WEBVTT 1 00:00:00.540 --> 00:00:02.250 Anna Delaney: Hi, I'm Anna Delaney with Information 2 00:00:02.250 --> 00:00:06.240 Security Media Group. Economists have been predicting a downturn 3 00:00:06.240 --> 00:00:09.690 for months, but economic signs are still mixed. While 4 00:00:09.690 --> 00:00:12.750 employment remains strong in many sectors, tech companies 5 00:00:12.750 --> 00:00:15.960 have announced major layoffs and cutbacks. But what about 6 00:00:15.960 --> 00:00:19.680 spending on cybersecurity? We asked someone following the market 7 00:00:19.680 --> 00:00:24.060 closely, venture Capitalist Alberto Yepez about his outlook 8 00:00:24.090 --> 00:00:25.290 for 2023. 9 00:00:26.040 --> 00:00:28.440 Alberto Yépez: So the good news is security is one of those 10 00:00:28.440 --> 00:00:31.350 sectors that I wouldn't say is completely protected, but at 11 00:00:31.350 --> 00:00:35.760 least, it's not getting impacted and budgets are not necessarily 12 00:00:35.790 --> 00:00:40.110 down, they're staying the same or increasing maybe an eight to 13 00:00:40.110 --> 00:00:42.360 10%, not the 20% increase. 14 00:00:42.780 --> 00:00:45.300 Anna Delaney: Yepez advises fans to follow the mantra of 15 00:00:45.300 --> 00:00:50.160 Microsoft CEO Satya Nadella in announcing layoffs of 5% of 16 00:00:50.160 --> 00:00:53.850 Microsoft's workforce, that it's time to do more with less. 17 00:00:54.630 --> 00:00:57.480 Alberto Yépez: Any technology, any automation will be well 18 00:00:57.480 --> 00:00:59.970 received. And we're willing to invest in order to do more with 19 00:00:59.970 --> 00:01:02.880 less. So I think that's the model that even entrepreneurs at 20 00:01:02.880 --> 00:01:04.470 all sizes need to be able to do that. 21 00:01:05.250 --> 00:01:07.500 Anna Delaney: With that being said, we spoke with four chief 22 00:01:07.500 --> 00:01:10.890 security officers in a broad range of industries about how 23 00:01:10.890 --> 00:01:14.940 they would do more with less. Quentyn Taylor of Canon Europe, 24 00:01:15.210 --> 00:01:18.540 George Finney of Southern Methodist University, Niamh 25 00:01:18.570 --> 00:01:22.920 Muldoon of Fenergo, and Marcin Szczepanik of Essar Oil. From 26 00:01:22.920 --> 00:01:26.490 those candid conversations, we've compiled a list of 10 tips 27 00:01:26.520 --> 00:01:29.820 for belt tightening in the current economy. A recurring 28 00:01:29.820 --> 00:01:33.570 theme was managing growing portfolios of security tools, 29 00:01:33.810 --> 00:01:36.930 which leads to the number one tip: Look for ways to 30 00:01:36.930 --> 00:01:38.910 consolidate security tools. 31 00:01:39.360 --> 00:01:43.080 George Finney: We're taking a hard look at a lot of the tools 32 00:01:43.080 --> 00:01:48.090 that we use. You know, this happens all the time anyway in 33 00:01:48.090 --> 00:01:52.140 cybersecurity, right? Some tools, you know, come out, and 34 00:01:52.140 --> 00:01:56.310 they're awesome right out of the gate. Other tools, maybe they 35 00:01:56.310 --> 00:01:59.670 got acquired by other companies, and, you know, aren't as good as 36 00:01:59.670 --> 00:02:04.080 maybe they used to be. Sometimes you see companies get acquired, 37 00:02:04.080 --> 00:02:08.490 and they increase the price by 2 or 3x because they think they 38 00:02:08.490 --> 00:02:11.700 can get away with it. So all of those things, you know, from an 39 00:02:11.700 --> 00:02:16.950 economic perspective, they're really forcing us to, I think, 40 00:02:17.070 --> 00:02:21.180 take a hard look at our entire security program. And gosh, I 41 00:02:21.180 --> 00:02:24.570 think we're probably going to be replacing, you know, a quarter 42 00:02:24.600 --> 00:02:30.330 of all the tools that we use to both kind of save money and 43 00:02:30.390 --> 00:02:31.890 really become more effective. 