Patreon security cuts spark backlash

Yesterday, Patreon decided to part ways with their ENTIRE security team. Yes, 100% of their security team was laid off. Patreon said that they will be using an external security vendor instead. Now, I might not understand the full reasoning behind this decision, but I DO know that getting rid of the people at the front lines - the folks that fight to keep businesses safe day in and day out - is not the greatest idea in the world. Why? Because security teams do a lot of "invisible", yet critical, work for the business. Work that doesn't normally show up as bullet points in a board deck. Work that isn't seen as "revenue generating". Security operations, security reviews, implementation guidance, endpoint protection, asset management, configuration management, IT security, data security, incident response. Security teams perform dozens of security tasks and manage hundreds (if not thousands) of assets. Security might not make companies money, but security teams surely SAVE companies money - hundreds of thousands, even hundreds of millions, of dollars through risk mitigation. This is money that businesses have to SPEND if something bad were to happen. Which is why I think letting go of an entire security team is an extremely poor business decision. You might *think* you're saving money, but you're going to *spend* that same amount of money (and more) to fix future security problems that could have been caught much earlier. I hope we can work together to help these ex-Patreon employees land on their feet quickly. What happened to them shouldn't have happened at all. #cybersecurity

This may seem like a conflict of interest, since I run a managed security team. We offer managed security services, but that does not mean I recommend you fire your internal security team and hire external. When we look at market segment - teams like mine fill a very particular need, high security requirements, but not necessarily the budget nor the revenue to justify hiring security engineers/building a SOC. Patreon is not the first company that has let go their security team for cheaper alternatives, and won't be the last. Internal security teams for large organizations have institutional knowledge, workflows and processes that will be lost to the sands of time. While friction is to be expected in any organizational change - this type of shift specifically causes a decrease in efficiency and efficacy of the organization. Managed security teams like ours are successful when we have the ability to create the structure and grow with the company, or work to augment teams that already exist. Now there are managed security providers out there that may do enterprise swap out of bodies/tech stack/services well, but there are not many reputable ones that will tell you to fire your entire security team and insert themselves as the provider. (glaring issues and malfeasance aside) While security is an investment, a lack of security is a cost most will not be willing to bear. #Cybersecurity #infosec

The interesting thing about “Security” is that no matter the size of the company most need the same security functions to be in place which require varying levels of skill and expertise. From physical access, data security, network security, endpoint security, security awareness, vulnerability management, as well as IAM and compliance functions. Even for a small company you would need a handful of people to effectively and efficiently perform all of these functions. Then there is cloud security which is its own beast. I say all that to say, I only see the need for skilled security professionals continuing to grow and companies will move to outsource or partner with MSSPs where possible. However, I’m having a hard time wrapping my mind around a change in stategy that would result in removal of the majority of security roles in any org. Weigh in. https://lnkd.in/gJAbirX2

Yesterday, Patreon decided to part ways with their ENTIRE security team. Yes, 100% of their security team was laid off. Patreon said that they will be using an external security vendor instead. Now, I might not understand the full reasoning behind this decision, but I DO know that getting rid of the people at the front lines - the folks that fight to keep businesses safe day in and day out - is not the greatest idea in the world. Why? Because security teams do a lot of "invisible", yet critical, work for the business. Work that doesn't normally show up as bullet points in a board deck. Work that isn't seen as "revenue generating". Security operations, security reviews, implementation guidance, endpoint protection, asset management, configuration management, IT security, data security, incident response. Security teams perform dozens of security tasks and manage hundreds (if not thousands) of assets. Security might not make companies money, but security teams surely SAVE companies money - hundreds of thousands, even hundreds of millions, of dollars through risk mitigation. This is money that businesses have to SPEND if something bad were to happen. Which is why I think letting go of an entire security team is an extremely poor business decision. You might *think* you're saving money, but you're going to *spend* that same amount of money (and more) to fix future security problems that could have been caught much earlier. I hope we can work together to help these ex-Patreon employees land on their feet quickly. What happened to them shouldn't have happened at all. #cybersecurity

Yesterday, Patreon decided to part ways with their ENTIRE security team. Yes, 100% of their security team was laid off. Patreon said that they will be using an external security vendor instead. Now, I might not understand the full reasoning behind this decision, but I DO know that getting rid of the people at the front lines - the folks that fight to keep businesses safe day in and day out - is not the greatest idea in the world. Why? Because security teams do a lot of "invisible", yet critical, work for the business. Work that doesn't normally show up as bullet points in a board deck. Work that isn't seen as "revenue generating". Security operations, security reviews, implementation guidance, endpoint protection, asset management, configuration management, IT security, data security, incident response. Security teams perform dozens of security tasks and manage hundreds (if not thousands) of assets. Security might not make companies money, but security teams surely SAVE companies money - hundreds of thousands, even hundreds of millions, of dollars through risk mitigation. This is money that businesses have to SPEND if something bad were to happen. Which is why I think letting go of an entire security team is an extremely poor business decision. You might *think* you're saving money, but you're going to *spend* that same amount of money (and more) to fix future security problems that could have been caught much earlier. I hope we can work together to help these ex-Patreon employees land on their feet quickly. What happened to them shouldn't have happened at all. #cybersecurity

