
May 15, 2020

Breaking: security team survives recession

Photo by Avel Chuklanov on Unsplash

No, I don’t mean everyone on the team gets a side-hustle and funnels the proceeds to prop up the security budget—but, in some cases, I suppose truth has been known to be stranger than fiction.

I mentioned this in passing the other day, but regardless of whether the economy springs immediately back into shape (which ain’t gonna happen), or whether it’s a longer and more drawn-out process to get the wheels of commerce and industry turning again, you can pretty much bet there’s a recession ‘round the corner.

And, as security, this is going to pose a problem. Now, it’s not a problem we haven’t faced and managed in the past. But it’s a problem that – at least with some of the organizations I work with – is gonna come as a rather big shock, because some of our clients have had the good fortune of basically all the money they wanted for security thanks to some close calls close to home, and, in the interest of not wanting to be next, money flowed faster than the Congo river.

There’s a saying in entrepreneurial circles that goes something along the lines of recessions being crucibles where businesses will either succeed spectacularly or they’re gonna fail spectacularly. There’s no room for any in between.

Thinking about this, I think it’s also pretty true for security programs. Because those businesses who fail in a recession are generally over-extended, poorly managed and haven’t focused on the basic that keeps a business alive: cash flow. If you run outta cash, you’re dead.

On the other hand, if you enter into a recession with a healthy dose of cash reserves, and you have the foresight to recognize the opportunity you have and invest while everyone else is sitting around wringing their hands with sobs of woe and “Poor me,” then the ones that invest are generally way out ahead of everyone else. In some cases, permanently.

I think I mentioned this the other day, but the first rule of crisis management in organizations – and a recession is kinda like a mild, slow-burn crisis scenario – is to cut all non-essential spending. And, by now, you might’ve seen this yourself in your organization.

Now, the most dangerous predator on the planet is?

That’s right: man.

And those who hunt for fun and profit (our dishonorable security adversaries) are like she-lions sniffing the butts of 1,000 wildebeest. They can smell weakness and fear a million miles away.

One of the endless litanies we hear as security professionals is “health and hygiene…focus on the basics…you know what to do, so why don’t you do it?” kinds of riffs. A lot of times, they’re perfectly right and justified.

Of course, they are endless riffs, because it seems that there’s a lotta people out there who don’t do it.

We also know that the vast majority of security teams out there claim to be stretched to their limits on talent, with people working flat-out nearly every day of the week…and that was before the current crisis.

So, our predators out there are basically having a party, because they know that a lot of organizations are going to look at their security programs as cost centers, and they’re going to freeze investment. And, not only that, there’s probably a good few out there who are going to have to start taking a long, hard look at their budget run-rates and think about making some reductions of some kind.

From my Twitter feed, this is already happening, and we’re still nowhere near getting things under control, because flattening the curve is stopping the bleeding for now, not keeping it stopped forever.

Anyway, so organizations on this side of the recession divide are going to be ripe targets for the bad guys, because they’re going to probably freeze security spending on closing some known control gaps, and they’re probably going to push their teams harder—and they’re also probably underestimating the psychological blow this will have on people who’ve been WFH for 30-60 days already, ready to take a sledgehammer to their walls and escape.

You can argue this is me doing some FUD-slinging of my own, but I don’t think so. I think these are facts, not fear-mongering. But, you’re free to be the ultimate judge, as you always are.

So what do you think is gonna happen to the credibility of the security team who gets overwhelmed during cost-cutting recession tacking?

I don’t know either, but I’m guessing it isn’t gonna go down so well. And the likelihood of it happening is probably going to go way up at the same time.

Some might say, “Well, Andrew. This is inevitable. Security doesn’t generate any revenue, so how can it be any other way?”

And this, dear reader, is EXACTLY the right question to ask: how can it be any other way?

The key to surviving and, dare I say, thriving, during the coming recession is re-thinking your contribution to the organization as security.

No, you don’t make or sell widgets. That’s true.

So, what do you do?

I’ll give you a hint: the answer isn’t really “we keep bad things from happening”—even though, that is a part of what we do.

But the trick isn’t talking about the activities we undertake each day. The trick is being able to discover the value of those activities to the people who care.

And we generally suck at this as an industry.

We’re all like, “Hey, look! We patched 452,319 critical vulnerabilities today! Isn’t that great?”

And the rest of the world, like the 1950s TV housewife goes, “Yes, dear.”

Because, It. Doesn’t. Mean. Anything. To. Them.

We could’ve said we impregnated a purple dragon who later spawned fire-breathing kittens, and it still wouldn’t matter, because we’ve already been tuned out.

Until we can actually figure out how to make what we do relevant to the people we work for, we’re going to forever be seen as a cost-center and a necessary PITA.

Question is: how, right?

Well, I’ve got a solution for that. Now, mine isn’t the only solution out there, and, of course, you’re a clever individual, and so I’m sure, given enough time and motivation, you could full well figure it out on your own.

But…

…do you have time?

If you don’t, or you’ve struggled with this for long enough and really want to get some concrete answers you can put to use immediately, then it is the reason that we spend the 2 weeks of Module 2 in the Building Effective Security Architectures program on understanding the business – and how value is perceived – so that we can more easily talk about the value of what we protect…

…than how many phishing emails we’ve stopped or how many unpatched systems there are.

Those are just numbers. Without context, they’re basically worse than useless.

But after the 2 weeks of module two and the exercises you’ll do with your fellow peers in the cohort, you’re going to have a much better understanding of what matters to our customers…

…so you can connect the output of our security activities…

…squarely with the things that matter to the business.

And if we can do that, well, then the question of budget cuts vs. investment as a way to help the organization establish a new competitive advantage in the market or pivot based on economic uncertainty is a whole different conversation than it would’ve been before.

Maybe it won’t help, because maybe your organization’s in fight-or-flight mode for survival based on the markets it serves and the industry it’s in.

It doesn’t matter how protected and enabled you are if the thing you’re protecting and enabling gets eaten by the wolves from the inside out—independent of anything you could’ve ever done.

But, if you can’t at least paint the picture, have the conversation and articulate the value of what you do in your security program, then it won’t matter either way.

To really understand the fundamentals and start developing the skills to position security as a true enabler to the organization, you’ll want to visit this link:

https://archistry.com/besa

And, by my updated calculations (using the correct timezone this time), you have just over 8 hours left if you decide you’d like to join us in July and still get the $2,000 discount off the regular price of the course. In 9 hours, it’ll cost you $1,000 more—and you might forget about it, because I won’t be talking about it for a couple of weeks at least. By then, it might again be too late to work through whatever internal approval process you’d need to complete to get that discount too, forcing you to either a) give it a miss until probably next year, or b) end up paying the full $2,000 more than you could’ve joined for today.

I’m not judging either way. I’m happy if you want to join, because it’s shaping up to be a great cohort. But, I’m not gonna be upset if you don’t, because everyone’s in their own space, and everyone’s gotta make the decisions they need to make.

But if you’re on the fence, the clock is ticking, and the price most certainly does go up at midnight US/Eastern (see, twice I got it right in the same email).

What are you going to do?

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

Article by Andrew Townley / Archistry Daily / Agile Security, BESA, Crisis Management, Economics, Security Architecture, Security Budgets, Security Controls, Security Value