44 00:02:31.920 --> 00:02:34.890 Marcin Szczepanik: I know quite a few organizations that have 45 00:02:35.040 --> 00:02:39.300 hundreds of tools. But how many of them do they actually 46 00:02:39.300 --> 00:02:42.660 utilize? And that's the question that you need to ask yourself 47 00:02:42.660 --> 00:02:45.750 when you're looking at your own maturity, do you use your tools? 48 00:02:45.750 --> 00:02:50.040 Can you use them better? No, can you integrate them better? And 49 00:02:50.040 --> 00:02:53.250 who will use that information provided by those tools? 50 00:02:53.790 --> 00:02:56.820 Niamh Muldoon: Often in smaller organizations, your technology 51 00:02:56.820 --> 00:03:00.750 team is your security team. They're combined together. And 52 00:03:00.750 --> 00:03:06.510 so it's supporting them with single resources to monitor, 53 00:03:07.170 --> 00:03:10.350 have visibility monitoring, and management from the security 54 00:03:10.800 --> 00:03:15.510 side applied. And a lot of organizations struggle when they 55 00:03:15.510 --> 00:03:20.160 move toward the cloud on maintaining that single view of 56 00:03:20.160 --> 00:03:24.750 data and systems. And the best way to enforce that is through 57 00:03:24.750 --> 00:03:30.000 single sign-on, being very specific around how technology 58 00:03:30.000 --> 00:03:35.520 assets are to be accessed, and how to be protected from a 59 00:03:35.520 --> 00:03:38.490 multi-factor authentication perspective. 60 00:03:39.540 --> 00:03:42.240 Anna Delaney: Our second tip relates to budget cuts that may 61 00:03:42.240 --> 00:03:46.110 be out of the CISOs' control. The IT organization, a prime 62 00:03:46.110 --> 00:03:49.080 candidate for cutbacks, particularly in the wake of 63 00:03:49.080 --> 00:03:53.520 large-scale migrations to cloud. Our number two tip: Be prepared 64 00:03:53.520 --> 00:03:56.280 for vulnerabilities in IT operations. 65 00:03:56.730 --> 00:03:58.260 Quentyn Taylor: The cybersecurity organizations 66 00:03:58.260 --> 00:04:00.900 themselves, I don't think they're going to be so badly 67 00:04:00.900 --> 00:04:04.290 impacted. But where the danger comes is when the operational IT 68 00:04:04.290 --> 00:04:08.310 teams start to have their belts tightened and maybe you start to 69 00:04:08.310 --> 00:04:11.850 see things that you just took for granted, such as patching 70 00:04:12.090 --> 00:04:18.480 being at 99.99%, maybe it'll be at 99.9 or 98%. Security teams 71 00:04:18.480 --> 00:04:20.520 might be sitting there quite happily saying, "Our budgets 72 00:04:20.520 --> 00:04:22.920 haven't been cut, we're all okay." But actually, it's the 73 00:04:22.920 --> 00:04:25.410 operational IT teams that you might want to keep an eye on to 74 00:04:25.410 --> 00:04:28.830 say, are they still able to deliver the same level of 75 00:04:28.830 --> 00:04:32.220 quality that you would expect. If they've got two people less, 76 00:04:32.220 --> 00:04:35.370 or if they've been told not to recruit people, if they go on a 77 00:04:35.370 --> 00:04:38.760 hiring freeze, you can then very easily have a situation where 78 00:04:39.030 --> 00:04:42.150 they haven't finished applying the last set of patches by the 79 00:04:42.150 --> 00:04:45.240 time the next ones come through, that maybe they're not able to 80 00:04:45.240 --> 00:04:48.090 apply the same level of diligence to firewall change to 81 00:04:48.090 --> 00:04:51.780 decommissionings to migration. So you end up with firewall 82 00:04:51.780 --> 00:04:55.320 rules left in place, pointing at places that they shouldn't be 83 00:04:55.320 --> 00:04:56.040 pointing at. 84 00:04:56.280 --> 00:04:58.710 Anna Delaney: Next, a number of smaller organizations are 85 00:04:58.710 --> 00:05:01.800 already relying on managed security vendors to handle 86 00:05:01.800 --> 00:05:05.460 various aspects of security operations. The number three on 87 00:05:05.460 --> 00:05:09.690 our list, Finney, chief security officer at SMU, a private 88 00:05:09.690 --> 00:05:13.530 college in Dallas, Texas, says it may be time to renegotiate 89 00:05:13.530 --> 00:05:16.440 contracts with your managed services vendors. 