The Security Pro's Guide To Thriving In A Down Economy

Let's face it: Even if this isn't the worst economic crisis since the Great Depression, the financial engine clearly isn't running on all cylinders. At best we can assume some sort of recovery over the course of the next year or so, and at worst...well, I don't really want to think about that. I think it's safe to say that not only do none of us know where this is headed, but that the picture will remain opaque until after the election and the winners take office.

As security professionals, risk management lies at the core of what we do. And while we mostly apply those skills toward entertaining stuff like penetration tests, hunting down 0-days, and keeping our users safe, there's nothing wrong with a little self preservation once in a while. Since every source I have is reporting cost cutting and tight credit across all industries, it's time we all engaged in some personal risk management and asset protection.Being an analyst, here are the assumptions I'm going by:

1. It's safer to assume the economy will get worst before it gets better, and the downturn will last long enough that we'll need to take action to get through it. 2. Since this isn't a tech bubble, the effects will be everywhere. 3. Most organizations will experience some sort of cost cutting, which will be generalized in nature and, at the least, flatten security budgets. 4. With a turbulent market, vendors won't be able to IPO. With tight credit, they won't can't sustain unprofitable operations.

I like the kinds of risk assumptions where you win even if you're wrong. Hopefully I don't need to preach the value of planning for the worst to a security audience.

So play along and assume I'm right. As I wrote about in a little more depth on my blog, we can draw some simple conclusions:

1. If it doesn't stop an obvious threat (by obvious, I mean anything that kills e-mail or the Web site), meet a compliance requirement, or reduce existing costs, odds are it's a bigger budget-cutting target. This includes you. 2. It's a buyers market for big security vendors with spare cash as a lot of startups can't afford to stay in business and are selling out for pocket change.

The easiest way to thrive in an environment like this is to become indispensable. I don't mean you start hoarding all the admin usernames and passwords, but you prove to the business your value. You can't do this with technical jargon or FUD, but by directly targeting the areas we know the business cares about. The biggest heroes will be those that do more with less. Take a look at your job -- even if you are the bottom of the totem pole, I bet there are chances to either increase productivity or reduce costs.

For that to work, it's absolutely critical to also communicate your value without coming across as a self-aggrandizing ass. And said value needs to be communicated in business terms, which preferably involves dollar signs. I'm not saying you start writing up the classic (and mostly bogus) "potential losses," but that you show where you saved costs by cutting costs, or saved costs by increasing productivity. After that, you can start showing value in how you've defended the organization from real threats and met mandatory compliance requirements. Finally, the reality is that once you learn to communicate in business terms and help them understand what it is you do, you'll quickly find them relying on you when they have problems or questions.

Never underestimate the ability to translate between geek and business: Avoid Chicken Little arguments, effectively communicate risks, and learn to accept compromise, and you'll find yourself last in line for the chopping block. Heck, you might even find yourself first up for a promotion when the purse strings loosen up.

If you are a pen tester, provide reports rating business risk, not detailing specific vulnerabilities. If you are an incident responder, focus on how efficiently, quickly, and cost effectively you manage incidents. If you manage network security, start hunting for ways to reduce costs -- maybe simplify part of your topology or show your effectiveness in reducing successful attacks.

This holds true for vendors just as much as practitioners. If your product doesn't reduce costs, meet a mandated compliance requirement, or keep critical (and obvious) business functions running, you need to change your product. Just like the security pros, you can't rely on FUD, and overly technical products business management can't easily understand will be a tough sell.

Believe me, I'm taking my own advice to heart. We're retuning our entire business to take advantage of a down economy. An analyst is a really easy cost to cut if he's not saving you money or filling another indispensable need.

It's rare that security is anything but a cost center, but a large percentage of what we provide is also essential. As long as we both align our needs to those of the business and communicate our value, we should be more than safe. It's actually an environment we can thrive in -- an opportunity to show value in ways we tend to neglect. Instead of resenting us, the business will learn to rely on us not because they have to, but because they trust we know what's really important to the business.

Rich Mogull is founder of Securosis LLC and a former security industry analyst for Gartner Inc. Special to Dark Reading.