At the time of this writing, times are weird and they are only going to get weirder. Since initial identification in China in late 2019, the novel coronavirus COVID-19 has swept through most of the world. From prompting the virtual lockdown of hundreds of millions for weeks in China through the harrowing stories emerging of overwhelmed hospitals in Lombardy, the pandemic has uprooted lives and disrupted rhythms across the globe. In conjunction with medical and humanitarian impacts, COVID-19 has also produced follow-on economic impacts, from a complete collapse in demand for travel and related services through an oil price crash of near unprecedented scope and speed.
Amid overextended medical resources, the absolute failure in response by entities like the United States and the United Kingdom, and sheer uncertainty surrounding prevailing emotions around events are stressful, to say the very least. While we all must do our part to Flatten the Curve – to buy time for medical personnel and extend the efficacy of scarce resources – the very acts required also produce impacts of their own. Social distancing in all of its forms, from cancelling travel through self-isolation, removes critical support and undermines vital in-person communication networks just as they may be needed the most.
Furthermore, while most initial measures to fight against the spread of COVID-19 have adopted a 14-30 day outlook to “contain” the disease, most expert opinion indicates that truly cornering this infectious agent will take months. As a result, not only will disruption extend into periods of time unheard of for our modern, connected economy, but most existing messaging has set people up with expectations that events will be over far quicker than objective analysis would indicate. This disconnect between hope or expectation and likely reality sets up a majority of humanity for extreme disappointment, if not dispair, as disruptions extend from the Spring through the Summer and possibly into 2021.
But this is (primarily) an information security website, not a health or policy commentary page. While relatively small within the greater scope of the COVID-19 pandemic’s global impacts, this disease will undoubtedly have significant effects on the security industry. Understanding what those are – and preparing for them to avoid nasty surprises – therefore seems useful as we are still in relatively early stages for this event.
Business and Economic Effects
COVID-19 related concern (or panic) has already produced significant economic dislocation. We might sullenly laugh over panic buying of toilet paper or possess some degree of schadenfreude for all the investor types who took a collective bath when trillions of (nominal) wealth were wiped out in markets. Yet the impacts of COVID-19 on economics will be quite real, and are likely to get far worse as the social impacts of the pandemic (self isolation, depression, and decreased movement and activity) begin to reflect in overall economic importance.
The fate of airlines, cruise ship operators, hotels, and others seems pretty obvious as events and vacations are cancelled amidst increasingly rigorous controls on travel and public gatherings. Yet these are just the tip of a nasty iceberg of collapsing demand, observed in past crises such as the 2008 collapse, the Dot Com bust, and the post-9/11 market downturn. Discretionary, at times frivolous items may be first to go, but during an upheaval of uncertain duration and legitimately frightening impacts (e.g., the possibility that millions may be dead from this disease in a year’s time) we can almost certainly anticipate a broad-based collapse in consumer demand over the coming months. If people don’t buy stuff, organizations don’t generate revenue, employees get laid off, which leads to further depressed demand. Since so many governments (the US most notably) decided to take the benefits of the preceding ten year boom period and invest it in tax cuts and other demand-boosting items already while interest rates remain at staggering all-time lows, the scope for government intervention remains very small. Essentially, everyone is in for a likely world of hurt.
The past decade has been a boon for cybersecurity, both for the founding of new companies and the generation of generally lucrative, stable, and secure jobs within the field. While many intrinsically knew that the boom could not simply go on forever like some magical economic perpetual motion machine, the bursting of the security bubble still seemed a ways off given indicators like incredibly tight job markets and eye watering IPOs. With equity markets swooning and consumer demand disappearing, many organizations (including public bodies funded through dwindling tax revenue) will need to cut spending and economize services. As those of us who remember previous rounds of activity, such as the 2008 collapse, know security budgets are about to get a lot tighter.
While some degree of reckoning may be good as a market-driven mechanism to finally drive out so much snake oil that has accreted to the industry over the last ten years, at the same time companies looking to fundraise or even go public will face stiff headwinds for the foreseeable future. More concerning still, as budgets become tighter or are cut outright, we will start to see layoffs, hiring slow or stop, and various “perks” – from training to conferences to the company kitchen – disappear. The idea of rock-solid job security in this field will seem a fleeting item as well, and many of us will be asked to “give back” or “give up” for the sake of the larger organization.
