Is the United States heading toward a recession? If we are, then profits will dip, and belts will be tightened while we wait for the government to turn things round. Most, but not all, businesses will survive; but all will be affected.
The big question is what CISOs, cybersecurity professionals and cybersecurity vendors should do to ensure they and their companies survive the turbulence.
Is a recession inevitable?
According to IMF director Kristalina Georgieva (January 2, 2022) contractions in the three major economies – the US, EU, and China – will drive a global recession during 2023. The UK will face a deeper and more prolonged recession than other major countries, but the outlook for the US is less clear.
Some pundits have claimed the US was in recession as long ago as summer 2022. Other business leaders say it is unavoidable during 2023. Jeff Bezos reportedly said, “The probabilities say if we’re not in a recession right now, we’re likely to be in one very soon. Take as much risk off the table as you can. Hope for the best, but prepare for the worst… The probabilities in this economy tell you to batten down the hatches.”
Elon Musk reportedly said, “My best guess is that we have stormy times for a year to a year and a half, and then dawn breaks roughly in Q2 2024. Hope for the best, prepare for the worst. Don’t get too adventurous. From a cash standpoint, keep the powder dry.”
But White House economic adviser Heather Boushey was quoted in Fortune (December 29, 2022) as saying, “We remain optimistic that we will be able to see the soft landing that we are looking for.” Governments must always talk up the economy, but there is a reason for her optimism.
Former Federal Reserve Bank of New York President William Dudley explained in an interview with Bloomberg on January 2, 2023, “A recession is pretty likely just because of what the Fed has to do. But what’s different this time I think is that if we have a recession, it’s going to be a Fed-induced recession and the Fed can end the recession by subsequently easing monetary policy.”
The government is risking recession by raising interest rates to curb inflation. If it gets its sums and timing right, it can reduce inflation and then end any consequent recession by relaxing the interest rate. That’s the theory.
The effect of a recession in 2023
The likelihood is that the US will have a recession during 2023 of indeterminate depth and indeterminate length – but it will almost certainly be less severe than elsewhere in the world. Nevertheless, it is important for cybersecurity professionals and cybersecurity vendors to plan for the effect of that recession.
For professionals, the effects will primarily be constrained budgets and insufficient staffing levels. The skills shortage will be exacerbated by a shortage of funds for new recruitment. Budgets are unlikely to be increased, and will most likely be maintained or reduced. At the same time, criminal and nation state adversarial activity will increase.
Nation state activity will increase because of the parlous state of geopolitics (rather than the recession), and the usual striving for economic advantage. Criminal activity will increase because of its growing ease through crime-as-a-service offerings, fueled by an increasing number of unemployed people seeking some form of income, laid-off employees leaving with company data, and efficient phishing campaigns playing on targets’ lack of money.
“Phishing emails encouraging people to apply for fake cost of living payments that mimic genuine government support packages are just one example,” suggests Zach Fleming, principal architect at Integrity360. “Cyber criminals will also be looking to take advantage by bribing employees to provide them with the credentials they need to breach a business,” he added. “These malicious insider threats are becoming increasingly common and pose a growing significant threat as people struggling financially may turn to APT groups to raise some extra money.”
“Downturns and bad economies create disgruntled people both internal and external, creating more exposure. Risk goes up not down,” adds Chris Morales, CISO at Netenrich.
“Ultimately, organizations will be looking to do more with less in 2023 – or more with the same, in many instances,” says Charles Talley, senior director of services at LogRhythm.
Cybersecurity vendors will likely be hit with lower sales. Larger companies with money in the bank will survive; but large cash-strapped companies may seek to merge with better-off partners, fueling the M&A market. Startups and early-stage companies with venture financing may be able to ride out the recession without needing new sales. Startups may be able to receive new venture funding – but will also be attractive acquisitions for larger companies looking for additional new technologies.
Mid-growth companies will suffer the most, with lower sales and difficulty in getting new or sufficient venture funding – but, again, they may become acquisition targets.
The effect on CISOs
There are two opposing views on the effect of a recession on CISOs and their security teams: ‘doom and gloom’, and ‘just another day in the ongoing struggles of the CISO’.
The former is well-voiced by Aaron Sandeen, CEO and co-founder of CSW, in an article published January 3, 2023, on Spiceworks. “If and when the recession does arrive,” he wrote, “we can predict what we’ll see. Cash-strapped organizations will pause hiring cybersecurity talent or cut existing security professionals. They’ll seek to trim the fat by eliminating expensive tools. They’ll demand IT professionals get more done with less. Crucial penetration tests will go unscheduled; vulnerability management will be ignored; important security decisions will be deferred or forgotten.”
