Security Basics mailing list archives

RE: Impact of Global recession on Security !


From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Fri, 10 Oct 2008 09:20:09 +1000

Con-slutants? Intimate with clients? I shiver to think what people are going
to have to do to get work soon...and I have stooped pretty low before ;-) 


Great thought provoking post. I think there may be a spike in consolidation
projects too so consultants will be looking at a rise in projects in that
direction. Also, there's so much pushing at the whole power-saving green
thing. Cost and efficiency projects still need security. 

My brother was about to head for an interview with Merrill Lynch, consulting
on a project a few weeks ago - obviously that collapsed quicker than a banker
can say bailout.

Not related to Infosec but here's a link to a cartoon that explains the
whole crisis using hilarious stick figures (caveat: there is some swearing,
just in case you get into trouble at work):

http://bigpicture.typepad.com/comments/2008/02/how-subprime-re.html





The dangerous part is when such conslutancies get too many clients and
thus can't provide very good service at all. Which can you manage better
as a security conslutant: 4 clients with whom you are intimate, or 25
clients you barely know and have to rely on automated alerts and
uncustomized solutions?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of krymson () gmail com
Sent: Friday, October 10, 2008 5:07 AM
To: security-basics () securityfocus com
Subject: Re: Impact of Global recession on Security !

Overall, I don't think the "global recession" will have any specific
impact on information security that any other sector of a business won't
already be feeling. If there is a difference, I think it will be
negative.



Oh, I'm not a social science or economic researcher or even involved in
hiring and budget planning on an executive level. This is just me
rambling from my little corner in the basement listening to the thrum of
the network tubes...



Security is a cost. When the belt needs to get tightened, costs are cut.
And cutting security a bit more than other areas means little impact to
the business. If you make widgets and your business feels budgets
dwindle, if your security budget decreases, will that negatively impact
how many widgets you can produce and/or sell? Not usually unless you have
lawyers, regulations, or strict internal morals forcing the bumper car
named "The Gamble of Insecurity" into the proper lanes.



This might cause a shift in security workers away from companies who have
this (arguably wrong) view of security over to companies that do have it
and still value it in times of recession. But otherwise, nothing much
different than today or two years ago, imo.





1) Increase on vulnerabilities, risks, threats, easy availability of
hacking tools, Cyber terrorism etc will demand strict countermeasures
which cannot be ignored. These things will make sure that the security
budget will stay intact.



RE1) This is pretty much the way it goes for us, recession or not. Risks
and vulns and threats increase in relation to our countermeasures, etc.
The only issue I see with this statement may be when some other influence
appears, like a new technology or a new threat or threat vector appears
which causes an increase. Recession or not, a few instance of "cyber
warfare" (real or perceived) could influence budgets in that direction
regardless of the constricting budgets.



2) During the recession time, companies will not want their business to
be impacted due to security reasons and hamper the revenue even
further.



Do you spend more in a recession on assurances that your company will be
secure or do you spend more on making your sales? Do you cut costs that
might impact your ability to sell and manage accounts, or cut back on
your technology costs?



If anything, I see big projects being put on hold, spending stagnating,
extraneous costs axed (useless software assurance agreements), raises
slowing to a trickle, and less hiring in security for companies that are
truly impacted.





3) Need of Industry certifications will rise.



I'm not sure about this. The contrarian that I am on this beautiful
Thursday will counter that certifications equate to higher salaries. When
hiring is slowing and raises are dwindling, I would wonder if some people
find themselves asking for more than some orgs can stomach for now. This
won't lead to a decrease in certs at all, I just don't think it will lead
to any marked increase.



Likewise, certs are not cheap (time+cost), and consumer spending will
also be impacted. There will be plenty of people who may put off a cost
like this in order to make ends meet today.





4) Companies will invest in remote access solutions like SSL VPN etc so
that people can work from home than travel to office as a part of
cost cutting.



I don't think so. The gasoline cost issue is largely a consumer one
(although there are plenty of industries where logistics is feeling the
pressure of this cost as well). What I mean is that it is not a business
need that is driving the desire to work from home to save on gas, but
rather workers trying to get that benefit.



After the US 9/11 event, the gov't pushed for mandates on supporting
teleworkers so gov't work could continue even in a crisis. I thought this
would carry over more into the private sector, but it really hasn't as
much as I thought. Part of me is not really surprised.



The last time you worked from home, honestly, how effective were you? I
don't know about you, but I find the pull of a World of Warcraft or TF2
session to be pretty tempting. I think private sector managers understand
this tendency and will only allow regular working from home when
absolutely necessary. Not as a gesture of good will in a recession.
Allowing workers to work from home and be less
efficient/productive/useful is a cost, which is bad in a recession.



From a cost and security standpoint, I find home workers to be one of the
most annoying use-cases to think about. Do you let them use their own
computers? Do you issue them all laptops or home systems? Do you have the
bandwidth to support a third of your workforce teleworking on a Monday?
If they use their own system, are you ready to block the
personal/gaming/questionable sites they visit that would otherwise be
blocked if they were in the office? Can you ensure they are not siphoning
data off your network through their computer or a removable media device?
Can you manage their system's security settings and protection software?
What about your phone system extending out...etc. It's all much more cost
than people think, if you want it done wholistically.



BUT WAIT! DON'T STOP READING! I DO ACTUALLY THINK YOU HAVE A POINT! :)



You briefly mention that conslutant groups may benefit from this, and I
think you have a point! Outsourcing costly security functions may
actually be a growth spurt in a recession. And not just security, but
many technology functions. It is expensive to maintain the technological
architecture for business these days, let alone the cost of doing it
securely. And unless you're in a tech industry, those costs do nothing to
improve your business bottom line. It might just make sense to out-source
these functions to groups that may cost less, may have more expertise
than you'd ever get internally.



Is this an improvement? I'd say no, usually. I still feel you're better
off spending money on the salaries for security staff.



The dangerous part is when such conslutancies get too many clients and
thus can't provide very good service at all. Which can you manage better
as a security conslutant: 4 clients with whom you are intimate, or 25
clients you barely know and have to rely on automated alerts and
uncustomized solutions?



