Last month, a Wall Street Journal article highlighted how chief information security officers (CISOs) will increasingly see budgets constrained based on the growing economic uncertainty facing companies in 2023. So, how should CISOs manage through this uncertainty? Let's start by acknowledging several planning constraints:

Given these constraints, here are three steps that could help better optimize cybersecurity investments in a constrained spending environment:

1. Shine a light on underlying business and technology complexity. Variances in the number of systems, applications, privileged users, third parties, employee attrition, and geographic presence all influence risk and what's required to defend an organization. Indeed, recent research by IBM Security highlights how increasing complexity (e.g., cloud migrations, third-party involvement, etc.) has tended to amplify incident response costs. It's foolhardy to impose limits on security spending without also considering whether at the same time, we are reducing complexity in the underlying business and technology environment that CISOs are being asked to defend. Measuring changes in the complexity of the underlying "attack surface" — that is, the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from — should be a precondition to considering adjustments or restraints on cybersecurity resources.

2. Prioritize threat-informed defenses. Cost constraints put a premium on prioritizing defenses based on behaviors that adversaries are known to use and critical software systems they are likely to target (including, but not limited to, identity and access management systems noted above). MITRE's ATT&CK framework not only comprehensively maps out threats and how they link to specific mitigations and detections — many of these mitigations and detections are achievable through technologies already in place, particularly as infrastructure providers incorporate security features into their offerings. Investing in defenses against prevalent threats can provide outsized risk reduction benefit. The Cybersecurity and Infrastructure Security Agency (CISA) recently released a set of Cybersecurity Performance Goals intended to "help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small and medium-sized organizations kickstart their cybersecurity efforts." Each of the goals is mapped to specific MITRE threat techniques.

As important, companies should invest at least some resources in validating that the controls theoretically in place are there in practice and operating as intended. CISA, the FBI, and the NSA jointly issued guidance last fall where they "recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory." Too often, we see incidents where the initial access was achieved through a misconfigured asset or undocumented security exception. Finally, the resilience aspect of threat-informed defense is critical: If a ransomware incident occurs, offline backups and up-to-date incident response plans will be key to minimizing damage.

3. Rationalize third-party risk management. There are also several persistently vexing problems that no one organization can address and must instead be addressed at a sector or national level. Companies know that a cyber incident at a supplier can have cascading impacts on them, and they are increasingly mandating security audits and minimum baseline requirements as a condition of doing business. The problem is that there is no uniformity in this approach, leaving suppliers and customers to sort through a morass of requirements and attestations, which require more and more personnel resources to manage. Indeed "assessors" are increasingly becoming "assessees" when they are subjected to cyber-insurance renewal reviews. Sectorwide approaches are needed to bring greater uniformity to standards, reducing third-party compliance complexity and enabling repurposing of investment to threat-informed defense.

While many of these steps must be accomplished within the private sector, the federal government can help advance these steps. First, as we think about increased regulatory activity, we can help manage additional financial burdens by ensuring alignment on control expectations (in a manner that is threat-informed) across regulatory agencies (and ideally with sister programs in allied foreign governments) — i.e., so that companies subject to multiple regulatory programs can focus on a consistent set of expectations. Second, we should consider not just how regulations can penalize companies that fail to live up to expectations, but also how they can reward companies to go beyond them. Finally, by imposing standard baseline expectations and mechanisms for attestation across suppliers, as the federal government is trying to do with software security, we bring greater uniformity to third-party risk management.

Businesses are facing a highly complex business, technology, and threat environment. In a cost-constrained atmosphere, return on investment matters more than ever. We should thus be bringing as much accuracy as possible in how we align defenses to likely threats, and drive as much uniformity as we can in measuring cybersecurity performance in a transparent, accurate, and precise way.