While the trajectory of the threat landscape means security is better understood and more valuable to an organization than it was in 2008, security remains a “cost center” in the minds of most executives. In times were businesses face existential threats, we will soon find ourselves in a moment where the tide of flush budgets and increasing spending goes out, and we will discover what organizations were wearing pants this entire time. Companies will fail, unemployment will increase, and good people will be out of jobs. This is going to suck.
In such times, we should all be certain to look out for one another. Mentoring and helping to develop the “next generation” of security is still important, but such care will need to extend to those who were once secure that now find themselves unemployed in a challenging marketplace.
Social and Community Impacts
One item that has already come to pass due to COVID-19 restrictions is a near wholesale evisceration of the information security conference circuit. First and foremost, many conferences and gatherings remain labors of love for those organizing and donating time, labor, and funds to ensure such events take place. Limited or no event insurance, inflexible contracts, and other considerations means that many of these events are about to take a proverbial “bath”, and those most involved in their execution and success will feel the most pain. For the next few years, I fully expect several events to collapse and disappear given the financial hit a cancelled event will deal to a non-commercial event’s finances, and a rebound may take some time.
In the grander scheme of human existence, this is a relatively small and insignificant matter. Yet for those organizers and volunteers impacted, it will be very significant indeed as noted above. But also, the conference and event “circuit” serves as a critical, difficult to replicate social “mixer” of security expertise, talent, and experience cutting across industries, companies, and in many instances cultures and countries. The sudden removal of events – and while cancellations and postponement thus far only extends through May or June, I fully expect events in the fall of 2020 to be impacted as well when COVID-19 flares up following insufficient containment mechanisms – also removes one of the critical social and cultural components of the information security field.
Employer-paid trips to interesting locations with large bar tabs are not necessarily important, or in the greater perspective even desirable necessarily. Yet in a burgeoning field still lacking agreed upon standards, rigor, or conventions on items such as information sharing, dissemination, and collaboration, the conference and event scene at least provided a mechanism for practitioners and researchers to interact, share knowledge, and build an intellectual community. Removing this at a stroke will retard the growth of information security and likely contribute to continued (and for geopolitical reasons, in some cases accelerating) balkanization of the field.
Yet aside from these considerations, there is also a fundamental social aspect that goes away. Especially in a time of enforced (or strongly encouraged) social distancing, people need personal interaction to maintain their sanity and sense of belonging to a broader community. For many (including myself) conferences and related items represent a rare occasion to interact with people in real life, make new contacts, and cement existing friendships. While we are blessed in this time with various technological solutions to reducing distance and isolation, from chat to video conferencing, such relationships are inherently not the same. We are thus left with a facsimile of reality, or an impoverished experience of what existed previously.
Based on this greater sense of isolation, combined with economic effects of greater pressure to do “more with less” and increased job insecurity, I fully expect a sharp increase in anxiety and related mental health issues within the information security space. While we can try to mitigate this through “virtual” gatherings and events (something I’m trying to do with CrisisCon), such efforts can only do so much in the face of increasing personal isolation and, depending on economic and related circumstances, even despair.
Conclusion
We are about to enter a very challenging time. While I’ve often pushed back against the idea of information security as representing a wholesome “community”, there nonetheless remains a sense of professional solidarity and shared experience that some sense of being “together” exists. When combined with our (sadly insular) tendency to mostly make friends and acquaintances within this field, the scope for lasting, impactful damage to lives and well-beings compounds.
At this critical time, we must all work together to look out for one another, support each other as best we can, and do our best to be “good citizens” within the information security space. Quite soon, we will begin feeling impacts that will bite, and bite hard, on both our economic well-being and social stability. Only by putting aside petty gripes and grudges, recognizing the shared pain of all, and taking advantage of the good circumstances some of us will enjoy to assist those less well-off will we get through this as a coherent, meaningful “whole”. Through crisis, we may ultimately build that which a decade of “good times” failed to meaningfully create: an actual, purposeful community of information security practitioners and professionals who have each other’s well-being at heart and will work to ensure the security and stability of all its members.
2 Comments
Security in a Time of Austerity – Stranded on Pylos · 04/03/2020 at 06:23
[…] I’ve written previously, the economic impacts of the COVID-19 pandemic will have profound repercussions for the […]
The Opportunistic Adversary and the Pressure of Events – Stranded on Pylos · 04/06/2020 at 10:18
[…] to spread throughout much of the world, I’ve covered how this slowly unfolding catastrophe will impact the business climate of information security, why cost-saving reductions in network defense may be deeply undesirable, and how responses to […]
Comments are closed.