The steadily unfolding COVID-19 pandemic continues to unleash chaos and uncertainty in tandem with the disease’s impacts on human health. In just the past few days, total US new unemployment numbers for the past two weeks increased by over 10 million people, the price of crude oil continues to crash, and global travel numbers have collapsed. All of these items are fueled by the unprecedented collapse – or outright disappearance – of consumer demand as individuals (correctly) self-isolate to limit the spread of the SARS-CoV-19 virus. While the information security industry typically insulates itself from other aspects of business operations (to its detriment), the astounding economic fallout of the COVID-19 pandemic is unavoidable.

Anecdotally, I have personally heard multiple stories of organizations already beginning retrenchment. Examples include fairly obvious items such as cancelling non-essential travel (both for economic and health reasons), and eliminating training budgets. More ominously, several individuals have told me of dedicated security shops investigating possible reduction in headcount, after we’ve spent the past several years hearing how it is impossible to hire security talent. Given these trends, prematurely ending product proof of concept (POC) testing or letting licenses for tools or software lapse seems not far off either – meaning the current pain felt by internal security teams will soon spread to vendors and service providers as well.

Driving some of the above decision-making is a seldom-examined pseudo-truism about information security specifically (and information technology more generally) within the business environment: that such areas are “cost-centers”. In popular use, the term means just what it implies: parts of the organization that require funding but generate no revenue. While superficially true, this sentiment does not adequately capture the meaning of “cost-center” in the accounting or academic sense. There, such organizational subunits certainly incur costs and do not directly contribute to company revenue (or profits), but they are necessary business functions that often contribute indirectly to business success. While a cost-center manager’s primary responsibility is cost containment and control, that goal is contextual: the manager (and the department) must still perform the center’s function accurately and consistently.

For example, accounting, human resources, and marketing are all “cost-centers”. Yet a financial-only focus on the performance of these departments incentivizes stripping these to the minimum essential functions. While flattering to the short-term bottom line, such behavior sets up long-term consequences in poorly resourced accounting departments, minimally effective human resources, and a lack of significant market messaging. The implications are possible accounting violations or poorly kept books; failures in recruitment and personnel management; and an inability to position, describe, or sell a product. Even though costs may have been minimized, the indirect influence of these atrophied capabilities will produce an organization that is overall less effective and capable.

The same can be said for information security departments. While security programs are certainly expensive, and there remain regulatory or similar requirements to meet certain minimums or standards (PCI, HIPAA, NERC-CIP, etc.), the degraded, minimalist conception of “cost-center” does little to capture information security’s value proposition. For one, information security events, intrusions, and criminal actions do not seem to be receding along with the economy. Business email compromise (BEC), ransomware events, and similar activity all appear to have taken no note or heed of events, and continue robustly. Even pseudo-chivalric promises to spare critical medical-related entities from such attacks are quickly forgotten and broken.

From an adversary standpoint, the threat landscape therefore remains the same. However, from the business owner perspective, the threat landscape has actually become even more frightful than before. While many businesses would be endangered from a substantial BEC or ransomware event, in better economic times the prospects for recovery are relatively decent so long as the initial blow is not fatal. In present circumstances where many enterprises are now limping along amidst diminished prospects and evaporating consumer spending, what was once painful now becomes existential. The ability to “bounce back” from such a financially costly event may no longer exist, eroding any flexibility or leeway to weather such storms as the business recovers.

Thus, in many respects, present circumstances may be a terrible time to reduce investment in security as a single significant security incident may spell death for an organization barely surviving the current economic headwinds. Yet, while security teams certainly have a value-protecting function within the organization, it does remain true that such teams do not generate revenue on their own. Thus, while the “cost-center” view remains shortsighted, there remains a kernel of truth to the subject. And just as many other aspects of a business will need to tighten belts in hard times – reducing spend, lowering pay, extending hours, or whatever is necessary to squeeze greater value out of less – the same applies to information security.

Yet in cutting the proverbial “fat” from organizations, the previous observations on the evolving nature of the threat landscape in the context of the economic environment still hold. Thus, while some degree of reduction or sacrifice will be necessary, intelligent organizations will need to ensure that while trimming fat or bloat, they do not overzealously cut vital institutional muscle and bone as well.