90 00:05:16.890 --> 00:05:19.080 George Finney: For example, when you're talking about a SOC 91 00:05:19.080 --> 00:05:22.830 vendor, they're able to help you come in and do incident 92 00:05:22.830 --> 00:05:28.770 response, or a paring down of your logs even. And, I think, 93 00:05:28.800 --> 00:05:32.340 you know, we're definitely having success finding partners 94 00:05:32.970 --> 00:05:35.910 that have skin in the game, right? So, you know, it's not 95 00:05:35.910 --> 00:05:39.480 just that I'm paying a bill or/and you know, trying to maybe 96 00:05:39.480 --> 00:05:42.720 reduce spend or consolidate vendors. It's really about 97 00:05:43.140 --> 00:05:48.090 creating a partnership, where the partner coming in can help 98 00:05:48.090 --> 00:05:52.170 improve my overall security. And by doing that, they make my 99 00:05:52.170 --> 00:05:57.690 program more effective. But also, their costs go down. One 100 00:05:57.690 --> 00:06:00.720 of the biggest cost centers in security is just capturing all 101 00:06:00.720 --> 00:06:04.530 of the logs that you need to, and managing all of those flows, 102 00:06:04.530 --> 00:06:07.890 right? So that, again, is one of those sources, that's, I think, 103 00:06:07.890 --> 00:06:13.170 really ripe for cost reductions, especially with the way that the 104 00:06:13.170 --> 00:06:16.710 storage has gone down and cost so much lately, whereas, you 105 00:06:16.710 --> 00:06:19.710 know, a lot of those licensing costs or management costs have 106 00:06:19.710 --> 00:06:22.380 stayed the same or gone up, in some cases. 107 00:06:23.220 --> 00:06:25.968 Anna Delaney: No matter how sophisticated your defenses are, 108 00:06:26.028 --> 00:06:29.733 you're only as secure as your weakest partner. Next tip on our 109 00:06:29.793 --> 00:06:33.438 list: Quentyn Taylor, senior director of information security 110 00:06:33.498 --> 00:06:37.143 at Canon Europe. Number four: Take a hard look at your supply 111 00:06:37.203 --> 00:06:38.100 chain partners. 112 00:06:38.550 --> 00:06:40.110 Quentyn Taylor: People presenting at conferences are 113 00:06:40.110 --> 00:06:43.080 the people who have the budgets, who have the money, who can 114 00:06:43.080 --> 00:06:45.690 afford to go, "Hey, look what I developed and what I got budget 115 00:06:45.690 --> 00:06:48.540 for and what I spent, isn't this great?" So you tend to then 116 00:06:48.540 --> 00:06:51.600 completely forget about this whole sector of society who are 117 00:06:51.600 --> 00:06:54.900 not at this exact same level. And this is really worrying 118 00:06:54.900 --> 00:06:58.050 because ignore those people at your peril, because they form 119 00:06:58.050 --> 00:07:02.460 part of your supply chain. They form part of your supply chains' 120 00:07:02.490 --> 00:07:07.170 supply chain. Their machine, their systems can be used to 121 00:07:07.170 --> 00:07:10.680 attack you and your supply chain. So, even if you've got 122 00:07:10.680 --> 00:07:13.680 these small companies where you go, "Well, if they go bust, if 123 00:07:13.680 --> 00:07:15.660 they have problems with their security prompts, that's not 124 00:07:15.660 --> 00:07:19.500 going to affect us." No, but their infrastructure can be used 125 00:07:19.500 --> 00:07:23.160 to attack you. So I really do believe in starting to look at 126 00:07:23.160 --> 00:07:25.710 your supply chain and your supply chain's supply chain and 127 00:07:25.710 --> 00:07:28.890 start to work out how can I take some elements of our education, 128 00:07:28.890 --> 00:07:32.130 some elements of our information and start to pass it down the 129 00:07:32.130 --> 00:07:35.790 chain to hopefully for the good of society, improve their 130 00:07:35.790 --> 00:07:36.840 information security. 