As I write this, the Dow is down nearly 600, Congress struggles to pass a bailout bill, and both the Broncos and Buffs lost over the weekend.
Bad times my friends, bad times.
Like many of you, although my current financial situation is pretty solid, I can’t help but wonder what the future holds. We’re not merely entering uncharted territory, we’re headed straight for that big black circle marked “There Be Monsters Here”. That doesn’t mean we won’t make it to the other side, but the journey is fraught with danger and challenge.
First, a couple of assumptions:
Some sort of bailout package will pass.
Times will get tough, but we won’t enter a full depression.
If we hit a depression all bets are off- since, at that point, much of society essentially collapses. But short of total economic collapse, or a miracle economic recovery, we can somewhat effectively follow the trends and postulate some conclusions.
I lost my crystal ball years ago during a wild night with Hoff and Amrit involving some bottles of 40 year old scotch, the real Travelosity gnome, and a Vegas cab driver snorting pure ground Brazilian sugar cane, but if we step back we can probably make a few guesses as to the collective future of the security world.
First, our starting assumptions:
We’ll continue to see severe credit restrictions- even tighter than now.
With limited credit and a weak stock market, the economic effects will spread beyond the financial sector. Retail, auto, and other credit-heavy industries will suffer the most.
We will see no decline in security threats, but the threats will morph to adapt to changing market conditions.
We don’t need to get fancy; belts will tighten, credit will be harder to obtain, the bad guys will keep adapting, and business will continue, albeit more slowly.
These lead directly to some conclusions about the security market:
Startup cash will dry up, and IPOs are no longer an exit strategy option. There will be less security product innovation, and what is created will be bought earlier, and cheaper, by established players who can’t afford big acquisitions anymore.
We will see continued, massive, consolidation as small companies struggle to survive and larger players can’t create growth. These won’t be big buyouts with happy founders retiring on the beach, but survival consolidations. Think Symantec buying Checkpoint, or Oracle buying Symantec. More middle players will consolidate as well, like the Sophos/Utimaco deal. We’ll have a few big generalists, a smattering of middle-sized guys glomming together, and the occasional small company that bootstrapped with a couple paying clients and isn’t dependent on external financing.
Best of breed loses to security suites. Users will demand more suites from their vendors, and “good enough” will be the name of the game. If you have a technologically superior solution no one will care. To be honest, no one really cares today, but they’ll care less in the future.
Large price pressure. Users will demand these suites at no (or minimal) additional cost. Vendors will grind over each other in a race to the bottom just to keep customers. It may not look like it on the surface price sheets, but in the nitty gritty street battles on deals you’ll see sales guys tossing in their firstborn essentially for free.
A continued obsession with compliance, cost reduction, and obvious threats. If a tool isn’t required by the auditors, doesn’t reduce ongoing operational costs, or stop a threat (like spam/viruses) that knocks people offline, it won’t sell very well. Vendors who don’t solve a clear and present business problem are in trouble. It will be nearly impossible to get budget for anything else.
We’ll also see some threat evolution:
Tighter credit issuing will reduce new account fraud. If it’s harder for the good guys to get credit, it will also be harder for the bad guys.
Existing account fraud will increase. It isn’t like the bad guys will go get some non-existent legitimate jobs. They’ll hammer the financial system, especially phishing/preying on financial fears. As any historian will tell you, fraud tends to increase during times of economic extremes- good and bad.
Major attack vectors will be similar to what we see today- clientside and web application. I don’t see anything in an economic downturn that changes the technical nature of the attacks we see today- they’ll continue to get more sophisticated, but that’s happening regardless of any economic issues.
And, of course, this will impact security professionals and how we do our jobs:
The bad guys will keep us employed, but salaries will be under pressure. “Good enough” applies to us as much as it does to our tools. We’ll see a little professional erosion as underexperienced newbies enter the market to stay employed, and non-security IT folks take added security responsibility. Now will be a good time for a diverse skill set to survive fat trimming.
We’ll have to do more with less. That’s so obvious I’m embarrassed to write it.
We’ll be under even greater pressure to justify what we do, and what we spend on. Again, really obvious, but as we’ve been talking about long before these economic troubles, the most successful security professionals will be those who can clearly communicate with the business and articulate their value.
Get used to accepting more risk. We’ll have to take hits on the small stuff to focus our efforts on the biggest risks.
Pragmatic wins. The broader your skill set, the less you cost the company while stopping most of the bad stuff; and the better you can communicate all of this the happier you’ll be. It’s always been about getting the job done, but let’s be honest and admit that it isn’t always about getting the job done. While internal politics and BS will never go away, odds are those who take a practical approach will survive better, and perhaps thrive, during tough economic times.
