When the Next Recession Comes, Will Your Security be Ready?
Recessions stink. Business contracts, companies pull back and attempt to shrink inventories, employees lose their jobs. As revenues decline, it’s harder to fund the key aspects of the business. But recessions also embody the creative destruction inherent to market forces whereby those who prepare and those who innovate come out of a recession with products that do more and cost less. The question is, are you prepared to survive?
Historically, the U.S. economy has dipped into recession every four to five years. Unfortunately, this does not happen on a regular schedule that we can all plan for. Back in the early 1980s, the U.S. entered a recession less than a year after coming out of the previous one. Today, we are in an equally extreme and uncertain time. The Great Recession of 2008-2009 was the longest period of economic contraction since World War II. And it has been followed by the longest, though not largest*, period of economic expansion in the post-war period. But the truth is, the economy is long overdue for a recession, and companies that are not prepared will suffer.
So, what does this have to do with your information security? Several things happen during recessions that heighten everyone’s risk. The most obvious impact is that budgets shrink. CIOs and their management teams are expected to provide the same high levels of protection while also contributing to cost containment. If staff cuts are necessary, the knowledge and experience of your teams can suffer as well.
Unfortunately, budget issues are not our only concern. Research is limited, to be sure, but several studies have found an increase in malware and evil hacking during times of recession, which makes sense. Great programmers and sophisticated technologists can mostly weather a recession, but those with more rudimentary skills are both more likely to be laid off and exactly the sort of people who can take advantage of existing vulnerabilities and evil hacking tools available on the Internet.
Additionally, if your company goes through a round of layoffs during a downturn, those former employees each represent a potential risk. Those laid off during a recession are more likely to have been let go simply as a matter of cost-cutting and not due to performance failures on their part. Unfortunately, they’ll also find it harder to land a new job than in times of economic expansion. These two factors mean that some employers will be facing disgruntled employees about to make poor choices. And as any good security professional knows, human beings and the knowledge they possess are far more dangerous than mere software code.
If a recession is inevitable at some point in the future, what is a CIO to do? Well, the simple answer is to make sure your security house is in order now! Here are some suggestions:
- Take advantage of available budgets to fill any gaps in your layered security strategy. With today’s next-generation firewalls, is your organization really taking advantage of everything they can do?
- Analyze the processes that go with your security solutions. Your tools are flagging activity and providing reports, but are you able to digest that information and act? Have you implemented an effective SIEM? Is your SOC able to analyze and respond?
- Evaluate your cost of delivery and your return. Can you manage the scale of risks with existing staff, or should you consider external, specialist partners in certain areas, allowing your staff to focus on managing the process and containing verified threats?
- Make sure your approach is comprehensive, layered and well-structured. Do you have a true security strategy operating under a defined and fully assessed security framework? Does your staff understand their roles in this strategy? Has your company taken an organization-wide approach to security awareness?
The truth is that when the next recession comes, even if your budgets are safe and your company’s position is strong, the organization will be distracted by the heightened competitiveness of the market and the uncertainty of the subsequent recovery. This means your ability to get the attention of executive leadership will be curtailed. Taking steps now will not only help shield your company as a whole during tumultuous times but will make the CIO and the IT Security operations look both prescient and prepared. And if your company and your IT operation do face budget cuts, you will be glad you were several years ahead of the game rather than finding yourself many more years behind.
* The economic expansion of the 1990s, for example, saw the economy grow by almost 45% and that of the 1960s by over 50%, while the current expansion, though longer, has only seen overall growth of 27%.