As I’ve written previously, the economic impacts of the COVID-19 pandemic will have profound repercussions for the cybersecurity industry – as well as its practice within organizations. While some degree of change is necessary, avoiding the elimination of core or critical abilities is equally important. Namely, businesses will need to critically evaluate their value structure – as well as the identity and nature of their revenue-generating functions – and determine what security investments are required to ensure their continued operation. Based on an unemotional examination of such centers of value and the capabilities required to secure them, organizations can identify priorities for maintaining security posture – while also determining what capabilities are mere “nice to haves” for less critical times.

For many small to medium organizations, this likely means holding the line on critical areas like endpoint security, email security, and internal patch and vulnerability management. Given the nature of most threats facing these organizations, identifying the mechanisms through which criminal actors seeking monetization of compromise typically operate and marrying these to likely intrusion pathways will identify key security terrain. Ensuring that BEC email gets blocked or that external-facing services are patched and have some degree of visibility are not simple niceties, but critical needs to ensure that a potential business-killing event does not take place.

Larger organizations enjoy greater flexibility (e.g., access to more financing options through troubled times, more assets to liquidate to preserve critical value sources, etc.) but also face more diverse risks. For the latter, in addition to financial crimes, there are risks of reputational loss through data theft or disclosure, or espionage (state-sponsored or otherwise) to collect vital information on company operations and intellectual property. Like the enterprising criminals still conducting BEC and ransomware operations, the state-sponsored teams performing cyber-nexus industrial espionage are unlikely to go away. One possibility, given circumstances, is that a perception of chaos, unsettled remote work conditions, and lower security investment provides greater opportunity for such entities to operate. Thus, large organizations – from manufacturing conglomerates to financial institutions to oil and gas majors – will need to maintain some security baseline given persistent threats to critical sources of value. Yet just as with smaller organizations, “nice to haves” and similar non-critical investments might require sacrifice to ensure the overall health of the organization.

Based on the above observations, I can see niche business models and untested technologies being the first to suffer from reduced company spend as the value proposition for such items is either small or unclear at present. While this seems fairly obvious – and will result in significant turnover in the venture capital funded crowd – there are other items which have obvious value, but which may need to be curtailed or limited in times of duress.

One example that hits home for me is threat intelligence. While threat intelligence serves as a “force multiplier” in that it can enable organizations to learn more of the overall threat environment to prioritize investments and orient defenses, organizations in full-on crisis mode may not have the luxury of such spending. Large organizations facing diverse threat landscapes from criminal activity through state-sponsored espionage (or even disruption) likely don’t have much of a choice in continuing to invest in such services given the potential for loss and the ability to better economize on other investments through knowledge. But smaller organizations with leaner budgets and a more circumscribed threat environment may no longer be able to justify such investment as they move into security triage mode for the sake of overall business health.

Overall, many of the judgments above fall into the trap of “all generalizations are stupid”, and specific answers to questions of what to cut, what to maintain, and what to expand in times of economic crisis will depend on the particular needs and abilities of a given organization. Nonetheless, I strongly feel that traditional business leaders and card-carrying MBAs will do well by their shareholders or owners to take an expansive view of security operations as more than just a line item for reduction. Rather, an intelligent view of security’s contribution to the business means understanding just where security resources are necessary to ensure the long-term health, availability, and integrity of value-producing segments of the organization. Stripping security to the bone for short-term balance sheet reasons increases organizational risk at a time when incidents that were once recoverable now become fatal. While security practitioners must understand that sacrifices will be necessary and that the long “boom” in security investment is likely at an end, business leadership must also accept that hollowing out this supposed “cost-center” can produce significant negative business impact.

The Opportunistic Adversary and the Pressure of Events – Stranded on Pylos · 04/06/2020 at 16:19

[…] how this slowly unfolding catastrophe will impact the business climate of information security, why cost-saving reductions in network defense may be deeply undesirable, and how responses to certain actions in a pandemic landscape will be difficult to say the least. […]