In other words, get used to people trying to nibble at your job, tighter belts in general, and doing more with less. Pet projects will fade and you’ll be forced to use suites more, as we try to reduce both what we spend on tools, and the people to manage those tools. Threats won’t fade, and we’ll focus more on the large obvious stuff that doesn’t obviously affect the balance sheet. Compliance won’t go away (it will be worse in some sectors) and will continue to define much of what we do.
The need for security doesn’t diminish, but the way it’s delivered has to change during tough times. Security practitioners, vendors, and bad guys alike will be pressured to solve obvious business problems while proving their value (preferably with numbers and pretty charts). In other words, the more practical you are (except for you back stabbing wizards of internal politics), the better you’ll be. Focus on the basics, keep the skill set up, and learn to talk to management and make nice looking charts.
As for me? I, like everyone, worry. As an expectant parent I’m starting to worry in ways I never imagined before. But I also know that if I continue to focus on helping my readers and clients save money, and am able to articulate said savings, I should be fine. I’m fairly pragmatic myself.
Oh- and I think we need a complete reboot of our fracking country and government, and fully intend on voting that way.
Reader interactions
5 Replies to “Impact of the Economic Crisis on Security”
Define “compliance”. Good enough “what”?
I have long held to a tradition of not jumping into the fray on these sorts of issues. For whatever reason—perhaps my years as an economist or the desire to share in some [albeit virtual, darnnit] 40 year old scotch—I feel a need to make a few brief comments. It is not like me to be brief, but here is my attempt:
You make some excellent points. That said, you have largely ignored what Compliance will be [or morph into] in a serious recession. In fact, your last sentence seems to indicate that you are interested in voting for “Change”, which would seem to imply jumping onto the somewhat irresponsible bandwagon of delta gratia deltis—ignoring the likely onslaught of government intervention and the commensurate fiscal pressures associated with free stuff (and ignoring the de-stability that change brings, especially when stability and predictability are needed to calm stuff down). Regardless of how you personally vote, and even somewhat regardless of which party wins the party, the tell tales are flapping and indicating a strong shift towards government oversight—desired by both the people and the state. The “$700B” Bailout package is a harbinger of the squall. I am not intending to make a political point, but rather that the next generation of SOX is on the horizon. The generation in which “good enough security” is eclipsed by “good enough story”. We scotch drinkers all agree that “good enough” will be even more the order of the day, but we need to be clear about what it is that will need to be good enough. Without prejudice, here are a few possibilities for consideration:
Regulatory compliance and associated audits will torque down making discretionary spending for [improved] security even less available;
Major breaches and events will become more frequent and more publicized making certain types of security spending obligatory;
Organizations will be increasingly interested not in “good enough security” but in “good enough [SOX Gen2] audit proofing” driving creative ways to shift responsibility (especially in investing in “not-good-enough-but-demonstrably-believable-common-market-practices (especially those promoted by well-known analysts)”;
Risk tolerance will increase in focus and therefore good enough protection through professional liability insurance will become a key replacement for good enough security. Mostly due to the degrees of separation between business management and IT security budgets, organizations have not [yet] done a good job of internalizing the costs and benefits of security. We should not expect improvement in systematic internalization in the near term. The credit crisis—stemming from incomplete linkages, implicit guarantees, inadequate accountability, and insufficient foresight—establishes a pattern for a security crisis evolving from the same factors. The credit market did not invest in good enough risk management. The reaction has not been about good enough controls. It has been about blaming an amorphous body of greedy rich people and establishing invasive government action. As the grizzly bear closes in, the smart credit market players are already deriving new ways to run faster than their brothers. In summary, we ought to consider the possibility that a severe recession will actually decrease a focus on good enough security and rather expand an emphasis on spin and appearances. In the face of this possibility, some can lead others to do the right thing and some can follow the pack. The challenge will be in knowing the probability that leading will succeed. This is hard to predict, especially when one has lost his crystal ball. As some are seeking to have good enough appearances, some of us are counting on diligence by market analysts to clarify what is good enough to comply with.
[…] Rich: Impact of the Economic Crisis on Security. It doesn’t matter if you are a vendor or practitioner, we’ll feel the effects of this […]
[…] I largely agree with the analysis in this blog: Impact of the Economic Crisis on Security, I do think that Boards and IT management teams have it within their power to avoid the […]
Buffet says (something like) a receding economic tide shows who’s been swimming naked. Well, that certainly turns out to be true for a growing number of financial ‘‘institutions’‘, as around the world one after another of them collapse or seek emergency (government) funding. So one of the boom areas of the next few years will be in selling services that help institutions crash their new and their old systems together as they try and achieve the synergies they’‘re betting on.
The other area of growth (apart, of course, from security and compliance) is going to be risk management – although we’‘ve still got to work out how to get the stable door bolted first.
Good points—I espically liked the use of “fracking” 🙂