131 00:07:37.050 --> 00:07:39.360 Anna Delaney: Another major threat comes from within, your 132 00:07:39.360 --> 00:07:42.330 employees who are being bombarded by phishing emails, 133 00:07:42.450 --> 00:07:47.310 and a variety of scams. Muldoon, CISO at software vendor Fenergo 134 00:07:47.400 --> 00:07:51.270 shares number five: Now's the time to double down on cyber 135 00:07:51.270 --> 00:07:52.410 awareness training. 136 00:07:53.490 --> 00:07:55.680 Niamh Muldoon: I guess people think security is all around the 137 00:07:55.680 --> 00:07:59.220 latest and greatest technology tools. That is not the case. As 138 00:07:59.220 --> 00:08:03.240 I said, it's about people, processes and technology, and 139 00:08:03.240 --> 00:08:08.340 thinking about clever ways of integrating security first into 140 00:08:08.340 --> 00:08:12.240 everybody's day-to-day roles and recognizing people who 141 00:08:12.240 --> 00:08:16.290 demonstrate and live security first in those roles. And it's 142 00:08:16.290 --> 00:08:20.160 not necessarily about huge financial rewards, it is about 143 00:08:20.160 --> 00:08:26.700 recognizing them. True. A thank you, and how they've 144 00:08:26.700 --> 00:08:30.570 demonstrated security first, celebrating that, and the most 145 00:08:30.570 --> 00:08:33.780 obvious places to do that is maybe at your company, all 146 00:08:33.780 --> 00:08:41.970 hands, and at your celebrations to social and sporting outings, 147 00:08:41.970 --> 00:08:42.690 etc. 148 00:08:43.679 --> 00:08:45.989 Anna Delaney: Security leaders advise applying some of the 149 00:08:45.989 --> 00:08:49.109 lessons learned from the early months of the pandemic to budget 150 00:08:49.109 --> 00:08:52.979 planning. Szczepanik, CISO at Essar Oil, which supports the 151 00:08:52.979 --> 00:08:56.219 aviation industry, fell the impact immediately in March 152 00:08:56.249 --> 00:08:59.909 2020, when global travel abruptly stopped and flights 153 00:08:59.909 --> 00:09:03.389 were canceled. At the same time, ransomware attacks were rising 154 00:09:03.419 --> 00:09:08.189 at alarming rates. His response is number six on our list: Focus 155 00:09:08.189 --> 00:09:10.589 on incident response and resiliency. 156 00:09:11.160 --> 00:09:14.700 Marcin Szczepanik: So most of the budgets were put on hold and 157 00:09:14.700 --> 00:09:20.070 we had to still take some extra measures to survive. I couldn't 158 00:09:20.070 --> 00:09:25.110 invest into all this, you know, state-of-the-art AI-driven tools 159 00:09:25.110 --> 00:09:29.490 because there was just no budget for that. But I did invest into 160 00:09:29.490 --> 00:09:34.890 my time and my people at the time. So training them and being 161 00:09:34.890 --> 00:09:39.120 more proactive in spotting any threats was something that saved 162 00:09:39.120 --> 00:09:44.130 us. I also did a lot of sessions around the other departments, 163 00:09:44.130 --> 00:09:47.610 you know, making them more aware what to look for, what to avoid, 164 00:09:48.120 --> 00:09:53.130 and why cybersecurity mattered in those difficult times. Final 165 00:09:53.130 --> 00:09:56.580 thing that didn't cost us a lot was looking at the incident 166 00:09:56.580 --> 00:10:01.380 response plan. So we redesigned it completely, we did several 167 00:10:01.410 --> 00:10:06.240 tests of that incident response plan. And that also prepared the 168 00:10:06.240 --> 00:10:14.010 business for what may be like if the threats become real. The 169 00:10:14.010 --> 00:10:18.750 incident response plan that we developed covered not just IT, 170 00:10:18.780 --> 00:10:23.400 it also covered OT, but also key departments from the entire 171 00:10:23.400 --> 00:10:27.300 organization. So we were trying to