IT consulting and services company that surveys customer needs twice a year. “With the current headwinds, a topic that clients continue to have is how they should think about cyber investments.

“Our CISO and other security personnel are really struggling.”

“We are starting to see a bit of a slowdown in cyber transformation programs,” he added. “It is a concern for me because the pace of business continues to change. [and] The pace of technology adoption continues. What we want to see is that cyber program maturity continues to keep pace with the latest in business and technology. Otherwise, you expose yourself to undue risk.

“We’re not advocating for more budgets in these recessionary times. We’re advocating a balanced approach. [the organization] You can shift some of your security organization’s priorities to better align with your business strategy. This will “enable us to better articulate our return on investment in terms of risk reduction, increase customer confidence and potentially enter new markets.”

Forrester Research recently argued that security leaders respond to recessions differently depending on the type of organization they belong to: high growth, moderate growth, no growth, or negative growth (i.e., company revenues are declining). Did.

Forrester suggests that security leaders in high-growth companies should align their programs with customer orientation, and companies facing disruption should emphasize their values.

Security requirements and policies should be tied to customer and regulatory requirements, regardless of the state of the company, he adds. There are opportunities to consolidate security applications, such as outsourcing some functions.

However, some information security personnel may need to cut back. In that case, information security leaders need to see which services fit their business, add value, and cannot be eliminated, he said. A recommendation to the Board is required and the Board accepts that changes may be made at the expense of a higher level of risk.

Some of that could be mitigated by switching to lower cost managed service providers and automating some tasks.

The way layoffs are handled can cause “anxiety and frustration” among staff and increase insider threats, he added. This means IT staffs need to increase their monitoring for this type of threat. This is especially noticeable among staff with elevated access to the system.