Preserving jobs is always a top priority, and to do so, it may be essential to demonstrate that you've got your eye on the bottom line and are willing to make tough choices for the benefit of the organization. For example, if you've budgeted an expensive firewall upgrade this year, it's smart to consider whether that upgrade cycle can be extended by 12 months. Moving from a four-year to a five-year hardware replacement cycle is equivalent to a 20% cost savings. If after an analysis it's determined that the upgrade needs to happen now, be prepared to explain to the CIO exactly why the new product should take priority over others being considered.
Several vendors will close their doors or consolidate. The tough economic times won't be limited to those of us on the client side. Our shrinking budgets will cause a ripple effect in the security vendor community, and several vendors currently "on the bubble" may slip off the radar. Those with solid products and/or customer bases may be purchased by larger firms seeking to expand. I've already seen this happen once in late 2008 when High Tower Software suddenly ceased operations and announced its intent to sell its Cinxi SIEM platform. This is an important trend to keep in the back of your mind if you're lucky enough to be in purchasing mode right now. Buyers may want to think twice before entering into a long-term relationship with a smaller firm that may not survive the year. The loss of a vendor can have a serious effect on network security operations. Depending upon the type of device and its role in the infrastructure, it could severely affect the organization's security posture. For example, a firewall vendor going out of business is a big deal; if the device malfunctions or fails altogether, support will no longer be available, and this could jeopardize the availability of the entire infrastructure. That said, the failure of an antivirus vendor is a catastrophe; virus definition updates would no longer be available and the effectiveness of the organization's malware defense system will degrade rapidly. In addition to considering financial stability as a criteria during any vendor selection process, now would be a good time to take stock of the financial status of all current vendors to determine whether you need to re-evaluate those relationships.
Our mindset will shift from compliance to operations. Whether you like it or not, many of us have spent the last three to five years focused on compliance issues. PCI DSS, Sarbanes Oxley, HIPAA and GLBA are just a few of the laws and regulations that security managers have been tasked with managing or helping with. Now that the industry has focused on compliance for some time, the urgency to comply by and large has lessened to a degree. Expect to see pressure from within the organization to move your security resources back into a supporting role, providing security consulting support to business initiatives.
I don't mean to paint a "doom and gloom" picture for 2009; the coming 12 months will be full of opportunities to grow and excel. Take the opportunity to streamline the use of both human and financial resources. It's healthy for any organization to periodically re-evaluate expenses, vendor relationships and business priorities. However, it would be ignorant to stick our heads in the sand and attempt to ignore the state of the economy and the potential impact it will have on our business. Rather, it's important to adopt an opportunistic attitude and prepare for the inevitable changes we'll face. Best wishes for a happy and prosperous 2009!
About the author: This was first published in January 2009
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
This was first published in January 2009