What We Do
How We Do
Get Started

Security Capabilities CISOs Should Invest in During a Recession

BY eSentire

February 2, 2023 | 9 MINS READ

Cyber Risk

Managed Detection and Response

Cybersecurity Strategy

Want to learn more on how to achieve Cyber Resilience?


The looming potential of a recession and the ongoing macroeconomic downturn suggest that many organizations will be looking to trim unnecessary spending in favor of business-critical operations in 2023. This economic uncertainty will no doubt lead to restricting IT and cybersecurity department budgets, tasking security leaders to do more with less.

As a result, investing in cost-effective cybersecurity tools and capabilities will be crucial to maximizing ROI while maintaining a strong security posture.

Adding to the challenge, recessions incentivize cybercriminals to develop new and destructive types of cyber threats. During the 2008 recession, the FBI reported a 22.3% increase in online crime complaints, resulting in twice as many losses associated with these attacks, reaching $559.7 million.

Despite the rising pressure to cut costs, the commitment to cyber resilience should not be left out if organizations are looking to minimize the risks of business disruption. This blog discusses the cybersecurity capabilities you should prioritize as a CISO when your resources are limited to ensure your organization can build cyber resilience and prevent disruption.

Capability #1: The ability to detect threats in real-time

Cybercriminals don’t work 9 to 5, so your cybersecurity capabilities shouldn’t be limited to office hours either. In fact, many organizations don’t recognize they’ve been attacked until months after the incident, leaving them more susceptible to reputational damage and financial loss. According to a recent IBM study, in 2022, it took an average of 277 days to identify and contain a breach.

This means that your organization should allow for continuous security event monitoring across various signals and respond to any anomalies rapidly.

One crucial metric to ensure the effectiveness of your security event monitoring is a short Mean Time to Detect (MTTD) for all cyber incidents. A shorter MTTD means your organization can kickstart the response and remediation process as soon as the threat happens, which is key to minimizing the damage.

In the always-on world, preventing cyber incidents during non-business hours is increasingly difficult. For example, the Kaseya VSA Platform was a victim of a zero-day cyberattack that occurred on a Friday afternoon right before the July 4th long weekend. The threat actors were able to exploit a zero-day vulnerability and gain access to Kaseya’s internal environment, resulting in thousands of downstream organizations being impacted.

As soon as our 24/7 SOC Cyber Analysts and the Threat Response Unit (TRU) were alerted of the attack, they responded immediately by conducting regular sweeps for all our customers, based on any indicators of compromise (IOCs) associated with this REvil campaign, in addition to any IOCs known from previous REvil-affiliated campaigns. We also took action to block any REvil-related infrastructure detected from our customers’ environments.

“I don’t think it's responsible for a business to say we can wait until staff come in, in the morning, or wait until Monday if an event happens on a Saturday. If you can't respond quickly, you will likely have a business-impacting event,” Greg Crowley, Chief Information Security Officer (CISO) at eSentire, says.

Capability #2: The ability to investigate cyber threats effectively

Rapid threat detection is only one part of the solution. Threat investigation capabilities are critical for robust, complete threat response since effective threat investigations allow your team to collect and analyze evidence to inform response and remediation efforts.

For example, if ransomware has been deployed into your environment, it’s not enough to only investigate which endpoint the ransomware infected first. You also need to analyze data across multiple signals – cloud, log, network, etc. – to determine how the threat actors gained initial access into your network, which hosts they compromised first (and why), and how they moved across your environment. If taken at face value, automated alerts often miss the full scale of a cyberattack so it’s critical to have a team of security experts to conduct a thorough human-led investigation when necessary.

This capability allows your security team to link seemingly separate incidents and paint the complete picture of the cyberattack. As a result, your team can validate, understand, and contain threats before they become major business-disrupting incidents that impact revenue.

Effective investigation relies on strategic threat intelligence, including real-time and historical data analysis, to gain telemetry across siloed signals and perform large-scale threat sweeps. You should analyze information about the threat from multiple sources — endpoint, network, log, cloud, and even your existing vulnerabilities — to compile evidence and understand the scale of the attack. This level of investigation requires a deep level of security expertise and knowledge of Tactics, Techniques, and Procedures (TTPs) employed by threat actors.

Threat investigation takes your response capabilities to the next level by allowing your security team to develop targeted, actionable recommendations for incident recovery and remediation.

In other words, the depth of the threat investigation dictates the depth of the response.

Capability #3: Prioritizing fast, effective response to cyber threats

If an attacker manages to get through your first line of defense, you need to act fast to quickly contain and remediate the threat. After all, an experienced attacker can deploy ransomware in under 45 minutes, and if left undetected, threat actors can cause widespread damage across a company’s networks, resulting in high incident recovery costs.

When your business’ reputation and operations are under attack, every minute matters, so a rapid Mean Time To Contain (MTTC) is vitally important to minimize disruption. In 2022, the average ransomware payment was $925K. However, the most significant financial damage from cyberattacks is attributed to the downtime costs, leading to revenue disruption when organizations lose their productivity. In many cases, the resulting downtime alone can cost organizations upwards of $225K per day.

