Where to Focus Security Resources Mid- and Post-Pandemic

By Steve Durbin, CEO of the ISF

Business leaders will inevitably need to make difficult decisions with implications for budgets, resourcing and program prioritization. However, this is not the time to cut security budgets and put business protection initiatives on hold.

Steve Durbin, CEO of the ISF

Release from COVID-19 lockdowns across the globe will be complex and drawn-out with several ‘false starts,’ resulting in restrictions being re-imposed. Fears of a further outbreak and reluctance to return to the office will cause delays to resuming normal operations.

As CISOs and other business leaders reflect on their efforts to keep the business running, the next phase – adapt – presents another set of challenges. It is a critical time for organizations that will determine their long-term recovery and future success. As organizations adjust to a new operating environment, the CISO’s role in resuming normal business operations remains vital. As a function leader tasked with protecting the organization’s information assets and technical infrastructure, CISOs need to understand board-level concerns. This involves taking a business view, which relies on close engagement with business leaders and other senior stakeholders. The task ahead is now greater than ever before.

Many circumstances remain outside the control of the organization, but where possible, CISOs need to accommodate the business requirements both inside the organization (e.g. operations, workforce and technology) and beyond (e.g. suppliers, business partners, regulators, customers and even the public). Against this backdrop, a unique situation has arisen for the CISO. Unlike many other functions where the nature of the work has shifted, the workload and expectations for the security function have dramatically increased. While new risks have emerged and are receiving prompt attention, CISOs must also keep existing risks within acceptable levels – all while the organization’s risk profile continues to change, forcing the board to re-evaluate its risk tolerance.

Applying established risk management principles will act as a strong guide during these difficult times. Good risk management will enable meaningful engagement with business leaders on key issues such as:

•           Prioritizing business assets for protection

•           Profiling threats

•           Reducing exposure of assets

•           Estimating financial loss

Business leaders will inevitably need to make difficult decisions with implications for budgets, resourcing and program prioritization. However, this is not the time to cut security budgets and put business protection initiatives on hold. CISOs play a pivotal role in helping business leaders make informed decisions about risk. Although a great deal of focus and attention is directed towards supporting and protecting an organization during a time of significant disruption, proactive CISOs are already pursuing opportunities and planning for the future.

Whether budgets increase or decrease, risk management and security functions will need to prepare for long-term cost savings, redirection of investment and process efficiencies. The results of these and related benefits will need to be demonstrated to business leaders and stakeholders. Risk management will play a pivotal role in the success of organizations as they resume normal operations.