By Jeffrey Wheatman

I’ve been in cybersecurity for so long that it used to be called information security. Cyber was a term only used in science fiction. During that transition, we have seen numerous economic cycles. While folks seem to loathe the term recession, everyone – well, almost everyone – agrees that an “adjustment” is coming – and sooner rather than later.

I’ve ridden the waves of numerous economic recessions during my career.

In the past they all have gone pretty much the same way –

  1. No Budget Cuts or Layoffs. Management says ‘we are cool, it might be a bit tough, but we are looking to the future, and we aren’t cutting budgets, or laying people off!’
  2. Reviewing Budgets. Management soon follows that up with ‘hhhm, this looks worse than we expected. We MIGHT have to cut a little deadweight, but we won’t cut security – we know how important it is.’
  3. Reducing Headcount After Quarterly Reporting. Quarterly earnings are released and it’s most definitely worse than expected. Management says ‘we need to tighten our belts.’ ‘We need to cut 10% of the budget company wide, but we won’t cut security … on another note, why do you have so many people in the security department?’
  4. Budget Cuts and Layoffs to Security. Management tells the CIO she needs to cut 15% of the security team, but it’s OK because there are enough people in IT to close the gaps and all requests for project funding over a buck eighty need to have a 400 page business case and the CFO needs to sign off before anything gets approved.

Effects of Downsizing on Surviving Employees

The downturn ends; the hockey stick turns back up and, in their generosity, the CFO tells the CISO – wait, we don’t have a CISO? She quit?

She left because she couldn’t secure us with all the cuts … Well, we did tell her we all needed to bite the bullet … OK, well, tell whoever is running the security team they can increase their headcount by 7% over the next 6-9 months. All requests for project funding still must be approved by a committee and just for fun we are going to throw bundles of cash into the Thunderdome and anyone that needs money can fight for it.

Okay, we had a breach. Now, who is responsible for a data breach?

Three months later, there is a data breach and management says … ‘How did this happen? Who can I blame? CISO? CIO?’ ‘Who cares, let’s fire a bunch of people! Wall Street loves when we blame the technical folks!’ ‘When are bonuses paid – my bonus will be awesome since we saved all that money cutting.’

I will say, my experience has been that every economic dip has gotten incrementally better, and I feel like this time we have crossed the threshold. Regulators won’t tolerate the excuses. Boards won’t tolerate the exposure; CxOs won’t tolerate the exposure. CISOs now have better visibility. So far, we are hearing good things. Let’s cross our fingers. When we see the other side, come back and reread this and see if I was right … this time.

Stay safe, stay healthy, stay secure!

Wheatman Out!