Automated solutions can be a great starting point to gain visibility across your company’s entire threat surface. But many traditional Managed Security Service Providers (MSSPs) lack true response capabilities and instead overwhelm you with automated alerts. When it comes to building a responsive security operation, you need more than just alerts. It’s essential that you have access to the right expertise and multi-signal visibility to deliver a complete and robust response.

“If you don’t have the ability to analyze those alerts, then you need to hire for threat intelligence. You're going to be paying a lot for those skill sets as well, because those are usually not entry-level positions,” says Crowley.

Your team should be able to rapidly detect, investigate, isolate, contain and remediate a security incident before it impacts the business. These capabilities ensure that your team can isolate compromised endpoints, quarantine malicious files and prevent threats from moving laterally across your network within minutes. Rapid response capabilities have tangible security and business outcomes – organizations that are able to contain a data breach in 200 days or less save $1.12M on average compared to organizations that leave threat actors in their systems for longer.

Capability #4: Shifting to a risk-based approach to build cyber resilience

As IT environments continue to grow in complexity, the use of ransomware-as-a-service keeps rising, and state-sponsored cyberattacks grow in frequency and sophistication, it becomes nearly impossible to stop new cyber risks from impacting your organization.

Instead of aiming for complete elimination of cyber risk, your organization should focus on building a risk-based approach that allows you to anticipate, withstand and recover from cyberattacks while keeping up with the evolving threat landscape. After all, no matter how robust your cyber defenses are, they will eventually break down under a new and advanced threat.

Cyber resilience represents your ability to avoid business disruptions and maintain growth in the context of accelerating attacks. Achieving cyber resilience is an ongoing process involving regular assessments of the security gaps specific to your industry, operational environment, and security maturity. Here, 24/7 ongoing visibility across all signals is crucial because you need to proactively detect threats coming from new and anticipated attack vectors. Your team must conduct preventive activity and ensure readiness to defend your organization against an ongoing attack and limit its impact.

Preventative measures only go so far when building holistic cyber resilience. If your organization manages to contain and remediate a cyberattack, your work is far from over. Learning lessons from the attack and collecting post-breach evidence is a crucial step to minimizing the risk of future intrusions. Lastly, as part of your cyber resilience efforts, you have to work with your business leaders to implement the processes, policies, and technologies required so your organization can continuously adapt to the threat landscape.

Solutions to fit the (shrinking) bill

As expectations from cybersecurity and IT leaders continue to grow, achieving a strong cyber defense program that prioritizes building resilience with limited resources and a shrinking budget becomes increasingly difficult. Appropriate tooling and staffing of in-house SOC may be prohibitively expensive for organizations.

According to the (ISC)² Cybersecurity Workforce Study, the cybersecurity workforce gap reached 3.4 million people in 2022. As a result, many security departments are chronically understaffed and operate at reduced efficiency.

Leveraging automation for threat detection is often seen as a solution to augment limited in-house resources and reduce the burden of manual monitoring required from security teams. Even if an organization has a robust threat monitoring system, security teams challenged with alert fatigue and false positives struggle to respond to alerts promptly. Additionally, in-house SOCs often lack the resources and expertise to fully observe the scale of the cyberattack and eliminate any backdoors that hackers may exploit in the future.

Outsourcing security operations can help reduce in-house cybersecurity costs, make the most of a limited budget for your cybersecurity program, and enable your team to do more with less. A Managed Detection and Response (MDR) service provider will allow your team to leverage 24/7 threat detection, investigation, and response capabilities to build cyber resilience and prevent disruption. All this at a fraction of the cost associated with building in-house solutions.

“Don’t wait until something happens to allocate budget to it,” advises Crowley. “Make the budget part of every business goal and initiative and understand that security needs to be 24/7/365. You need that quick response and 15-minute mean time to contain that MDR provides.”

Outsourcing MDR services allows security leaders to answer some of the most pressing security needs in a cost-effective manner by:

However, despite the advantages of security outsourcing compared to in-house security operations, CFOs may be hesitant to add the cost of another vendor during these uncertain times. As a security leader, it’s your responsibility to build alignment with your CFO to ensure you get the budget you need to invest in cybersecurity programs that strengthen your security posture.

So, how can CISOs manage increased cyber risk without overloading employees or spending recklessly? The answer lies in tying cyber risk and business risk together. Your cybersecurity investment should be aligned with core capabilities that build cyber resilience and prevent business disruption.

To get the cybersecurity investments they need for true 24/7 threat detection, investigation, and response capabilities, CISOs must learn to speak the language of their CFOs and align on what business disruption means to your organization from a dollars and cents perspective. In our latest white paper, Make the Business Case for MDR, we provide actionable steps to build alignment with your CFO and make the business case for investing in MDR.

eSentire’s multi-signal MDR service provides improved detection, 24/7 threat hunting, deeper investigation, end-to-end coverage and, most of all, complete response.

To learn how eSentire MDR can help you build a more resilient security operation and prevent disruption, connect with an eSentire cybersecurity specialist.


eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.

Read the Latest from eSentire