The senior leadership team of your organization just announced there will be a five percent cut in staff levels across the board. At the same time, the organization is growing, regulation and compliance obligations are increasing, and threat actors have no intention of hanging up their keyboards. Unfortunately, it happens. What’s most important is what you do next.
Before starting the journey toward downsizing, make a final pitch to keep current staffing levels. In my October 2, 2023, blog post, “Moving Past Fear: How to Gain Support for Your Cybersecurity Program,” I provide some recommendations for communicating the value of your cybersecurity program. Now is the time to pull out all the stops. There is no guarantee, but you may end up unscathed or with smaller targets.
Left with no other options than to cut, senior cybersecurity and risk management leaders know that reduced staffing levels do not correspond to reduced responsibilities.
People First
Spending cuts are a gut punch to morale. As a senior cybersecurity leader, your duty is to the organization, but the focus should now shift toward maintaining calm among your teams. Ideally, there will be a message from senior organizational leaders stating the company is strong, but adjustments are needed to align with the business environment. At the department level, leaders must reinforce this message and provide the necessary assurance that the remaining team is valued and necessary. Small-group, casual settings away from the office are best, as long as the conversation stays professional. Negative talk about the business or other employees only fosters animosity. Instead, focus on the future and emphasize new opportunities for the department and individual team members.
Control Creep
While your organization is “right-sizing,” so too must your risk management practices, and addressing control creep is a good place to start. Control creep is common in organizations with mature risk management systems. Over time, controls are brought online after an incident or audit finding. They are created, assigned, and monitored, but the original conditions that required the control ceased to exist months or years ago. Just like anything else, resolving them requires a risk-based approach. Start by identifying low-impact risk controls with a higher cost to maintain. These are often so-called legacy controls that fall into the bucket of “We’ve always done it this way.”
Evaluate each low-impact risk control as follows:
- Is the control mitigating a current, realistic and practical risk?
  - If no, propose the control be removed.
  - If yes, propose accepting the risk or avoiding the risky activity.
- Does the mitigation require a specific piece of software or service?
  - If yes, can it be handled in-house with scripts, log hooks, etc., to save the service or licensing costs?
- Is the control applied manually?
  - If yes, consider automating the control if it can be achieved without increasing costs.
- Will changes to the control result in actual savings?
  - If no, move to the next low-impact risk candidate.
Also consider non-technical controls like the internal audit function. Changing the frequency or scope of internal audit can be an effective way to reduce resource requirements; for example, changing the frequency of a full audit from semiannually to annually. Alternatively, identify and prioritize critical controls to assess on a more frequent basis and assess low-impact risk controls less frequently.
Once you have a few low-impact risk candidates that will result in savings, tabulate the total of all the potential savings including software, service, and personnel costs. The next step should be a risk/benefit discussion with senior IT leaders and/or a risk committee. The final decision should be carefully documented in a risk assessment and potential changes recorded in the risk register.
Managing Change
“The devil is in the details,” they say, and this is especially true for changes relating to cyber-risk. Just because you’ve been given a mandate to cut staff doesn’t mean the organization expects any less. Continuity is king, so during the transition it’s essential that documentation be created and maintained for the processes conducted by the exiting staff. It’s a good operational practice to have some cross-training in place if it doesn’t create any issues with segregation of duties (SoD) and that investment really pays off when there are significant personnel changes. Leverage resources in other departments, if possible, to help maintain SoD or implement dual control for high-risk processes.
Any amount of change will have some turbulence, so it’s important to reflect periodically to ensure business goals are still being met. In addition to regular change management checkpoint meetings, set aside time at least every quarter to revisit the most significant changes. Is risk being effectively addressed according to the organization’s risk appetite? Did the anticipated savings materialize? It’s likely that some changes will be less effective than expected. A healthy organizational culture rewards occasional failure as part of the natural course of business. What’s most important is that something is learned through the process of failure and a repeat performance is avoided.
If you would like to know more about ways to manage your cybersecurity program effectively and efficiently, please contact me.