look at what possibly would 172 00:10:27.300 --> 00:10:30.990 be required if we had a major compromise. And that involves 173 00:10:30.990 --> 00:10:34.950 things like legal teams, communication departments, HR, 174 00:10:35.160 --> 00:10:40.200 finance and to an extent, the top board members, if we had to 175 00:10:40.200 --> 00:10:44.550 make that decision on either paying random or shutting the 176 00:10:44.550 --> 00:10:47.310 business down, whatever the consequences could be. Other 177 00:10:47.310 --> 00:10:50.550 leaders, when they look at it, they think it's very complex. 178 00:10:50.580 --> 00:10:54.210 And it could be something that is not achievable. But what I 179 00:10:54.210 --> 00:10:58.950 would say nothing in life is perfect. And you just need to 180 00:10:58.950 --> 00:11:02.580 get on with it and do it. And once you do it, you will learn 181 00:11:02.580 --> 00:11:05.280 from what you could have done better and you will improve it 182 00:11:05.280 --> 00:11:05.910 next time. 183 00:11:06.780 --> 00:11:09.270 Anna Delaney: So what if you do have budget to spend on 184 00:11:09.270 --> 00:11:12.900 security? Where do you invest it? A tip number seven: 185 00:11:12.930 --> 00:11:16.500 Szczepanik recommends beefing up your email defenses. 186 00:11:17.100 --> 00:11:19.800 Marcin Szczepanik: I think that if the very first thing that I 187 00:11:19.890 --> 00:11:23.160 looked at with those limited resources was the email, you 188 00:11:23.160 --> 00:11:27.840 know, email is still 90% responsible for all your attack 189 00:11:27.840 --> 00:11:32.820 vectors. So we did quite significant work on upgrading 190 00:11:32.850 --> 00:11:36.810 our email security, but not just buying it, reviewing every 191 00:11:36.810 --> 00:11:39.810 single policy, talking to the business, what needs to be done, 192 00:11:39.810 --> 00:11:43.410 what are they doing. How can we define those rules to prevent 193 00:11:43.410 --> 00:11:47.520 those initial attack vectors? So that was the absolute minimum 194 00:11:47.520 --> 00:11:51.000 that I could not compromise, and I had to fight for the budget 195 00:11:51.000 --> 00:11:51.600 for that. 196 00:11:52.230 --> 00:11:54.870 Anna Delaney: Another potential investment is automation tools 197 00:11:54.870 --> 00:11:58.350 to speed threat detection and response. This could be crucial 198 00:11:58.350 --> 00:12:01.560 to organizations with limited resources in the midst of a 199 00:12:01.560 --> 00:12:06.180 hiring freeze. Tip number eight: Introduce more automation of 200 00:12:06.180 --> 00:12:07.710 security processes. 201 00:12:08.190 --> 00:12:09.810 George Finney: I give the example of our security 202 00:12:09.810 --> 00:12:16.050 operations center. You know, I think those are really expensive 203 00:12:16.890 --> 00:12:22.950 teams to kind of bring in, and what you're trying to do in a 204 00:12:22.950 --> 00:12:26.700 24/7 operations, you know, having a team of just five 205 00:12:26.700 --> 00:12:31.470 people, it's really hard to do. But I think, you know, those 206 00:12:32.340 --> 00:12:36.090 teams can add a lot of value. And sometimes it's just a matter 207 00:12:36.090 --> 00:12:40.530 of getting comfortable with that. So, for us in our journey, 208 00:12:41.070 --> 00:12:46.050 it's been a real challenge to implement automation. A lot of 209 00:12:46.050 --> 00:12:50.040 folks are nervous about it. And, you know, it's not like they're 210 00:12:50.040 --> 00:12:53.850 nervous that automation is going to steal the jobs. It's that, 211 00:12:54.720 --> 00:12:58.230 you know, automation can unnecessarily complicate a 212 00:12:58.230 --> 00:13:02.940 simple issue. Automation maybe makes it harder to troubleshoot 213 00:13:02.940 --> 00:13:06.900 if the automated tools are changing things and you don't 214 00:13:06.900 --> 00:13:12.180 have visibility into it. But