Do a quick Google search for the terms “security” and “safety,” and this is what you’ll get:
Security: the state of being free from danger or threat
Safety: the condition of being protected from or unlikely to cause danger, risk, or injury
At first glance, the two definitions might sound the same, but there’s something that feels a little more urgent about the second. While security simply means to be free from danger or threat, the definition of safety includes the added layer of being protected not just from danger, but from injury. With that deeper reading, safety sounds just a little more pressing, right?
Words matter, and that’s exactly what some cybersecurity leaders believe we need to remember. In July, we hosted a Cloud Security Alliance (CSA) webinar to chat with CISOs and industry analysts about how organizations should adjust their security practices in advance of a recession. They discussed whether reframing security as “safety” can help us better communicate the security team’s value to the rest of the organization and make it more recession-proof. We’ll explore this idea below.
Why we may want to shift from 'security' to 'safety'
We take risks when it comes to security. Speed is often valued over security, and we saw this during the COVID-19 pandemic when companies took shortcuts with security so they could quickly shift to remote work. But we don’t take the same risks when it comes to safety, says Sounil Yu, CISO and Head of Research at JupiterOne:
“Physical safety … is something that people don't make shortcuts on. In the context of even the baby formula shortage here in the U.S., that stemmed from an initial safety issue and that caused the plant to shut down and the net revenues and that ability to make sales went away as a result of that, too, of course. But the point is that we tend to not make shortcuts. We tend to not cut back on safety measures during a recession.”
Sounil suggests that we need to characterize some of our regular cybersecurity practices as safety-oriented. We must communicate to other teams that compliance and hygiene practices are standard safety measures that help us operate in a safe digital environment.
Ultimately, it's about learning to speak the right languages
But according to Anne Marie Zettlemoyer, CSO at CyCognito, we do take risks when it comes to safety:
“I talk about safety and security hand-in-hand. … We want to make sure that our company is safe, that the products that we build are safe. ... Safety and security for me are the same thing. The sadness, though, or the reality is that people do make choices about safety, even human safety. I mean, there's so many stories of people cutting back on testing, people doing whatever acts that they know are going to affect consumer health or their employee health. … Humans are humans and they don't always make the right decisions and certainly very rarely on virtue.”
Still, the panelists agreed that the key is learning how to speak the right languages and tell stories that convey the value of cybersecurity to the rest of the org. Security teams must understand how they help sustain the business, protect its reputation and brand trust, manage operational risk, and ultimately empower the company to continue to sell in times of uncertainty and chaos. If your security team is armed with stories and evidence that demonstrate why these things are important, there’s a better chance security will continue to be prioritized.
As Fernando Montenegro, Sr. Principal Analyst at Omdia, noted: “It’s about providing safety for the organization overall in terms of reducing the volatility that they need to expect in the sense that you don’t want to wipe out your net income. … We are here to protect the organization, to continue to operate throughout the downturn. The recession is a stress test, right? It’s an unplanned stress test on the organization. And you want to be able to demonstrate that … we are preserving the capability of the organization to endure through this.”
'We tend to not cut back on safety measures during a recession'
Below is an excerpt from “A CISO’s Guide to Security Strategy During a Recession,” a July 2022 webinar panel with the Cloud Security Alliance. This panel was moderated by Sounil Yu, CISO at JupiterOne, and featured Anne Marie Zettlemoyer, CSO at CyCognito, alongside Fernando Montenegro, Sr. Principal Analyst at Omdia.
You can find the full webinar here, but check out this clip for more discussion about the difference between safety and security and how security teams should communicate with the rest of their org to make their work more recession-proof.
For more recession-ready security strategies
To help their organizations maintain business viability and weather a downturn, security teams will need to get creative, not just in the way they speak with other teams but also in how they evaluate their entire security posture. To gain more insights into how your team should prepare for a recession, watch the full CSA panel here. You’ll also receive access to an interactive transcript so you can browse the takeaways at your leisure.