Yesterday, Patreon decided to part ways with their ENTIRE security team. Yes, 100% of their security team was laid off. Patreon said that they will be using an external security vendor instead. Now, I might not understand the full reasoning behind this decision, but I DO know that getting rid of the people at the front lines - the folks that fight to keep businesses safe day in and day out - is not the greatest idea in the world. Why? Because security teams do a lot of "invisible", yet critical, work for the business. Work that doesn't normally show up as bullet points in a board deck. Work that isn't seen as "revenue generating". Security operations, security reviews, implementation guidance, endpoint protection, asset management, configuration management, IT security, data security, incident response. Security teams perform dozens of security tasks and manage hundreds (if not thousands) of assets. Security might not make companies money, but security teams surely SAVE companies money - hundreds of thousands, even hundreds of millions, of dollars through risk mitigation. This is money that businesses have to SPEND if something bad were to happen. Which is why I think letting go of an entire security team is an extremely poor business decision. You might *think* you're saving money, but you're going to *spend* that same amount of money (and more) to fix future security problems that could have been caught much earlier. I hope we can work together to help these ex-Patreon employees land on their feet quickly. What happened to them shouldn't have happened at all. #cybersecurity

Yesterday, Patreon decided to part ways with their ENTIRE security team. Yes, 100% of their security team was laid off. Patreon said that they will be using an external security vendor instead. Now, I might not understand the full reasoning behind this decision, but I DO know that getting rid of the people at the front lines - the folks that fight to keep businesses safe day in and day out - is not the greatest idea in the world. Why? Because security teams do a lot of "invisible", yet critical, work for the business. Work that doesn't normally show up as bullet points in a board deck. Work that isn't seen as "revenue generating". Security operations, security reviews, implementation guidance, endpoint protection, asset management, configuration management, IT security, data security, incident response. Security teams perform dozens of security tasks and manage hundreds (if not thousands) of assets. Security might not make companies money, but security teams surely SAVE companies money - hundreds of thousands, even hundreds of millions, of dollars through risk mitigation. This is money that businesses have to SPEND if something bad were to happen. Which is why I think letting go of an entire security team is an extremely poor business decision. You might *think* you're saving money, but you're going to *spend* that same amount of money (and more) to fix future security problems that could have been caught much earlier. I hope we can work together to help these ex-Patreon employees land on their feet quickly. What happened to them shouldn't have happened at all. #cybersecurity

Yesterday, Patreon decided to part ways with their ENTIRE security team. Yes, 100% of their security team was laid off. Patreon said that they will be using an external security vendor instead. Now, I might not understand the full reasoning behind this decision, but I DO know that getting rid of the people at the front lines - the folks that fight to keep businesses safe day in and day out - is not the greatest idea in the world. Why? Because security teams do a lot of "invisible", yet critical, work for the business. Work that doesn't normally show up as bullet points in a board deck. Work that isn't seen as "revenue generating". Security operations, security reviews, implementation guidance, endpoint protection, asset management, configuration management, IT security, data security, incident response. Security teams perform dozens of security tasks and manage hundreds (if not thousands) of assets. Security might not make companies money, but security teams surely SAVE companies money - hundreds of thousands, even hundreds of millions, of dollars through risk mitigation. This is money that businesses have to SPEND if something bad were to happen. Which is why I think letting go of an entire security team is an extremely poor business decision. You might *think* you're saving money, but you're going to *spend* that same amount of money (and more) to fix future security problems that could have been caught much earlier. I hope we can work together to help these ex-Patreon employees land on their feet quickly. What happened to them shouldn't have happened at all. #cybersecurity

Yesterday, Patreon decided to part ways with their ENTIRE security team. Yes, 100% of their security team was laid off. Patreon said that they will be using an external security vendor instead. Now, I might not understand the full reasoning behind this decision, but I DO know that getting rid of the people at the front lines - the folks that fight to keep businesses safe day in and day out - is not the greatest idea in the world. Why? Because security teams do a lot of "invisible", yet critical, work for the business. Work that doesn't normally show up as bullet points in a board deck. Work that isn't seen as "revenue generating". Security operations, security reviews, implementation guidance, endpoint protection, asset management, configuration management, IT security, data security, incident response. Security teams perform dozens of security tasks and manage hundreds (if not thousands) of assets. Security might not make companies money, but security teams surely SAVE companies money - hundreds of thousands, even hundreds of millions, of dollars through risk mitigation. This is money that businesses have to SPEND if something bad were to happen. Which is why I think letting go of an entire security team is an extremely poor business decision. You might *think* you're saving money, but you're going to *spend* that same amount of money (and more) to fix future security problems that could have been caught much earlier. I hope we can work together to help these ex-Patreon employees land on their feet quickly. What happened to them shouldn't have happened at all. #cybersecurity