Board guidance for cybersecurity in a down economy

Despite forecasting, cyber risk can come from anywhere, often far outside the control and oversight of an enterprise.

In recent times, we’ve seen what a risky business cybersecurity can be. COVID-19 increased cyber-risk exposure for many organizations as a result of the rush to transition to working from home. The conflict in Ukraine then raised many organizations’ cyber risk profiles further. Now, economic conditions, including the threat of an economic slowdown or recession, are uniquely impacting cyber risk.

In each of these situations, cybersecurity teams and the policies and procedures they implement have had to adapt the cybersecurity control environment to a rapidly changing cyber-risk environment. In particular, economic forces introduce impacts on cyber risk and cybersecurity that are unique.

As economic uncertainty continues, and some private companies find themselves in a lesser financial position to invest in cybersecurity programs than public company peers, boards should bear in mind that the threat landscape shifts as insider threats rise. They should consider, too, that spending cuts in the wrong areas of cybersecurity can weaken cyber controls and increase risk disproportionately. Finally, systemic risk can increase unexpectedly from unknown control changes throughout a highly connected digital business system.

Focus on cybersecurity during economic uncertainty

So, what kind of measures should business leaders and boards put in place when economic uncertainty hits?

Mitigate the risk of insider threats

During periods of economic uncertainty, employees and other connected individuals are both well-placed to control systemic cyber risk and a prime target for cyberattackers who double down on exploiting human weaknesses. Strengthening related cyber controls, such as through employee cyber training, behavior analysis, and monitoring, might be an important step toward reducing this rise in insider risk.

Apply the law of diminishing returns (in cybersecurity)

Every organization wants to protect the business value that is directly and indirectly derived from its digital business system. But as the amount of business value that is dependent upon the digital business system grows, corporate boards need to understand how external threats impact the risk to that value and assess whether their cyber controls are effectively aligned.

The economic concept of diminishing returns suggests that returns decrease with ongoing investments. It’s a general principle that is also true from a cybersecurity perspective, though not always. Generally, the level of returns from initial cyber-risk controls are higher than the returns from subsequent investments. This principle also reflects the reality that no business can be 100 percent secure from cyber risk.

However, this rule doesn’t apply when cyber risk is not static, such as in the rise of insider threats during times of economic disruption. Strengthening cyber controls where risks are rising could warrant an increase in cybersecurity spending and deliver increased returns (that is, better security) to the entire system by significantly lowering risk from this new threat vector.

Prioritize cost-cutting and cost-control measures

Spending cuts in cybersecurity need to be carefully considered to avoid weakening the wrong cyber controls as risks could rise disproportionately. Instead, consider several strategic and tactical opportunities in cybersecurity spending during periods of economic turmoil, such as the following:

• Consolidating the tools used in cybersecurity can deliver cost savings without removing cyber controls. “Cybersecurity tool bloat” happens in every organization as solutions proliferate. Often, functionality from certain tools can begin to overlap as products evolve. Rationalizing and consolidating the cybersecurity toolkit can identify opportunities for cost savings that may not necessarily impact a reduction in cyber control levels.

• Outsourcing cybersecurity can also make use of the scale of a partner, both strategically and tactically, to avoid or mitigate the balancing act between cybersecurity spending and controls alignment and impact. Taking advantage of the scale of a partner in a cybersecurity managed service environment can also mitigate the diminishing or increasing return and risk issues in cybersecurity.

• Accelerating or prioritizing digital transformation initiatives and budgets that are focused on delivering long-term cost savings or efficiencies may be beneficial during times of economic uncertainty. Cybersecurity costs can benefit from earlier scrutiny of the cybersecurity implication of these projects. Implementing cybersecurity controls after the fact costs more than integrating cyber-risk assessments and planning within the projects as they progress. Prioritizing cybersecurity early in any digital initiative is a leading practice that is also cost effective.

It is important to remember that cybersecurity controls and procedures are part of a larger, complex system working to defend the business value that is dependent on the digital business system. Budget impacts on one part of the system can have implications throughout a highly connected digital business system, as external or third-party partners adjust their cybersecurity controls environment. This can inadvertently create additional risks that creative attackers could exploit with significant systemic impact across a connected ecosystem.

Costs, controls, and opportunities

Cybersecurity budgets fund a wide range of controls that work together systemically to protect the organization. This presents boards and organizations with a challenge when economic conditions require budget freezes, reallocations, or reductions.

Budgets in cybersecurity encompass the system of technical, physical, and administrative controls that the organization has implemented to reduce its cyber-risk profile. The board's approach to cybersecurity governance is also a part of every organization's cybersecurity control system. Directors need to remember that every organization is largely self-insured for the vast majority of economic loss that could occur from a cyber incident. The organization’s cybersecurity budget represents its self-insured “cyber insurance premium” that establishes and maintains controls that reduce its cyber risk exposure.

Just as reducing third-party cyber insurance premiums results in lower coverage levels from the cyber insurance carrier, cybersecurity budget cuts, or reductions in an organization's self-insured “cyber insurance premium,” that is, the cybersecurity budget, can impact cybersecurity control procedures that can change the organization's overall cybersecurity posture and level of controlled risk.

To handle cybersecurity in times of economic crises, business leaders and boards can do the following:

1. Increase cybersecurity spending to add further controls in areas where cyber risk is growing.
2. Consolidate cyber tools to maintain similar control levels at a lower cost.
3. Outsource cybersecurity to take advantage of or eliminate scale issues while providing stronger cybersecurity controls more cost effectively.
4. Raise the priority and profile of cybersecurity, alongside digital implementations focused on improving efficiency or reducing costs, to deliver a faster path to capturing new value.

Unintended cybersecurity consequences can occur if cybersecurity budgets are not strategically and tactically adjusted in a dynamic risk environment. Fortunately, cyber-savvy boards, together with their information security teams, can be empowered to deal with them by considering the suggestions above.

About Accenture

Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialized skills across more than 40 industries, we offer Strategy and Consulting, Technology and Operations services and Accenture Song — all powered by the world’s largest network of Advanced Technology and Intelligent Operations centers. Our 721,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries. We embrace the power of change to create value and shared success for our clients, people, shareholders, partners and communities. Visit us at www.accenture.com.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter, LinkedIn or visit us at accenture.com/security.