Security practitioners are well versed in the concept of risk. The risk that’s currently on everyone’s minds? If you guessed the possibility of an impending recession… you are correct! By now, reports of tech layoffs barely feel like news. Every day, it seems, more companies are prioritizing profit over growth and trimming the fat so they have a better chance of weathering the storm. Budgets are being cut, and cybersecurity teams are just as vulnerable as any other team.
In July we spoke with CISOs and industry analysts about what security leaders can do to prepare for a recession during a Cloud Security Alliance (CSA) webinar. One topic that emerged was the idea of the cloud as a cost savings tool vs. a cost suck. With such a big push to adopt the cloud in recent years, it’s important to consider this question as we think about how to tweak our security priorities during a recession.
The takeaway is that the cloud can provide great cost savings and help us manage uncertainty during a downturn, when we don’t necessarily know what we need yet. But for that to be true, organizations must consider their needs in context and have the right controls in place to monitor and adjust.
When the Need for Speed Backfires
We turn to the cloud for speed because it reduces your capital outlay. By adopting the cloud, you remove the need for procuring, racking and stacking, and running cable, allowing your org to move faster while also saving massively in upfront capital expenditure and maintenance costs. And from a business perspective, it makes sense to want to produce more, faster. During a recession, the ability to do that is what can keep you afloat.
But just because you move to the cloud, it doesn’t automatically mean those cost savings will be realized. That can only happen if you have controls that allow you to spin down. Many organizations, however, don’t have those controls in place, or even on their radar, because of their focus on speed. We need to find a way for speed and security to work together if we want to avoid wasteful spending. Anne Marie Zettlemoyer, CSO at CyCognito, shed more light on this predicament during the panel:
“The idea of cost savings in the cloud can only happen if you spin the instance down and how many organizations are actually spinning anything down or throttling back anything? It doesn’t happen, right? … If you’re looking for cost savings … here with security, I think people are going to obviously try and automate and increase tooling. But you still need a body to tune that tool, to monitor that tool. You still need to make it work.”
It Comes Down to Two Things: People and Visibility
To make the cloud an avenue for cost savings, you need two things: people and visibility. Tooling and automation are essential, but at the end of the day you will always need somebody who knows how to monitor and tune the tools so they are operating efficiently.
Here’s an example in action: Organizations may forget to spin down, but it’s also possible that they provisioned instances incorrectly in the first place. The way you design architecture for on-premises is not usually how you want to architect for the cloud. If you only do a lift and shift to the cloud, what used to be a half terabyte of memory in an on-premises server is now a half terabyte of memory in the cloud, when it could have been much less. That is an expensive mistake to make. You need a human who understands how to rearchitect, or you end up with high cloud costs. Another example is turning on services for redundancy. You need redundancy, but many organizations never turn off defaults like continuous snapshot, which is unnecessary and costly. As Fernando Montenegro, Senior Principal Analyst at Omdia, puts it:
“If you don’t have the human, if you don’t have the experience to understand how to rearchitect your application and your operations, you end up with extreme cost on the cloud because all of a sudden you’re paying for a massive server that … if you had rearchitected, would have been much, much less.”
If you treat the cloud as a persistent environment like your existing on-premises environment, it will be a cost suck. On the other hand, if you hire the right type of people who understand how to do cloud engineering properly and can scale as you need it or design backup environments quickly, you can capitalize on the true cost-saving opportunities of the cloud. In preparation for a recession, organizations may scale down security resources while continuing to scale up in other places. Sounil Yu, CISO at JupiterOne, elaborated on this idea during the panel:
“In the context of if there were to be an upcoming recession and there’s a huge emphasis on cost reduction and cost savings, I would much rather be able to have a team of people … who understand how to build into our infrastructure better cost-saving measures.”
You also need to ensure other teams have visibility into cloud operations. Too many organizations work in silos, but accounting teams need to communicate with engineering teams and show them the cost impact of not monitoring and tuning their tooling so they can adjust their behaviors.
'You Can Do Cloud Wrong'
Below we’ve included an excerpt from “A CISO’s Guide to Security Strategy During a Recession,” a July 2022 webinar panel with the Cloud Security Alliance. This panel was moderated by Sounil Yu, CISO at JupiterOne, and featured Anne Marie Zettlemoyer, CSO at CyCognito, alongside Fernando Montenegro, Sr. Principal Analyst at Omdia.
You can find the full webinar here, but check out this clip to hear the panelists discuss the question of whether the cloud is a cost savings tool or cost suck in more detail, along with strategies for realizing cost savings on the cloud.
More Smart Strategies for Security During a Recession
No one has a crystal ball to tell us how the current economic climate will play out. But it’s smart thinking to prepare for the worst and hope for the best. That means evaluating your security strategies for their ability to withstand a downturn. You can watch the full CSA panel here for more insights on how to do that. The link also provides access to an interactive transcript so you can dig into the discussion in the way that works best for you.