yeah, I mean, we've automated 215 00:13:12.180 --> 00:13:17.850 some of our workflows in kind of key security areas, and it's 216 00:13:17.850 --> 00:13:21.900 been a real win, right? And I think from an IT perspective, 217 00:13:22.410 --> 00:13:25.410 they have fewer support hours that they have to put toward 218 00:13:25.410 --> 00:13:29.970 security. Because it's kind of - the responses are happening in 219 00:13:29.970 --> 00:13:35.100 real time. And security gets a better outcome. Calls were able 220 00:13:35.100 --> 00:13:39.810 to respond in machine time versus having to have a human 221 00:13:39.810 --> 00:13:42.480 take minutes or hours to maybe respond. 222 00:13:43.050 --> 00:13:45.090 Anna Delaney: Another security-related costs that 223 00:13:45.090 --> 00:13:48.690 shows no signs of declining is cyber insurance. With cyber 224 00:13:48.690 --> 00:13:51.930 attacks intensifying, cyber insurance companies are raising 225 00:13:51.930 --> 00:13:54.900 their rates, but rewarding organizations that invest in 226 00:13:54.900 --> 00:13:58.740 cybersecurity and risk management. Our number nine tip: 227 00:13:58.980 --> 00:14:02.730 Look for projects that will reduce cyber insurance costs. 228 00:14:03.120 --> 00:14:06.190 George Finney: We know, for example, cyber insurance, the 229 00:14:06.263 --> 00:14:10.796 cost has, you know, essentially quadrupled for the same amount 230 00:14:10.869 --> 00:14:15.401 of insurance, and deductibles have gone up, right? So at every 231 00:14:15.475 --> 00:14:19.203 level, we know there are challenges with supporting 232 00:14:19.276 --> 00:14:23.955 security. And, you know, I worry that if we're not continuing to 233 00:14:24.028 --> 00:14:28.488 invest in security, it's like Alice in Wonderland, you've got 234 00:14:28.561 --> 00:14:32.728 to kind of run to stay in the same place. So, you know, I 235 00:14:32.801 --> 00:14:37.333 think finding strategic ways of focusing your cyber program on 236 00:14:37.407 --> 00:14:40.770 what matters the most is what we've got to do. 237 00:14:41.400 --> 00:14:43.110 Anna Delaney: One of the biggest challenges facing the 238 00:14:43.110 --> 00:14:46.890 cybersecurity industry long before the downturn is finding 239 00:14:46.920 --> 00:14:50.790 and keeping skilled resources. But what happens when key people 240 00:14:50.790 --> 00:14:55.080 leave and you can't replace them. Tip number 10: Our experts 241 00:14:55.080 --> 00:14:59.250 advise: train and hire security specialists from within. 242 00:14:59.940 --> 00:15:01.680 Marcin Szczepanik: You know, some of the individuals that 243 00:15:01.680 --> 00:15:07.980 work in my teams, they actually are not 100% cybersecurity 244 00:15:07.980 --> 00:15:12.150 expert, they evolved. So I've trained some of the individuals 245 00:15:12.150 --> 00:15:16.050 that worked for me as part of the IT infrastructure, and they 246 00:15:16.050 --> 00:15:21.030 got developed into cybersecurity concept. I've got people who 247 00:15:21.030 --> 00:15:26.310 work with me that came from IT support environment, and we 248 00:15:26.310 --> 00:15:29.340 develop them into cybersecurity, and, you know, they're 249 00:15:29.340 --> 00:15:32.670 progressing quite well, some of them have been promoted and they 250 00:15:32.670 --> 00:15:38.250 enjoy the content of the job. So look at your staff within your 251 00:15:38.250 --> 00:15:41.400 business, do some training. You know, training sometimes cost 252 00:15:41.400 --> 00:15:45.030 less than recruitment process, going through the probationary 253 00:15:45.030 --> 00:15:48.990 period, going to the performance management with your new staff. 