As the U.S. economy shows signs of slowing, cybersecurity resource cuts threaten teams’ ability to fight increasing threats. Before you cut your security budget, consider how previous crises played out. Make a plan that right-sizes both the economic and technological risks for the upcoming quarters.
How Economic Conditions Affect Cybersecurity
Prior to the disaster of the pandemic and the follow-on turmoil in the economy, there was a massive talent gap in cybersecurity. These crises didn’t make things any better. In 2022, the number of unfilled U.S. cybersecurity jobs was estimated to be over 400,000.
As businesses prepare for what is likely to be a recessionary environment in the latter half of 2023, hiring freezes and budget cuts are on the horizon. Companies will be asking security teams to do more with (even) less.
In March, HackerOne surveyed companies and found that despite the fact that half of organizations were seeing an increase in system vulnerabilities, 39% of companies had already made security headcount cuts. And 40% plan to make cuts in the next 12 months.
Backing up these survey results, a report from GitLab showed that 85% of security leaders say they have the same or less budget than in 2022.
Why would having the same budget as in 2022 be an issue? A flat budget is a cut in real terms: staffing costs, licensing costs and the volume of attacks all rise, so the same dollars buy less coverage. And as usual, cyber criminals are keen to exploit misfortune and mistakes. They see recessions and other crises as an opportunity.
Crises = Opportunity for Hackers
During past crises, the FBI reported massive increases in cybercrime. The 2008 recession, triggered by the lending crisis, resulted in a 22.3% increase in complaints to the Internet Crime Complaint Center (IC3). Financial losses in 2008 were reported at $265 million. The number ballooned to $559 million in 2009. The first year of the pandemic yielded 300,000 more complaints to IC3 than the year prior, with phishing scams, non-payment/non-delivery scams, and extortion topping the list of reported crimes.
If we are truly entering a recession, keep in mind that scammers and hackers will find any and all ways to exploit businesses and individuals when they are at their lowest. Companies must balance their need for budget cuts with the heightened risk of costly data breaches and other incidents. The cost of the average data breach in 2023 is $5 million. Any money saved on staffing will be quickly consumed by a single breach of that size.
News of cybersecurity layoffs can also diminish trust in your organization. If your cuts are likely to make news, be prepared to explain how your organization will continue to keep customers and partners safe in the course of doing business. If your security reputation is harmed by layoffs, you may also find it hard to hire high-quality staff for other departments.
Judicious Cost Savings
Dire warnings aside, there are ways to save money on cybersecurity. If cuts are necessary, make it a priority not to burn out the staff who remain; a thinly staffed team that is also exhausted misses alerts and makes the configuration mistakes attackers rely on.
As more employees work from home, focus limited investment on the security of your remote-access applications and the infrastructure behind them. Hackers are waiting to pounce on misconfigured systems and untrained employees.
If you’re in the business of writing software or developing any product that lives online, security should be integrated into your entire process. Consider evolving your DevOps team into a DevSecOps team. A cross-functional team ensures that the software development life cycle always includes security. Integrating security early prevents costly rework: a flaw found in design or code review costs a fix, while the same flaw found after release costs an incident response, a patch cycle and possibly a breach disclosure.
Another way DevSecOps helps companies run lean is the integration of machine learning and artificial intelligence into testing efforts. Not all companies have embraced this way of working, despite the cost efficiencies.
AI and ML augment human staff, freeing them from busy work to focus on mission-critical tasks. Automation can help with patch management, vulnerability management, SOC alert triage, and gap/compliance management. Chatbots, machine learning, smart algorithms, and natural language processing can be integrated into processes to free staff for other work. One caveat: the cheapest and most reliable wins are usually deterministic automation (dependency and configuration scanning, automated patch rollout, scripted evidence collection for audits). ML-driven tooling needs tuning, and an untuned tool generates false positives that consume the analyst time it was meant to save.
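The following is a minimal version of the kind of automated gate a DevSecOps pipeline relies on, added here as an example; it is not code from the original post or from Asylas. It checks a pip-style requirements manifest against a vulnerability advisory list at pull-request time and fails the build on findings at or above a chosen severity, which is the "early integration" that avoids rework after release. It also covers the vulnerability-management automation mentioned above, using plain automation rather than machine learning. All inputs are constructed: the manifest, the package names and the EXAMPLE-* advisory identifiers are invented, and the advisory list stands in for a real feed such as OSV.

```python
"""Dependency-vulnerability gate for a pull-request pipeline.

Added example for this post, not code from the original page or from
Asylas. All data below is constructed: the manifest, the package names
and the EXAMPLE-* advisory identifiers are invented and are not real CVEs.
In a real pipeline the advisory list would come from a feed such as OSV
and the gate would run on every pull request.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10), so versions compare numerically.
    Comparing the raw strings would wrongly rank '1.2.10' below '1.2.9'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # hypothetical identifier, not a real CVE
    package: str            # lower-case package name
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet
    severity: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


# Constructed advisory feed (three invented entries).
ADVISORIES = [
    Advisory("EXAMPLE-2023-0001", "fastjsonlib", "2.0.0", "2.4.1", "high"),
    Advisory("EXAMPLE-2023-0002", "imgtools", "1.0.0", None, "critical"),
    Advisory("EXAMPLE-2023-0003", "fastjsonlib", "1.0.0", "1.9.0", "medium"),
]

# Only exact numeric pins ('name==1.2.3') can be checked against version
# ranges; anything else (ranges, pre-releases) is reported as unpinned.
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9]+(?:\.[0-9]+)*)$")


def parse_manifest(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({package: version}, [unpinned requirement lines]) from a
    pip-style requirements file. Comments and blank lines are ignored."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)   # e.g. 'imgtools>=1.0' cannot be checked
    return pinned, unpinned


def gate(manifest: str, fail_on: str = "high") -> dict:
    """Evaluate a manifest against ADVISORIES.

    The build fails if any finding is at or above `fail_on` severity, or if
    any requirement is unpinned (an unpinned dependency can silently drift
    to a vulnerable version after the gate has run)."""
    pinned, unpinned = parse_manifest(manifest)
    findings = []
    for name, version in pinned.items():
        for adv in ADVISORIES:
            if adv.package == name and adv.affects(version):
                findings.append({
                    "package": name, "version": version,
                    "advisory": adv.advisory_id, "severity": adv.severity,
                    "fixed_in": adv.fixed,
                })
    threshold = SEVERITY_ORDER.index(fail_on)
    blocking = [f for f in findings
                if SEVERITY_ORDER.index(f["severity"]) >= threshold]
    return {
        "findings": findings,
        "unpinned": unpinned,
        "passed": not blocking and not unpinned,
    }


# Constructed requirements file for the demonstration.
SAMPLE_MANIFEST = """\
# requirements.txt (constructed sample)
fastjsonlib==2.3.0
imgtools==1.4.2
netclient==3.0.0
"""

if __name__ == "__main__":
    report = gate(SAMPLE_MANIFEST)
    for f in report["findings"]:
        fix = f["fixed_in"] or "no fix available; remove or replace"
        print(f"{f['severity'].upper():9} {f['package']}=={f['version']} "
              f"{f['advisory']} (fixed in {fix})")
    for line in report["unpinned"]:
        print(f"UNPINNED  {line}")
    print("PASS" if report["passed"] else "FAIL: fix before merge")
```

Run it as a pre-merge step; the same pattern extends to container images or infrastructure manifests by swapping the parser. Failing on unpinned requirements is deliberate: a gate that waves through `package>=1.0` gives no guarantee the next rebuild will not pull in a vulnerable release, and the severity threshold lets a lean team block only what it can act on while still recording lower-severity findings.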
Consider consolidating security services. Vendors (like Asylas) can provide end-to-end solutions that are flexible according to your needs, taking the place of an internal team or FTE and lowering the costs of staffing overhead.
A recession that results in private sector layoffs may finally help to close the talent gap in the government. Private companies usually have an easier time hiring because they are able to offer candidates higher salaries. Private sector employees generally earn 14% more than their public sector counterparts.
It’s possible that as private sector companies tighten their purse strings in accordance with market forces, the government will come out the winner. Public sector jobs are less influenced by macroeconomic factors, and the government is adjusting its policies to help fill positions that are critical to national security.
In March, the Defense Department released its long-awaited cybersecurity workforce strategy. The document outlines a plan to identify, recruit, and retain a more efficient defense cyber workforce. Just as a possible recession is becoming a reality, the government plans to focus on remote work flexibility. And “potential flexibility” around security clearances is aimed at improving recruitment and retention. The new plan also offers a mechanism for a part-time network of “surge support” based on emergent needs. If you are laid off from a private sector job due to the recession, government work may be your savior.
Cybersecurity resource cuts in the latter half of 2023 will expose new and existing vulnerabilities in public and private sector security. Smart organizations will plan carefully to mitigate the risks of diminished budgets and increased malicious activity.