Security Basics mailing list archives

Re: Impact of Global recession on Security !


From: krymson () gmail com
Date: 9 Oct 2008 19:07:05 -0000

Overall, I don't think the "global recession" will have any specific impact on information security that any other 
sector of a business won't already be feeling. If there is a difference, I think it will be negative.

Oh, I'm not a social science or economic researcher or even involved in hiring and budget planning on an executive 
level. This is just me rambling from my little corner in the basement listening to the thrum of the network tubes...

Security is a cost. When the belt needs to get tightened, costs are cut. And cutting security a bit more than other 
areas means little impact to the business. If you make widgets and your business feels budgets dwindle, if your 
security budget decreases, will that negatively impact how many widgets you can produce and/or sell? Not usually unless 
you have lawyers, regulations, or strict internal morals forcing the bumper car named "The Gamble of Insecurity" into 
the proper lanes. 

This might cause a shift in security workers away from companies who have this (arguably wrong) view of security over to 
companies that do have it and still value it in times of recession. But otherwise, nothing much different than today 
or two years ago, imo.


1) Increase on vulnerabilities, risks, threats, easy availability of hacking tools, Cyber terrorism etc will demand 
strict countermeasures which cannot be ignored. These things will make sure that the security budget will stay intact.

RE1) This is pretty much the way it goes for us, recession or not. Risks and vulns and threats increase in relation to 
our countermeasures, etc. The only issue I see with this statement may be when some other influence appears, like a new 
technology or a new threat or threat vector appears which causes an increase. Recession or not, a few instances of 
"cyber warfare" (real or perceived) could influence budgets in that direction regardless of the constricting budgets.

2) During the recession time, companies will not want their business to be impacted due to security reasons and 
hamper the revenue even further.

Do you spend more in a recession on assurances that your company will be secure or do you spend more on making your 
sales? Do you cut costs that might impact your ability to sell and manage accounts, or cut back on your technology 
costs?

If anything, I see big projects being put on hold, spending stagnating, extraneous costs axed (useless software 
assurance agreements), raises slowing to a trickle, and less hiring in security for companies that are truly impacted.


3) Need of Industry certifications will rise.

I'm not sure about this. The contrarian that I am on this beautiful Thursday will counter that certifications equate to 
higher salaries. When hiring is slowing and raises are dwindling, I would wonder if some people find themselves asking 
for more than some orgs can stomach for now. This won't lead to a decrease in certs at all, I just don't think it will 
lead to any marked increase.

Likewise, certs are not cheap (time+cost), and consumer spending will also be impacted. There will be plenty of people 
who may put off a cost like this in order to make ends meet today.


4) Companies will invest in remote access solutions like SSL VPN etc so that people can work from home than travel to 
office as a part of cost cutting.

I don't think so. The gasoline cost issue is largely a consumer one (although there are plenty of industries where 
logistics is feeling the pressure of this cost as well). What I mean is that it is not a business need that is driving 
the desire to work from home to save on gas, but rather workers trying to get that benefit.

After the US 9/11 event, the gov't pushed for mandates on supporting teleworkers so gov't work could continue even in a 
crisis. I thought this would carry over more into the private sector, but it really hasn't as much as I thought. Part 
of me is not really surprised.

The last time you worked from home, honestly, how effective were you? I don't know about you, but I find the pull of a 
World of Warcraft or TF2 session to be pretty tempting. I think private sector managers understand this tendency and 
will only allow regular working from home when absolutely necessary. Not as a gesture of good will in a recession. 
Allowing workers to work from home and be less efficient/productive/useful is a cost, which is bad in a recession.

From a cost and security standpoint, I find home workers to be one of the most annoying use-cases to think about. Do 
you let them use their own computers? Do you issue them all laptops or home systems? Do you have the bandwidth to 
support a third of your workforce teleworking on a Monday? If they use their own system, are you ready to block the 
personal/gaming/questionable sites they visit that would otherwise be blocked if they were in the office? Can you 
ensure they are not siphoning data off your network through their computer or a removable media device? Can you manage 
their system's security settings and protection software? What about your phone system extending out...etc. It's all 
much more cost than people think, if you want it done wholistically.

BUT WAIT! DON'T STOP READING! I DO ACTUALLY THINK YOU HAVE A POINT! :)

You briefly mention that conslutant groups may benefit from this, and I think you have a point! Outsourcing costly 
security functions may actually be a growth spurt in a recession. And not just security, but many technology functions. 
It is expensive to maintain the technological architecture for business these days, let alone the cost of doing it 
securely. And unless you're in a tech industry, those costs do nothing to improve your business bottom line. It might 
just make sense to out-source these functions to groups that may cost less, may have more expertise than you'd ever get 
internally.

Is this an improvement? I'd say no, usually. I still feel you're better off spending money on the salaries for security 
staff.

The dangerous part is when such conslutancies get too many clients and thus can't provide very good service at all. 
Which can you manage better as a security conslutant: 4 clients with whom you are intimate, or 25 clients you barely 
know and have to rely on automated alerts and uncustomized solutions?