254 00:15:49.200 --> 00:15:51.900 If you can develop somebody within your team and they are 255 00:15:51.900 --> 00:15:54.660 willing to be developed, why wouldn't you do that? 256 00:15:55.530 --> 00:15:59.670 George Finney: One of the things we did is we help pay for people 257 00:15:59.670 --> 00:16:03.060 outside of the security team to go out and get cybersecurity 258 00:16:03.060 --> 00:16:06.300 certifications, right? They feel great about it because, you 259 00:16:06.300 --> 00:16:08.520 know, it's something that they'll take with them through 260 00:16:08.520 --> 00:16:12.180 the rest of their career. But we're also building security, 261 00:16:12.210 --> 00:16:16.290 you know, bench depth, I guess, or, better security knowledge 262 00:16:16.320 --> 00:16:18.720 across the organization, right? Again, we're maturing the 263 00:16:18.720 --> 00:16:22.740 organization, we're supporting our individuals. But maybe we're 264 00:16:22.740 --> 00:16:26.550 also supplementing cybersecurity staff with those individuals, 265 00:16:26.550 --> 00:16:29.880 kind of deputizing them, if you will, so that we're not having 266 00:16:29.880 --> 00:16:33.540 to add extra headcount. Again, I think, lots of different 267 00:16:33.540 --> 00:16:35.100 creative ways to do that. 268 00:16:36.180 --> 00:16:38.280 Anna Delaney: While organizations of all sizes are 269 00:16:38.280 --> 00:16:41.820 likely to feel the bite of an economic downturn, experts 270 00:16:41.850 --> 00:16:45.570 advise: don't forget that economic conditions will change. 271 00:16:45.690 --> 00:16:48.570 It's okay to respond to short-term needs. But keep 272 00:16:48.570 --> 00:16:49.830 thinking long term. 273 00:16:50.220 --> 00:16:53.460 George Finney: I go back to the Patreon example, and I apologize 274 00:16:53.460 --> 00:16:56.460 to anyone at Patreon if I'm mispronouncing your company 275 00:16:56.460 --> 00:17:00.690 name, but yeah, you know, they laid off their entire 276 00:17:00.690 --> 00:17:04.620 cybersecurity staff, right? But I worry, you know, after this 277 00:17:04.650 --> 00:17:08.610 economic downturn is over, Patreon is still going to have 278 00:17:08.640 --> 00:17:11.850 that reputation of being the company that laid off their 279 00:17:11.850 --> 00:17:15.030 entire cybersecurity staff. I think we can't forget that, you 280 00:17:15.030 --> 00:17:19.470 know, for the last, I think, five years, cybersecurity has 281 00:17:19.470 --> 00:17:25.290 been a top concern for CEOs, for boards. And I think, if you're 282 00:17:25.290 --> 00:17:29.970 opening yourself up to potential lawsuits, you know, for being 283 00:17:29.970 --> 00:17:33.810 negligent around cyber, that could haunt you for a long time. 284 00:17:33.900 --> 00:17:36.870 Niamh Muldoon: I say that I was born to protect. I protected the 285 00:17:36.870 --> 00:17:40.110 goals and my sporting life, I protect my son and my personal 286 00:17:40.110 --> 00:17:44.010 life, and I protect data in my professional life. Not everybody 287 00:17:44.010 --> 00:17:48.270 has that naturally, and/or, you know, lives and breathes it 288 00:17:48.270 --> 00:17:50.580 naturally. So it's helping them on the journey. 289 00:17:51.090 --> 00:17:53.280 Marcin Szczepanik: So the solution is not to have 290 00:17:53.310 --> 00:17:59.160 unlimited budget. The solution is to have somebody who knows 291 00:17:59.160 --> 00:18:04.260 how to use that budget, to have a team of individuals that not 292 00:18:04.290 --> 00:18:07.140 only can do the job, but they are passionate about this. 293 00:18:08.010 --> 00:18:10.680 Anna Delaney: No one knows for sure how deep the downturn will 294 00:18:10.680 --> 00:18:14.790 be or how long it will last, but security teams are already doing 295 00:18:14.820 --> 00:18:18.210 what they do best: planning for the worst and, of course, 296 00:18:18.300 --> 00:18:21.780 expecting the worst. We'll be sure to keep you up to date on 297 00:18:21.780 --> 00:18:25.740 the impact of the economy on the cybersecurity industry. For 298 00:18:25.740 --> 00:18:27.840 ISMG, I'm Anna Delaney.