Facing Flat Budgets, Kohler’s Cyber Chief Looks to Do More With What’s On Hand

With money tight, security chiefs should examine how they operate, Ms. Huth says, including how they recruit, hire and train staff, and how they justify costs to the board. 

This interview has been edited for style and clarity.

WSJ Pro: In this uncertain economic environment, are security chiefs likely to face budget cuts?

Ms. Huth: I don’t know that people are needing to cut things, but I do see we are being asked to try to get to flat. But following this huge inflationary period, all of my vendors are up with 7% to 8% increases on my maintenance contracts, and I can’t get out of those. That could be problematic in terms of how we’re being good partners and making sure that our vendors can work closely with us. They need to cover their cost, but again, it’s how do we get to a place where we can both move forward in a good way?

WSJ Pro: If budgets are essentially flat, what should security teams focus on in 2023?

Ms. Huth: We’re making strategic investments, still very minor, but we have very clear exposures that we need to address and the business knows that we need to do that. But more than that, I’ve told my team, “You guys went a million miles per minute and you’re always telling me you don’t have time. 2023 is your opportunity to get your in-place processes optimized.” Let’s make sure we’re getting 100% value out of them. Are we using all the feature sets, is it updated? Those types of things.

WSJ Pro: How do you convey the importance of cybersecurity investment to your board, when the belt is tightening across a company and cyber insurance doesn’t cover all incident costs?

Ms. Huth: I actually talk to my board about how much will it cost if our [manufacturing] lines in China are down [after a cyber incident]. You know what that number is [and] it’s part of your disaster recovery plan. What’s the dollar amount that is impacting the business every hour that you’re not running? I work with one of our insurance brokers to get a probability index. If the probability of something happening is 90% every 200 years, they’re not going to pay for that. But 90% every five years? That might be something they want to fund. And so using those two factors, I try to help quantify it in terms that are very real for them.

WSJ Pro: Hiring difficulties in cybersecurity are real and hiring freezes make it worse. How are you managing that next year?

Ms. Huth: I always have at least two to three interns [budgeted] to hire full-time. I’m looking for people with motivation and aptitude because I can teach people cybersecurity, but I can’t teach you to be inquisitive or curious. I hope that people take this as an opportunity to think about that because it also lowers some of the cost pressures.

If you’re looking for a senior security analyst, it takes you a year to find somebody with that skill. In that year, I could have taken somebody fresh out of college and had them doing some of the tactical work, and then more value-added work.

Write to James Rundle at james.rundle@wsj.com