Security Basics
Re: Impact of Global recession on Security ! Oct 09 2008 07:07PM krymson gmail com (2 replies)
Re: Impact of Global recession on Security ! Oct 10 2008 04:13AM ॠaditya mukadam ॠ(aditya mukadam gmail com)
to have to do to get work soon...and I have stooped pretty low before ;-)
Great thought provoking post. I think there may be a spike in consolidation
projects too so consultants will be looking at a rise in projects in that
direction. Also, there's so much pushing at the whole power-saving green
thing. Cost and efficiency projects still need security.
My brother was about to head for an interview with Merrill Lynch, consulting
on a project a few weeks ago-obviously that collapsed quicker than a banker
can say bailout.
Not related to Infosec but here's a link to a cartoon that explains the
whole crisis using hilarious stick figures (caveat: there is some swearing,
just in case you get into trouble at work):
http://bigpicture.typepad.com/comments/2008/02/how-subprime-re.html
>>The dangerous part is when such conslutancies get too many clients and
>>thus can't provide very good service at all. Which can you manage better
>>as a security conslutant: 4 clients with whom you are intimate, or 25
>>clients you barely know and have to rely on automated alerts and
>>uncustomized solutions?
> >-----Original Message-----
> >From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> >On Behalf Of krymson (at) gmail (dot) com [email concealed]
> >Sent: Friday, October 10, 2008 5:07 AM
> >To: security-basics (at) securityfocus (dot) com [email concealed]
> >Subject: Re: Impact of Global recession on Security !
> >
> >Overall, I don't think the "global recession" will have any specific
> >impact on information security that any other sector of a business won't
> >already be feeling. If there is a difference, I think it will be
> >negative.
> >
> >
> >
> >Oh, I'm not a social science or economic researcher or even involved in
> >hiring and budget planning on an executive level. This is just me
> >rambling from my little corner in the basement listening to the thrum of
> >the network tubes...
> >
> >
> >
> >Security is a cost. When the belt needs to get tightened, costs are cut.
> >And cutting security a bit more than other areas means little impact to
> >the business. If you make widgets and your business feels budgets
> >dwindle, if your security budget decreases, will that negatively impact
> >how many widgets you can produce and/or sell? Not usually unless you have
> >lawyers, regulations, or strict internal morals forcing the bumper car
> >named "The Gamble of Insecurity" into the proper lanes.
> >
> >
> >
> >This might cause a shift in security workers away from companies who have
> >this (arguably wrong) view of security over to companies that do have it
> >and still value it in times of recession. But otherwise, nothing much
> >different than today or two years ago, imo.
> >
> >
> >
> >
> >
> >> 1) Increase on vulnerabilities, risks, threats, easy availability of
> >> hacking tools, Cyber terrorism etc will demand strict countermeasures
> >> which cannot be ignored. These things will make sure that the security
> >> budget will stay intact.
> >
> >
> >
> >RE1) This is pretty much the way it goes for us, recession or not. Risks
> >and vulns and threats increase in relation to our countermeasures, etc.
> >The only issue I see with this statement may be when some other influence
> >appears, like a new technology or a new threat or threat vector appears
> >which causes an increase. Recession or not, a few instances of "cyber
> >warfare" (real or perceived) could influence budgets in that direction
> >regardless of the constricting budgets.
> >
> >
> >
> >> 2) During the recession time, companies will not want their business to
> >> be impacted due to security reasons and hamper the revenue even
> >> further.
> >
> >
> >
> >Do you spend more in a recession on assurances that your company will be
> >secure or do you spend more on making your sales? Do you cut costs that
> >might impact your ability to sell and manage accounts, or cut back on
> >your technology costs?
> >
> >
> >
> >If anything, I see big projects being put on hold, spending stagnating,
> >extraneous costs axed (useless software assurance agreements), raises
> >slowing to a trickle, and less hiring in security for companies that are
> >truly impacted.
> >
> >
> >
> >
> >
> >> 3) Need of Industry certifications will rise.
> >
> >
> >
> >I'm not sure about this. The contrarian that I am on this beautiful
> >Thursday will counter that certifications equate to higher salaries. When
> >hiring is slowing and raises are dwindling, I would wonder if some people
> >find themselves asking for more than some orgs can stomach for now. This
> >won't lead to a decrease in certs at all, I just don't think it will lead
> >to any marked increase.
> >
> >
> >
> >Likewise, certs are not cheap (time+cost), and consumer spending will
> >also be impacted. There will be plenty of people who may put off a cost
> >like this in order to make ends meet today.
> >
> >
> >
> >
> >
> >> 4) Companies will invest in remote access solutions like SSL VPN etc so
> >> that people can work from home than travel to office as a part of
> >> cost cutting.
> >
> >
> >
> >I don't think so. The gasoline cost issue is largely a consumer one
> >(although there are plenty of industries where logistics is feeling the
> >pressure of this cost as well). What I mean is that it is not a business
> >need that is driving the desire to work from home to save on gas, but
> >rather workers trying to get that benefit.
> >
> >
> >
> >After the US 9/11 event, the gov't pushed for mandates on supporting
> >teleworkers so gov't work could continue even in a crisis. I thought this
> >would carry over more into the private sector, but it really hasn't as
> >much as I thought. Part of me is not really surprised.
> >
> >
> >
> >The last time you worked from home, honestly, how effective were you? I
> >don't know about you, but I find the pull of a World of Warcraft or TF2
> >session to be pretty tempting. I think private sector managers understand
> >this tendency and will only allow regular working from home when
> >absolutely necessary. Not as a gesture of good will in a recession.
> >Allowing workers to work from home and be less
> >efficient/productive/useful is a cost, which is bad in a recession.
> >
> >
> >
> >From a cost and security standpoint, I find home workers to be one of the
> >most annoying use-cases to think about. Do you let them use their own
> >computers? Do you issue them all laptops or home systems? Do you have the
> >bandwidth to support a third of your workforce teleworking on a Monday?
> >If they use their own system, are you ready to block the
> >personal/gaming/questionable sites they visit that would otherwise be
> >blocked if they were in the office? Can you ensure they are not siphoning
> >data off your network through their computer or a removable media device?
> >Can you manage their system's security settings and protection software?
> >What about your phone system extending out...etc. It's all much more cost
> >than people think, if you want it done wholistically.
> >
> >
> >
> >BUT WAIT! DON'T STOP READING! I DO ACTUALLY THINK YOU HAVE A POINT! :)
> >
> >
> >
> >You briefly mention that conslutant groups may benefit from this, and I
> >think you have a point! Outsourcing costly security functions may
> >actually be a growth spurt in a recession. And not just security, but
> >many technology functions. It is expensive to maintain the technological
> >architecture for business these days, let alone the cost of doing it
> >securely. And unless you're in a tech industry, those costs do nothing to
> >improve your business bottom line. It might just make sense to out-source
> >these functions to groups that may cost less, may have more expertise
> >than you'd ever get internally.
> >
> >
> >
> >Is this an improvement? I'd say no, usually. I still feel you're better
> >off spending money on the salaries for security staff.
> >
> >
> >
> >The dangerous part is when such conslutancies get too many clients and
> >thus can't provide very good service at all. Which can you manage better
> >as a security conslutant: 4 clients with whom you are intimate, or 25
> >clients you barely know and have to rely on automated alerts and
> >uncustomized solutions?
> >