The opposing belief is that CISO activity during 2023 may not change that much from 2022. Few CISOs have ever had as large a budget as they would like. And they are accustomed to working with fewer staff than they would consider optimal, if only because of the skills shortage. They have consequently adopted security strategies to cope with this reality – and it may be that to survive the recession, CISOs will primarily need to double down on what they are already doing rather than change strategies.
“The good news is the recession isn’t having that big an impact on our security budget and it’s business as usual,” explained Morales. “The bad news is that I always struggle with budget and business as usual just means continually figuring out how to do more work by augmenting existing talent to be more efficient and effective.
“We have a people problem in a good economy,” he added. “Operational scale has always been a problem. Bad economies do not change that.”
There are several technologies and methodologies that CISOs have been turning toward over the last few years – all with the intent to maximize efficiency while minimizing cost. These include attack surface management (ASM), automation (especially where augmented by AI), platform security, and migration to managed services.
ASM takes a risk management approach to concentrate mitigation on the most impactful vulnerabilities. It may be that more of the less serious vulnerabilities are ignored, but ASM used in conjunction with CISA’s KEV list can help focus security only where it is most needed. “Using a risk-based approach to security decision-making, rather than trying to address every potential threat, will help focus on the areas most likely to cause harm, and you can allocate resources accordingly,” suggests Darryl MacLeod, vCISO at Lares Consulting.
The marriage of automation and AI can be seen in EDR and other ‘detection and response’ models. AI can automatically detect intrusions and/or malware presence, and instigate an automatic system response. While many companies have that response set to ‘alert only’, this may be expanded first to automated isolation of suspect devices, and then to more complex automated responses.
A move toward platform security has been evident for a few years. A good platform security product can eliminate the waste of needlessly overlapping and redundant security tools, while eliminating gaps between different point products. This consolidation is likely to be spurred by a recession – but it won’t be limited to security controls.
Just as IT and OT networks are converging, so too will the IT and OT security teams. “It will no longer make sense for organizations to have separate teams for IT and OT security,” suggests Trevor Dearing, director of critical infrastructure solutions at Illumio.
But Mark Guntrip, senior director of cybersecurity strategy at Menlo Security, warns: “Be cautious about consolidating down to a very small number of vendors. It might be easier in terms of initial cost, but the compromise in security posture is inevitable. There is no vendor out there who is great at a wide range of security capabilities so you will have to decide where you’re willing to make concessions.”
Asked whether platform or automation will be the most important, Chris Vaughan, VP technical account management at Tanium, noted that many platforms include automation. “But if I had to choose,” he added, “I would say the platform because you can add the automation later.”
A migration toward managed services – especially among SMBs – has also been evident over the last few years. This approach solves several problems, such as staff shortages, skill shortages, and operational problems, in an economic manner. We may well see more companies moving to managed services, spurred by the recession.
“Lean IT teams will turn toward these services to fill internal skill gaps and help achieve organizational security goals, like improving maturity, unlocking 24×7 visibility and optimizing threat detection and response,” suggests Talley.
Finally, it is worth noting that CISOs may have to cope with another increase in remote working. This has been a growing trend for many years but was given a dramatic boost during the Covid-19 lockdowns. New impetus may come from a recession.
“Office costs are reduced – in terms of necessary floor space, heating in the winter and cooling in the summer,” said Vaughan. “Travel stipends can be eliminated — the cost of a season ticket from my home into London is around £5,000 [just under $6,000] per annum. And working time inevitably increases — it takes me just 10 seconds to walk from my bedroom to my home office.”
The good news for the CISO is that remote working is a problem already solved after Covid-19 – the blueprint already exists.
Conversations with business leadership
One certainty is that conversations between CISOs and the board will become more intense. During a recession, boards will be seeking to reduce costs – that’s their job. CISOs will be seeking to increase, or at least maintain, their budget – that’s their job. Somewhere, a consensus must be reached.
Over the last few years, boards have become more aware of the necessity for strong security. The CISO must prevent any backsliding – security is a necessary cost of doing business, not just a nice add-on.
The effect of a recession is painful during the recession; the effect of a major breach or ransomware that effectively becomes wiperware could be existential — or at the very least, its repercussions will last longer and be more painful than a passing recession.