Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: How To Reduce Security Headcount While Mitigating Risk
Quick Take
On this episode of Compliance Unfiltered, the guys talk openly about the uncomfortable topic of reducing your internal security headcount while still mitigating risk along the way. Adam gives counsel on some of the key considerations to evaluate prior to making cuts. He shares some key tips on how to make cuts wisely and talks through some of the best practices on approaching cuts effectively.
Curious on where to start? The CU guys have got you covered there too, on this episode of Compliance Unfiltered!
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside your compliance sailing sexton, Mr. Adam Goslin. How the heck are you, sir? I’m good, Todd. How are you? Man, I can’t complain. I cannot complain. We’re going to get a little academic on the folks today. There was recently a study indicating about half of companies were planning to reduce cybersecurity headcount coming up.
How are you going to reduce cybersecurity headcount while also mitigating risk, Adam? Easy for me to say. Yeah, I love them mitigating. That’s good. We’ll have to hold that one for the blooper reel. I was actually kind of, it was weird. I was kind of surprised and I was kind of not. You’ve got to think about it, right? I mean, this study showed that half of organizations had game plans in 2024 to reduce their cybersecurity headcount. Meanwhile, cybersecurity incidents continue to escalate in number and severity every year. It didn’t make a ton of just abject logical sense. That said, it isn’t surprising organizations are feeling the need to tighten their belts. You’ve got cybersecurity personnel that are in high demand. There are a few of them that are available. If you happen to have a good one that you want to keep around, then they’ll command a hefty salary to keep them happy and keep them there. As the demand increases within the industry, their costs are going up. And at some point in the game, organizations, especially those facing a number of challenges, could get the feeling that they’re paying the cybersecurity staff more than they can justify. And you’ve also got interest rates at play. You’ve got the general state of the economy at play, with companies reducing spending, cutting expenses where they can, that type of thing going on. I’ve actually spoken with a number of organizations that have been struggling over the course of 2023. And certainly, that’s going to extend into 2024. So they’ll look at, typically, their biggest cost centers, and that being people. Given you’re looking at a docket of folks that are commanding certain salaries, etc., there are companies that are instituting hiring freezes. Others are downsizing. Cybersecurity is just one of what will be a lot of business areas that will get impacted by the state of the economy. And as understandable as the downsizing is, you don’t want to just lop off your cybersecurity staff and move on.
It’s the fortification around your castle. Eliminating these staff without a plan is similar to emptying the moat and lowering the drawbridge. So you might not have a choice about reducing that headcount, but there are right ways to do it and lots of wrong ways to do it, if you will.
Indeed. Now, what are some of the considerations before you actually cut personnel? Well, in any organization, there are various realms that you’re needing to protect. You’ve got to protect your production environment, you need to protect your remote personnel, your offices, your headquarters, etc. And there’s a lot of scope that needs some form of security attention. There are a lot of elements involved within those realms, including outsourced cloud infrastructure, devices, hardware, virtual and physical servers, workstations, printers, and a myriad of other devices that are on your networks. So there’s a broad spectrum of stuff that you need to have your eyeball on. And it’s difficult to combine all of the various reporting and detection mechanisms across the scope of what you need to have your eyeball on. There are a lot of tools that people have. Those tools need to be able to work together to monitor and protect the whole environment. The difficulty is there are a lot of companies that struggle with integrating those tools into compact, efficient, effective solutions. As a result, there are inefficiencies and gaps in your cyber profile. Various companies are going to be in various states along that continuum. Not only are you struggling with sluggish, redundant processes, but you’ve got blind spots that may leave you vulnerable.
When organizations are considering the reduction to cyber personnel, you need to account for the various spinning plates that are in play and try to figure out how am I going to maintain what I have while fixing deficiencies that are already present and doing it in a way that makes sense.
Well, how does one go about making these cuts wisely? Well, if you’re an organization that does need to reduce cybersecurity personnel, then I’d recommend a two-prong approach. First, identifying, finding, and implementing security tools that are going to allow you to do more with less. Most organizations have a security tool problem. They either have multiple tools in place performing the same or similar functions, they’ve got security gaps that no tools are covering, they’ve got misconfigured tools, or they have a lack of cohesion between all these tools. I’m often seeing all of these issues in the same organization, and having the misconfigured tools and unfilled gaps means your organization isn’t as protected as you might think. It’s easy for somebody at or near the top of the food chain to just be making decisions in a bubble, in a room, about what they want to go do. I’ve seen it happen more times than I can count. Similarly, redundant systems don’t provide double the coverage. They just slow down your network and reduce productivity across the organization. So you’re spending more than you need on the tools you’ve got and what it takes to maintain them. So if you’re gonna go through and reduce your security personnel, you need to make sure that you’ve got the right tools in place and make sure that they’re all configured correctly beforehand. Find tools that are letting you do more with less.
