Boardroom Guidance on Economic Downturns for Cybersecurity

Despite forecasting, cyber risk can come from anywhere, often far outside the control and oversight of an enterprise.

In recent times, we've seen what a risky business cybersecurity can be. COVID-19 increased cyber-risk exposure for many organizations as a result of the rush to transition to working from home. The conflict in Ukraine then raised many organizations' cyber-risk profiles further. In fact, 54 percent of private company directors indicated in the 2022 NACD Private Company Board Practices and Oversight Survey that Russia's invasion of Ukraine will have an effect on their cybersecurity programs and plans; 54 percent of public company respondents said the same. Now, economic conditions, including the threat of an economic slowdown or recession, are uniquely impacting cyber risk.

In each of these situations, cybersecurity teams and the policies and procedures they implement have had to adapt the cybersecurity control environment to a rapidly changing cyber-risk environment. In particular, economic forces introduce impacts on cyber risk and cybersecurity that are unique.

As economic uncertainty continues, and some private companies find themselves in a lesser financial position to invest in cybersecurity programs than public company peers, boards should bear in mind that the threat landscape shifts as insider threats rise. They should consider, too, that spending cuts in the wrong areas of cybersecurity can weaken cyber controls and increase risk disproportionately. Finally, systemic risk can increase unexpectedly from unknown control changes throughout a highly connected digital business system.

Focus on Cybersecurity During Economic Uncertainty

So, what kind of measures should business leaders and boards put in place when economic uncertainty hits?

Mitigate the risk of insider threats. During periods of economic uncertainty, employees and other connected individuals are both well-placed to control systemic cyber risk and a prime target for cyberattackers who double down on exploiting human weaknesses. Strengthening related cyber controls, such as through employee cyber training as well as behavior analysis and monitoring, might be an important step toward reducing this rise in insider risk.

Apply the law of diminishing returns (in cybersecurity). Every organization wants to protect the business value that is directly and indirectly derived from its digital business system. But as the amount of business value that is dependent upon the digital business system grows, corporate boards need to understand how external threats impact the risk to that value and assess whether their cyber controls are effectively aligned.

The economic concept of diminishing returns suggests that returns decrease with ongoing investments. It's a general principle that is also true from a cybersecurity perspective­, though not always. Generally, the level of returns from initial cyber-risk controls are higher than the returns from subsequent investments. This principle also reflects the reality that no business can be 100 percent secure from cyber risk.

However, this rule doesn't apply when cyber risk is not static, such as in the rise of insider threats during times of economic disruption. Strengthening cyber controls where risks are rising could warrant an increase in cybersecurity spending and deliver increased returns (that is, better security) to the entire system by significantly lowering risk from this new threat vector.

Prioritize cost-cutting and cost-control measures. Spending cuts in cybersecurity need to be carefully considered to avoid weakening the wrong cyber controls as risks could rise disproportionately. Instead, consider several strategic and tactical opportunities in cybersecurity spending during periods of economic turmoil, such as the following:

• Consolidating the tools used in cybersecurity can deliver cost savings without removing cyber controls. "Cybersecurity tool bloat" happens in every organization as solutions proliferate. Often, functionality from certain tools can begin to overlap as products evolve. Rationalizing and consolidating the cybersecurity toolkit can identify opportunities for cost savings that may not necessarily impact a reduction in cyber control levels.
• Outsourcing cybersecurity can also make use of the scale of a partner, both strategically and tactically, to avoid or mitigate the balancing act between cybersecurity spending and controls alignment and impact. Taking advantage of the scale of a partner in a cybersecurity managed service environment can also mitigate the diminishing or increasing return and risk issues in cybersecurity.
• Accelerating or prioritizing digital transformation initiatives and budgets that are focused on delivering long-term cost savings or efficiencies may be beneficial during times of economic uncertainty. Cybersecurity costs can benefit from earlier scrutiny of the cybersecurity implications of these projects. Implementing cybersecurity controls after the fact costs more than integrating cyber-risk assessments and planning within the projects as they progress. Prioritizing cybersecurity early in any digital initiative is a leading practice that is also cost effective.

It is important to remember that cybersecurity controls and procedures are part of a larger, complex system working to defend the business value that is dependent on the digital business system. Budget impacts on one part of the system can have implications throughout a highly connected digital business system, as external or third-party partners adjust their cybersecurity controls environment. This can inadvertently create additional risks that creative attackers could exploit with significant systemic impact across a connected ecosystem.

Costs, Controls, and Opportunities

Cybersecurity budgets fund a wide range of controls that work together systemically to protect the organization. This presents boards and organizations with a challenge when economic conditions require budget freezes, reallocations, or reductions.

Budgets in cybersecurity encompass the system of technical, physical, and administrative controls that the organization has implemented to reduce its cyber-risk profile. The board's approach to cybersecurity governance is also a part of every organization's cybersecurity control system. Directors need to remember that every organization is largely self-insured for the vast majority of economic loss that could occur from a cyber incident. The organization's cybersecurity budget represents its self-insured "cyber insurance premium" that establishes and maintains controls that reduce its cyber-risk exposure.

Just as reducing third-party cyber insurance premiums results in lower coverage levels from the cyber insurance carrier, cybersecurity budget cuts, or reductions in an organization's self-insured "cyber insurance premium," that is, the cybersecurity budget, can impact cybersecurity control procedures that can change the organization's overall cybersecurity posture and level of controlled risk.

To handle cybersecurity in times of economic crisis, business leaders and boards can do the following:

1. Increase cybersecurity spending to add further controls in areas where cyber risk is growing.
2. Consolidate cyber tools to maintain similar control levels at a lower cost.
3. Outsource cybersecurity to take advantage of or eliminate scale issues while providing stronger cybersecurity controls more cost effectively.
4. Raise the priority and profile of cybersecurity, alongside digital implementations focused on improving efficiency or reducing costs, to deliver a faster path to capturing new value.

Unintended cybersecurity consequences can occur if cybersecurity budgets are not strategically and tactically adjusted in a dynamic risk environment. Fortunately, cyber-savvy boards, together with their information security teams, can be empowered to deal with them by considering the suggestions above.

Bob Kress is a managing director at Accenture Security, where he is the cochief operating officer and the global lead for quality and risk.