Let’s face facts: It’s a hard economy right now. For those of us in the security business, a down economy hits us harder than most other areas of the business. Not only does our budget wallow in the doldrums just like other areas, but at the same time that we’re stuck with less funding, the overall risk increases as well.
It works like this: Less funding for security, of course, means that we have less to spend on critical upgrades and new projects to address known gaps, and reduced operating budget to maintain the status quo. However, there’s a more insidious impact as well.
Since we’re not the only area feeling the pinch, other areas have less to spend as well. Reduced investment in other areas means longer lifespans for problematic legacy systems as well as reduced budget for maintenance activities that might be done outside of the security organization (think patching and user provisioning). In severe cases, the reduced spending can translate to layoffs — and believe me, nothing scares the pants off a security pro more than a trusted insider with an axe to grind.
So you can see the problem. However, there are forces outside our organizations that ebb and flow with the economy as well; specifically, financially motivated attacks increase during periods of economic decline. So while we’re fighting our battles internally, there’s also increased malware and increased fraud activity (for example, phishing and account harvesting) to deal with at the same time.
It sounds grim, but believe it or not, there’s a potential upside as well. It’s harder to see, but there are actually some areas where security can benefit from a down economy. In other words, just like there are factors that are unfavorable to security in a downturn, there are also some areas that are favorable — we just need to know where to look and how to capitalize on them.
First and foremost, as we’ve already touched on, a down economy means less investment in technology overall within most firms. While the security downsides of this are obvious (notably that legacy applications now have a longer lifespan, justifying expenses in a cost center like security is more difficult, etc.), there’s also a potential upside. Namely, the reduced activity rolling out new projects frees up specialized resources that would otherwise be fully engaged.
At a macro level, the equation is simple: The workload of certain areas in our security organization is directly tied to business activity. So when business activity is down — as is the case right now — organizations that were staffed to capacity prior to the downturn now have slack space in the workload of these folks. Since the cost of replacing these resources is high, it’s probably cost-prohibitive to adjust levels of staff to meet the change in the short-term demand.
So what happens? These folks have time to work on things that they wouldn’t be able to under normal circumstances. This is a good thing.
Consider application security, for example. In a boom, when the pace of change in the organization is high and new applications/systems come in rapid-fire fashion, folks who specialize in appsec usually have their hands full. They’re busy monitoring all the new applications coming out of development, they’re busy with architecture reviews and development meetings, and they’re strapped keeping up with changes to existing applications. But turn down the dial on development? This means fewer new apps and fewer changes to existing apps. As a result, the application security workload goes down.
The same is true of project management. At a larger firm, where the security roster includes resources specifically dedicated to project management of security-related initiatives, less activity from business partners means fewer projects for these folks to manage. Which means they have less on their otherwise-full plate.There are numerous other examples as well. Basically, any area in security that’s driven by spending on the business side is going to be less active right now. This means opportunity for investment in the long-term: thinking strategically, building better methodologies, planning ahead, and building the tools to help them deal with the backlogged work that builds up during a more active cycle.
Investments made now could very well translate into a more efficient process down the road — so that once the business does start getting back to the “rapid fire” pace we’re used to, these folks are optimized to be able to better shoulder the load when things pick up. The specifics of what improvements make sense will depend on the particular area, but now is probably a good time to set some goals that aren’t directly tied to what the business is (or isn’t) doing.
Get on the Train
Second, an economic downturn is the best opportunity you have to train security staff. Some people have the mistaken belief that investment in training is a bad idea during a downturn. In reality, nothing could be further from the truth. Now, it’s true that justifying training costs in the current climate can be challenging, but you’ll find that training investments during a downturn means more “bang for your buck” than investments made during a boom.
Why? There are a few reasons for this. First, many organizations that specialize in training are offering their services at reduced rates to generate business. So in many cases, it literally is just plain old cheaper to train folks given the current circumstances. Really, though, reduced cost from educators is just the gravy. The real savings are on the back end.
Think about it this way — much of your staff will have that “slack” in their workload that we talked about earlier due to the decreased business spend. Also, there’s a back-end opportunity cost to training — namely, the work that doesn’t get done when your staff is in training. The potential slack in the workload means that training a resource now is less likely to take them away from some other critical task.
In a boom, the opportunity cost of training is high because every hour spent not pushing the business’ agenda is an hour you have to make up somewhere else. But if the business isn’t generating as much work for specialized resources? Well, the opportunity cost goes down. This is true whether you’re talking about computer-based training or face-to-face training, industry seminars, or even cross-training within the firm. Training now is a good idea.
Moreover, don’t underestimate the goodwill generated by investing in your personnel at this time. Folks are worried about their jobs. It’s human nature for them to worry since everywhere they turn, people are talking about the sour state of the economy. So if you’re not going to lay off staff, an investment in training sends a clear message — after all, why would you invest in them if you’re just going to lay them off next week? This keeps morale up and quells water-cooler rumor-mongering (damaging both to security and productivity.)
The point? Right now, training is as cheap as it’s going to get — and the impact is magnified because of the goodwill factor. So why wouldn’t you do it?
Ed Moyle is currently a manager withCTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner ofSecurity Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.