CISOs can use the following five strategies to preempt any cost cuts — by demonstrating that they are not “just cost centers”!

According to Forrester’s January 2023 trend report on navigating this year’s downturn(s), security leaders surveyed consistently indicated that growing revenue and improving customer experience were their top two business objectives. Why?

Because those security leaders now understand and support how businesses make money. Yet boards, executives, and many of their peers still see security as a cost center.

So, how can security and risk leaders demonstrate security as a critical link to business resilience during an economic downturn? Here are five key actions gleaned from the surveys…

    1. Help your Board three perspectives clearly
      The three perspectives are:

      • Cybersecurity spending drives revenue, and cuts to the security program directly affect relationships and requirements with three key constituencies: customers, insurers, and regulators.
      • Today’s customers will not trust — or do business with — firms that are seen to have weak security of their data. Instead, they will turn to competitors.
      • Cyber insurance carriers will refuse coverage or raise premiums, and regulators will remove your firm’s ability to sell into specific markets if your cybersecurity posture falls below a certain threshold.

      This is where CISOs can defend existing security budgets by quantifying the investments in those security controls — and how much revenue is generated from the systems that those controls protect.

    2. Show how you secure what you sell
      Just as your firm is under downturn pressures to review security and risk management investments, your corporate customers’ security teams are relying on your firm to not be part of supply chain risks. This works both ways across entire business ecosystems.

      Therefore, to increase customer loyalty and retention, your security team has to do more to improve customer experience and help assure your customers’ security teams:

      • Prioritize security projects that drive the top line and increase customer stickiness, such as bot management solutions that improve customer experience. Automate processes like security questionnaire responses and software bill of materials generation to give customers what they need before they ask for it.
      • Emphasize investments that your firm has made to reduce product infrastructure costs and enable you to pass savings on to customers.
      • Inform all customers of the steps your firm has taken to thwart costly application attacks, including such initiatives as monitoring for denial-of-wallet attacks in serverless functions’ minimizing bot fraud; and keeping an eye on bug bounty program costs.
    3. Gather support and influence from your peers
      Now is not the time to focus only on just security aspirations: instead, focus on key corporate objectives and ensure your security initiatives demonstrate traceable alignment. Take the time now to schedule regular meetings with peers across functions to stay current on their challenges, security needs, and points of friction. From there, develop joint initiatives that further corporate objectives and provide services, resources, or assistance in the form of partial funding or staffing and friction remediation efforts.

      This ethical politicking will not only help make funding or resource allocation discussions more amicable in the immediate term, but will extend goodwill toward security into the future, when you may need internal allies and evangelists to push through policy or process changes.

    4. Volunteer to stop backfills
      Given the perennial shortage of security talent, it is unlikely CISOs will be asked to make deep cuts to the staff strength. However, to preempt any attempts and justifications — and potentially save jobs from cuts in other functions, volunteer to refill job vacancies (‘backfilling’) in the near term.

      While no leader wants to ask an already overwhelmed team to do more with less, finding ways to stave off filling vacancies can reduce costs now to minimize the need for involuntary cuts in the future.

      To pull this off requires excellent communication and management skills when explaining to your team why these roles will stay vacant:

      • It can be part of succession planning, associated upskilling, and job shadowing initiatives to incentivize those that stick around
      • Be sure to offer an expected duration for the hiring freeze. Explain that no one expects them to perform their old responsibilities, and the new ones they absorb, at the same level as before
      • Work with internship programs to bring on cost-effective cybersecurity apprentices to relieve the additional pressure and create a pipeline of experienced talent ready to go when the freezes can be lifted
    5. Keep your partner ecosystem intact
      After two years of extending third-party ecosystems to bolster resilience, you may be tempted to consolidate existing technology, services, and other partner relationships. However, although cutbacks in this area may appear to be a practical cost-saving strategy, overcorrection in key areas such as cybersecurity, risk, and compliance could increase concentration risk, expose firms to disruption, and severely affect your operations like at the onset of the pandemic.

      Economists estimate that modern recessions last for 10 months. It is critical that security and risk pros consider the time it takes to fully onboard a strategic supplier — typically six months or more — so they do not miss out on opportunities when the economic pendulum swings in the opposite direction.

According to the firm’s analysts, CISOs must make tough choices for, and possibly cuts to, their security programs. It is also a time for CISOs to strengthen influence, generate goodwill, and dispel the perception of security as cost center by relieving downturn-induced burdens placed on customers, partners, peers and affected teams.