No, I don’t mean everyone on the team gets a side-hustle and funnels the proceeds to prop up the security budget—but, in some cases, I suppose truth has been known to be stranger than fiction.
I mentioned this in passing the other day, but regardless of whether the economy springs immediately into shape (which ain’t gonna happen), or whether it’s a bit longer and more drawn out process to get the wheels of commerce and industry turning again, you can pretty-much bet there’s a recession ‘round the corner.
And, as security, this is going to pose a problem. Now, it’s not a problem we haven’t faced and managed in the past. But it’s a problem that – at least with some of the organizations I work with – is gonna come as a rather big shock, because some of our clients have had the good fortune of basically all the money they wanted for security thanks to some close calls close to home, and, in the interest of not wanting to be next, money flowed faster than the Congo river.
There’s a saying in entrepreneurial circles that goes something along the lines of recessions being crucibles where businesses will either succeed spectacularly or they’re gonna fail spectacularly. There’s no room for any in between.
Thinking about this, I think it’s also pretty true for security programs. Because those businesses who fail in a recession are generally over-extended, poorly managed and haven’t focused on the basics that keeps a business alive: cash flow. If you run outta cash, you’re dead.
On the other hand, if you enter into a recession with a healthy dose of cash reserves, and you have the foresight to recognize the opportunity you have and invest while everyone else is sitting around wringing their hands with sobs of woe and “Poor me,” then the ones that invest are generally way out ahead of everyone else. In some cases, permanently.
I think I mentioned this the other day, but the first rule of crisis management in organizations – and a recession is kinda like a mild, slow-burn crisis scenario – is to cut all non-essential spending. And, by now, you might’ve seen this yourself in your organization.
Now, the most dangerous predator on the planet is?
That’s right: man.
And for those who hunt for fun and profit (our dishonorable security adversaries) are like she-lions sniffing the butts of 1,000 wildebeest. They can smell weakness and fear a million miles away.
One of the endless litanies we hear as security professionals is “health and hygiene…focus on the basics…you know what to do, so why don’t you do it?” kinds of riffs. A lot of times, they’re perfectly right and justified.
Of course, they are endless riffs, because it seems that there’s a lotta people out there who don’t do it.
We also know that the vast majority of security teams out there claim to be stretched to their limits on talent, with people working flat-out nearly every day of the week…and that was before the current crisis.
So, our predators out there are basically having a party, because they know that a lot of organizations are going to look at their security programs as cost centers, and they’re going to freeze investment. And, not only that, there’s probably a good few out there who are going to have to start taking a long, hard look at their budget run-rates and think about making some reductions of some kind.
From my Twitter feed, this is already happening, and we’re still nowhere near getting things under control, because flattening the curve is stopping the bleeding for now, not keeping it stopped forever.
Anyway, so organizations on this side of the recession divide are going to be ripe targets for the bad guys, because they’re going to probably freeze security spending on closing some known control gaps, and they’re probably going to push their teams harder—and they’re also probably underestimating the psychological blow this will have on people who’ve been WFH for 30-60 days already, ready to take a sledgehammer to their walls and escape.
You can argue this is me doing some FUD-slinging of my own, but I don’t think so. I think these are facts, not fear-mongering. But, you’re free to be the ultimate judge, as you always are.
So what do you think is gonna happen to the credibility of the security team who gets overwhelmed during cost-cutting recession tacking?
I don’t know either, but I’m guessing it isn’t gonna go down so well. And the likelihood of it happening is probably going to go way up at the same time.
Some might say, “Well, Andrew. This is inevitable. Security doesn’t generate any revenue, so how can it be any other way?”
And this, dear reader, is EXACTLY the right question to ask: how can it be any other way?
The key to surviving and, dare I say, thriving, during the coming recession is re-thinking your contribution to the organization as security.
No, you don’t make or sell widgets. That’s true.
So, what do you do?
I’ll give you a hint: the answer isn’t really “we keep bad things from happening”—even though, that is a part of what we do.
But the trick isn’t talking about the activities we undertake each day. The trick is being able to discover the value of those activities to the people who care.
And we generally suck at this as an industry.
We’re all like, “Hey, look! We patched 452,319 critical vulnerabilities today! Isn’t that great?”
And the rest of the world, like the 1950s TV housewife goes, “Yes, dear.”
Because, It. Doesn’t. Mean. Anything. To. Them.
We could’ve said we impregnated a purple dragon who later spawned fire-breathing kittens, and it still wouldn’t matter, because we’ve already been tuned out.
Until we can actually figure out how to make what we do relevant to the people we work for, we’re going to forever be seen as a cost-center and a necessary PITA.
Question is: how, right?
Well, I’ve gotta solution for that. Now, mine isn’t the only solution out there, and, of course, you’re a clever individual, and so I’m sure, given enough time and motivation, you could fully-well figure it out on your own.
…do you have time?
If you don’t, or you’ve struggled with this for long enough and really want to get some concrete answers you can put to use immediately, then it is the reason that we spend the 2 weeks of Module 2 in the Building Effective Security Architectures program on understanding the business – and how value is perceived – so that we can more easily talk about the value of what we protect…
…than how many phishing emails we’ve stopped or how many unpatched systems there are.
Those are just numbers. Without context, they’re basically worse than useless.
But after the 2 weeks of module two and the exercises you’ll do with your fellow peers in the cohort, you’re going to have a much better understanding of what matters to our customers…
…so you can connect the output of our security activities…
…squarely with the things that matter to the business.
And if we can do that, well, then the question of budget cuts vs. investment as a way to help the organization establish a new competitive advantage in the market or pivot based on economic uncertainty is a whole different conversation than it would’ve been before.
Maybe it won’t help, because maybe your organization’s in fight-or-flight mode for survival based on the markets it serves and the industry it’s in.
It doesn’t matter how protected and enabled you are if the thing you’re protecting and enabled gets eaten by the wolves from the inside out—independent of anything you could’ve ever done.
But, if you can’t at least paint the picture, have the conversation and articulate the value of what you do in your security program, then it won’t matter either way.
To really understand the fundamentals and start developing the skills to position security as a true enabler to the organization, you’ll want to visit this link:
And, by my updated calculations (using the correct timezone this time), you have just over 8 hours left if you decide you’d like to join us in July and still get the $2,000 discount off the regular price of the course. In 9 hours, it’ll cost you $1,000 more—and you might forget about it, because I won’t be talking about it for a couple of weeks at least. By then, it might again be too late to work through whatever internal approval process you’d need to complete to get that discount too, forcing you to either a) give it a miss until probably next year, or b) end up paying the full $2,000 more than you could’ve joined for today.
I’m not judging either way. I’m happy if you want to join, because it’s shaping up to be a great cohort. But, I’m not gonna be upset if you don’t, because everyone’s in their own space, and everyone’s gotta make the decisions they need to make.
But if you’re on the fence, the clock is ticking, and the price most certainly does go up at midnight US/Eastern (see, twice I got it right in the same email).
What are you going to do?
Andrew S. Townley
Archistry Chief Executive