As I write this, the Dow is down nearly 600, Congress struggles to pass a bailout bill, and both the Broncos and Buffs lost over the weekend.

Bad times my friends, bad times.

Like many of you, although my current financial situation is pretty solid, I can’t help but wonder what the future holds. We’re not merely entering uncharted territory, we’re headed straight for that big black circle marked “There Be Monsters Here”. That doesn’t mean we won’t make it to the other side, but the journey is fraught with danger and challenge.

First, a couple of assumptions:

Some sort of bailout package will pass.
Times will get tough, but we won’t enter a full depression.

If we hit a depression all bets are off- since, at that point, much of society essentially collapses. But short of total economic collapse, or a miracle economic recovery, we can somewhat effectively follow the trends and postulate some conclusions.

I lost my crystal ball years ago during a wild night with Hoff and Amrit involving some bottles of 40 year old scotch, the real Travelosity gnome, and a Vegas cab driver snorting pure ground Brazilian sugar cane, but if we step back we can probably make a few guesses as to the collective future of the security world.

First, our starting assumptions:

We’ll continue to see severe credit restrictions- even tighter than now.
With limited credit and a weak stock market, the economic effects will spread beyond the financial sector. Retail, auto, and other credit-heavy industries will suffer the most.
We will see no decline in security threats, but the threats will morph to adapt to changing market conditions.

We don’t need to get fancy; belts will tighten, credit will be harder to obtain, the bad guys will keep adapting, and business will continue, albeit more slowly.

These lead directly to some conclusions about the security market:

Startup cash will dry up, and IPOs are no longer an exit strategy option. There will be less security product innovation, and what is created will be bought earlier, and cheaper, by established players who can’t afford big acquisitions anymore.
We will see continued, massive, consolidation as small companies struggle to survive and larger players can’t create growth. These won’t be big buyouts with happy founders retiring on the beach, but survival consolidations. Think Symantec buying Checkpoint, or Oracle buying Symantec. More middle players will consolidate as well, like the Sophos/Utimaco deal. We’ll have a few big generalists, a smattering of middle-sized guys glomming together, and the occasional small company that bootstrapped with a couple paying clients and isn’t dependent on external financing.
Best of breed loses to security suites. Users will demand more suites from their vendors, and “good enough” will be the name of the game. If you have a technologically superior solution no one will care. To be honest, no one really cares today, but they’ll care less in the future.
Large price pressure. Users will demand these suites at no (or minimal) additional cost. Vendors will grind over each other in a race to the bottom just to keep customers. It may not look like it on the surface price sheets, but in the nitty gritty street battles on deals you’ll see sales guys tossing in their firstborn essentially for free.
A continued obsession with compliance, cost reduction, and obvious threats. If a tool isn’t required by the auditors, doesn’t reduce ongoing operational costs, or stop a threat (like spam/viruses) that knocks people offline, it won’t sell very well. Vendors who don’t solve a clear and present business problem are in trouble. It will be nearly impossible to get budget for anything else.

We’ll also see some threat evolution:

Tighter credit issuing will reduce new account fraud. If it’s harder for the good guys to get credit, it will also be harder for the bad guys.
Existing account fraud will increase. It isn’t like the bad guys will go get some non-existent legitimate jobs. They’ll hammer the financial system, especially phishing/preying on financial fears. As any historian will tell you, fraud tends to increase during times of economic extremes- good and bad.
Major attack vectors will be similar to what we see today- clientside and web application. I don’t see anything in an economic downturn that changes the technical nature of the attacks we see today- they’ll continue to get more sophisticated, but that’s happening regardless of any economic issues.

And, of course, this will impact security professionals and how we do our jobs:

The bad guys will keep us employed, but salaries will be under pressure. “Good enough” applies to us as much as it does to our tools. We’ll see a little professional erosion as underexperienced newbies enter the market to stay employed, and non-security IT folks take added security responsibility. Now will be a good time for a diverse skill set to survive fat trimming.
We’ll have to do more with less. That’s so obvious I’m embarrassed to write it.
We’ll be under even greater pressure to justify what we do, and what we spend on. Again, really obvious, but as we’ve been talking about long before these economic troubles, the most successful security professionals will be those who can clearly communicate with the business and articulate their value.
Get used to accepting more risk. We’ll have to take hits on the small stuff to focus our efforts on the biggest risks.
Pragmatic wins. The broader your skill set, the less you cost the company while stopping most of the bad stuff; and the better you can communicate all of this the happier you’ll be. It’s always been about getting the job done, but let’s be honest and admit that it isn’t always about getting the job done. While internal politics and BS will never go away, odds are those who take a practical approach will survive better, and perhaps thrive, during tough economic times.

In other words, get used to people trying to nibble at your job, tighter belts in general, and doing more with less. Pet projects will fade and you’ll be forced to use suites more, as we try to reduce both what we spend on tools, and the people to manage those tools. Threats won’t fade, and we’ll focus more on the large obvious stuff that doesn’t obviously affect the balance sheet. Compliance won’t go away (it will be worse in some sectors) and will continue to define much of what we do.

The need for security doesn’t diminish, but the way it’s delivered has to change during tough times. Security practitioners, vendors, and bad guys alike will be pressured to solve obvious business problems while proving their value (preferably with numbers and pretty charts). In other words, the more practical you are (except for you back stabbing wizards of internal politics), the better you’ll be. Focus on the basics, keep the skill set up, and learn to talk to management and make nice looking charts.

As for me? I, like everyone, worry. As an expectant parent I’m starting to worry in ways I never imagined before. But I also know that if I continue to focus on helping my readers and clients save money, and am able to articulate said savings, I should be fine. I’m fairly pragmatic myself.

Oh- and I think we need a complete reboot of our fracking country and government, and fully intend on voting that way.