The other prong of that two-prong approach is you don’t necessarily need to stick with just your internal staff. A lot of companies really get their arms around the notion of, well, we need this person to be ours and be an employee and whatnot. Honestly, I’d recommend organizations consider leveraging a fractional cybersecurity consulting firm. We’ve actually done different pods and blogs on this topic, but hiring an outsourced security compliance consultant on a fractional basis can help the organization meet their needs, but do it in a more cost-effective manner. You’re not paying the full salary of a W-2 type of thing that needs to be on staff. You can do it with a fractional consulting firm that can understand your current requirements, identifying gaps and giving you good advice and expert guidance for how to fix them and tools to use, et cetera, advising you on how to move forward in the right direction without wasting time. These organizations will also assist your company with migrating from identified gap resolution into a state where the organization’s taking proactive stances toward their security. So with a fractional security consultant, you get the full expertise of one or more seasoned security professionals, but you’re able to do it at an affordable cost in comparison to having those folks full-time on staff.
Sure. So should organizations simply reduce all of their cybersecurity staff? Are there certain roles that are easier to cover fractionally than others? How does that work? Yeah, I mean, I wouldn’t go about just eliminating your security staff, you know, for sure.
Yeah, no, no, no, especially, I mean, honestly, there are so many companies out there that frankly don’t have somebody that has security as their specialty. They have a bunch of people internally that are doubling as the security people, type of thing, but the vast majority of organizations couldn’t afford to go bring in a full-time security person. If you’re lucky enough to be an organization that has multiple of these individuals, yeah, I don’t know that I’d be seeking to completely abolish them. You may be able to reduce your security personnel, but in my opinion, it would be foolish to eliminate them altogether. You’re still gonna have security incidents and you need somebody to be able to handle them efficiently and competently. You need the right tools in place, which means that you’ve got somebody skilled that knows what they’re looking at when they’re looking at the tools. Most of these tools are not just set them and walk away and all of a sudden, magically, every security problem is just cured with a wave of a wand. Yeah, it doesn’t work like that. So even things like organizational change, you’re gonna need some security influence internally that understands the internals of the organization. So if you expand to a new product, or you layer on an additional facility, or you have some other major staffing changes within the organization, all of those are areas where the security personnel are going to be able to leverage their experience with the company to be able to implement change and facilitate change in a secure manner. Even if you’re outsourcing the security monitoring aspects of your organization, you still need an internal team that can be the connection point between your company and the outsourced services. Somebody that understands, what does this really mean? How do I prioritize?
The outsourced company is handing you 47 things. Without the internal knowledge and the internal expertise of what does this mean to this company, then somebody from the outside is really going to struggle with, how do I prioritize these things and whatnot? How do I need to go about resolving them? Who do I even speak to about this particular issue? There’s a lot of that that kind of plays into it. The one thing that I’ll reiterate, kind of touched on it a minute ago, but a lot of organizations, way more than I can count, have this notion that, oh, well, we have IT people, so they must know how to do things securely. It’s not the same. It’s not the same. Please, for the love of God, just you need somebody that actually knows what they’re doing in the security space. Just because I can spell IT doesn’t mean I know how to do it securely. Completely eliminating all the cybersecurity folks would be a really, really bad move, in my opinion.
That makes a ton of sense, but how should organizations approach the trimming of cybersecurity headcount, again? Well, don’t rush it. Before you even embark down the path of making those cuts, you want to take the necessary time to make really careful decisions. Your goal is to strengthen the company’s financial position, but not put the entire company at risk by weakening its security stance. It’s a balancing act. Quite frankly, the folks in the corner office, and honestly, no offense to the corner office people, I happen to be one of them, but they really don’t understand what the hell is going on day by day at the boots-on-the-ground level. While you still have all those security people at the organization, use them, leverage them, task them with looking at the tool sets and finding tools that will work with your environment and perform functions the company needs, use them to vet and qualify good vendors that you can count on. There’s a lot of underpinning legwork that needs to be done. And again, every company is going to be starting in a different position. But I guarantee you that your security people haven’t just been sitting around twiddling their thumbs, wondering what to do next. There’s probably a whole docket of things that they’ve got on their to-do list, some of which they haven’t had the time to get done. So you’ve got a lot of factors that come into play when you’re hiring a fractional security consultant and finding those tool sets. And it’s not like just going and purchasing a hammer. A lot of people look at it, whatever. Generally speaking, a hammer is a hammer is a hammer, right? Yeah, there are some particular nuances, and some have a little bit better quality, whatever. But generally speaking, a hammer is a hammer. But when you’re talking about these tools, I can’t just go and Google logging solutions and just pick one off the shelf and know that it’s gonna be just as good as the one next to it.
