Business conversations about resilience usually relate to financial resilience or balance sheet strength. But when talking about IT resiliency, it’s important to understand exactly what it is and why it’s important to maintain it in an economic downturn.
Security and resilience are related concepts, but they are not the same. Cybersecurity is more functional and involves protecting things like data, applications, and critical infrastructure. Resilience is transformative, enabling organizations to bounce back when disaster strikes. It’s about developing people, processes, technology and budgets to withstand systemic shocks to the business so you can continue to do business and serve customers, partners and employees.
In terms of IT, resilience is an organization’s ability to remain operational when standard cybersecurity measures fail. IT resiliency is not focused on putting out small fires. Rather, it focuses on larger risks that could plague companies over the long term. For example, a team that lacks resiliency may not train non-technical staff on security awareness or may not have an efficient process for patching software, which are among the main causes of cyber attacks.
To build resiliency, IT leaders must develop a fundamental understanding of the business, how it drives revenue and serves customers. With an understanding of business drivers, you can prioritize and invest in preparation for the most critical talent, technology, operations, materials, and processes.
What should security teams focus on in the face of fluctuating market conditions?
Again, it’s all about understanding your business drivers – how your company makes money and serves its stakeholders. Even something as simple as keeping the lights on is very important to running a business.
This requires pragmatic leadership that emphasizes a tiered service catalog based on strategy versus an all-or-nothing approach. A one-year, five-year, and ten-year business roadmap is a simple framework for organizing long-term and short-term goals. For each destination, find out where IT fits in and how you can create value across departments. Infosec should be viewed as a business enabler – train teams and attribute investments in infosec to business outcomes.
Once your department has a roadmap, you’ll know which technologies and services are critical and which may be taking up unnecessary space in your department’s budget.
After all, changing market conditions don’t have to be a time for IT to sit back and be a cost center, but a revenue driver. So use the downturn to find specific areas for innovation and come out stronger.
In times of tight cybersecurity budgets, what should organizations do? And how can IT teams maintain best-in-class security standards while staying on budget?
The human component is still a challenge for IT security managers. And for those who did manage to get their hands on top talent, they quickly realized it was short-lived. IT security professionals have a high turnover rate, with the average CISO working full-time less than three years, and maybe less for junior staff.
Top security talent is not only short-lived, it’s also expensive. Of course, a CIO needs to deliver different results and add talent as needed. But to make room for leaner times, talent is a critical area for evaluation. Whenever possible, IT leaders should hire inexperienced people who can learn alongside the managerial roles—and they could bring interesting new perspectives.
Additionally, IT leaders can look inward instead of investing in external talent. Proceed across departments and create a feedback loop that continuously provides information on risks. By proactively aligning with marketing, finance, product teams, and others, organizations can promote proper cyber hygiene and develop a security-centric culture.
Where can companies start to reduce their technology/security costs? What mistakes do leaders typically make when trying to cut costs?
The most effective security investments tend to eliminate threats before they emerge. Knowing that no system is completely secure, IT security teams tend to overinvest in detection tools and software when in reality these tools often only add complexity.
So the question is not whether there is waste, but how much? Which tools have been on the shelf for a long time or are underused? Start by auditing the tools in your arsenal to tell you what created value and what’s dead.
Then focus on improving your software security. IT should proactively work with software teams to create a continuous feedback loop and ensure high-level security. As every business transforms into a SaaS company in some form, security needs to be adapted to be embedded in the software, and that starts with better collaboration.
In conclusion, I would argue that many infosecurity mistakes are the result of not understanding your most important assets and data. Not all data is created equal, so part of effectively allocating resources is knowing not only the types of security systems you need, but also where to deploy them. This is where it’s best to create a tiered framework to stratify the business from most to less critical across talent, technology, operations, suppliers and processes.
Anudeep Parhar is Chief Information Officer at Entrust.