There are a ton of factors that are gonna come into play. There’s variability, different ones excelling in different areas, the state of your own organization, things that you have that you need this tool to interface with and be able to interpret properly. So relying on those internal cybersecurity personnel while you still have them to establish that suite of tools, to make sure you don’t have gigantic gaping holes, etc., is gonna take some time.
The one recommendation and one thing I’d say to the corner office would be, I’m not talking about weeks, I’m literally talking about months. So if you’ve got your eyeball on the idea that, hey, it would be really cool to save by lopping off half our cybersecurity staff.
That sounds great from a financial perspective, but just walk into it in an appropriate manner, realizing that to do this properly, to do this while mitigating risk, which for those in the corner office, that’s also your job, is to mitigate risk to the company. That’s maybe even your primary job, type of thing, depending on your role. So once your team’s gone in, identified the right tools and gotten them implemented and gotten them working together and whatnot, now I can start sensibly dialing back on, number one, my internal security personnel, while meanwhile dialing up a fractional security consultant to help with basically plugging part of that hole, type of thing. But it’s going to take a bit for that transition to happen, and what that transition looks like, timing, et cetera, again, is just going to depend on the organization and what they’ve got going on, so that you can put together a game plan for this process. You don’t need to lay it out to them that, oh, by the way, we’ve got a game plan to go lop off half the security department, type of deal, but just straight up prioritize: I want these projects front and center, let’s get through those, et cetera.
And then you can go ahead and make the moves that you need to make. Parting shots and thoughts for the folks this week, Adam. Well, if your company is thinking about reducing cyber headcount, you’ve got to figure out carefully how to do it and what that process looks like.
If you do it too quickly, you’re very likely dialing way up the risk to the organization. Certainly, TCT has people and technology to help organizations do more with less. So, if you haven’t come and taken a look at some of the things that we have in play, like the compliance management software, TCT Portal, or fractional consulting services, then those tools literally, directly and indirectly, have the capability to save organizations literally thousands of dollars a year, with less manual time and less effort.
You know, the reality is that the TCT portal can be licensed standalone. So, organizations don’t, it’s not like the two have to come combined. You know, they can just license the portal and take advantage of the efficiencies they could gain there. However, if they also happen to need consulting services, you know, then we can help them there too. At the end of the day, we got into this space to help people and certainly organizations that are eyeballing security headcount staffing cuts, yeah, that’s probably a conversation where you’re going to want somebody to give you some feedback, direct input, etc. One of the other joys about dealing with the external fractional security consultant style organization is that they don’t have a vested interest in shielding you from the truth. Their job is to come in and give you the brass tacks about what’s up, what do you need to do, where are your problems, etc. So they don’t have the same inherent human limitation that typically exists with internal personnel where they’re concerned about, well, jeez, is somebody going to think I should have done this four years ago, I’ve dropped the ball, do they feel like I’m not doing my job, should I really say this, whatever.
The person on the outside, they don’t get hung up by that stuff, they have nothing invested, short of wanting to do their job to take care of you. And so it does mean that you’ve got somebody that’ll give you some real good firm directional guidance and they typically have a lot of experience as they go through it.
We talked earlier about IT personnel and how they’re not security people, etc. The other area, honestly, where I’ve seen the relationship with fractional security and compliance consulting being a very powerful tool for organizations is, quite frankly, when the leadership of the organization has their head screwed on properly. What I mean by that is there’s a knee-jerk reaction, especially with management, to want to go, well, geez, why didn’t you think of that, and kind of give their people a hard time, or think less of them, or whatever. And again, I just reiterate to folks, I’m like, you might have IT people, but it doesn’t mean you have security people. It can be an amazing experience to work with an organization, teach their people stuff, improve their capability, especially where the organization itself is kind of backing the security approach to how they want to do things. It’s a really powerful tool to kind of migrate an organization from struggling with their security to really excelling at it. It’s awesome watching that all come together.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.