How Security Teams Should Prepare for Challenging Economic Times

This blog is not about COVID-19. This blog is about life after COVID-19. As a young man, I spent over a year deployed to Iraq in support of Operation Iraqi Freedom as part of the United States Army. The situation seemed hopeless at many times, the days seemed long, and there was no definite end in sight. One of the things that helped me and my peers keep our sanity was thinking about what we were going to do when we got back from Iraq. As the shock of watching free societies devolve into semi-forced seclusion and massive changes to our way of life take root globally in order to slow the spread of COVID-19 wears off, and we begin to adjust to our new normal of remote work and social distancing, it’s worth taking some time to prepare for life after the pandemic. We cannot control our current circumstances, but we are in full control over the ways in which we prepare for our future now, so we can be better prepared to help the economy heal when this is over.

I am neither an epidemiologist nor an economist, but I believe that at some point in the future this pandemic will pass, and when it does, there will be a lasting economic impact associated with the measures the global economy took in response to the novel coronavirus. Exactly when this pandemic will pass or how much economic damage is done is a matter that should be debated by people far more qualified than I.

To understand Information Security as it exists today and how it may change in the future, it helps to recognize that we are exiting the longest-running bull market in history at 11 years, and that the overall awareness of Information Security and its place in an organization is vastly different than it was in 2008. As a result, no one knows for certain what will happen to the security market in an economic downturn, because the security market as it exists today has never co-existed with a comparable downturn.

Additionally, when the world experiences something as jarring as the response to COVID-19 has been, it rarely emerges from the crisis without significant changes to everyday life. Whether it was the end of colonialism after World War I, the new world order and struggle between Communism and Democracy after World War II, or the fundamental change to transportation security after September 11, 2001, life did move on, but there was no return to the normalcy that existed before the event. It is highly likely there will be structural changes to the way people live and work as a result of the current crisis as well. I cannot predict what they all will be, but one seems obvious. The business world will no longer wonder which of their positions are well suited to remote work and which are not. How will that change Information Security?

Bulls and Bears

Over the last 11 years, during the longest bull market in history, Information Security spending has grown every year both overall and as a percentage of IT spending. With it, the number of products and vendors competing for the increasing wallet share has grown as well, but the efficacy of those solutions has not necessarily improved. As a result, many companies are doing business with 30 or more Information Security vendors and have rarely challenged their spending in these ever-expanding categories. Security professionals have even been so arrogant as to say that organizations cannot measure Return on Investment for security spending and they should not even try. While security investments will not yield revenue, there is a return on security investments in relation to risk mitigation that can and should be measured, but with budgets ever-expanding and very little oversight of how security investments were being made, many organizations continued to invest in more products with little regard for their efficacy.

Bear markets operate very differently. In times of economic hardship, most companies scrutinize all expenditures every year. In a bull market, “baseline budgeting”, where run-rate costs from the previous year are assumed in the next year’s budget, is common in the security space. I predict that in a bear market, Information Security leaders will be forced to defend their incumbent vendors every time a renewal comes in. In times of economic uncertainty, elasticity, flexibility, and liquidity are important. This is likely to drive organizations to embrace flexible pricing models with little capital expenditure, which in turn is likely to accelerate the cloud adoption curve even further and put increasing pressure on hardware-based solutions. This trend will not only accelerate the digital transformation of Information Technology spending but will also drive organizations to adopt more modern security architectures much faster than they have in the past. The combination of adopting new models and scrutinizing old incumbent products, which may not be providing value commensurate with their cost, will likely leave some segments and vendors struggling for survival.

Organizations have been talking about security vendor consolidation for several years, but a bear market may finally force consolidation in earnest. Not only to consolidate vendors, but to also consolidate products as the premise of the product itself and the problem it is solving may be challenged. Most security products do solve a problem, but in many cases, they are solving a small or highly specialized problem that does not pose a major risk to the organization. In more challenging economic times, those risks are likely to be accepted rather than mitigated.

So, what form does consolidation take, and who wins in a consolidated world? In my view, there are two approaches that make sense. First, an organization can choose a single vendor with broad offerings and sign some version of an Enterprise License Agreement with that vendor. Vendors who can realistically compete for this business are large vendors with a breadth of offerings like Broadcom, McAfee, Palo Alto, and Microsoft. Since no vendor does everything well, the organization will then take stock of what gaps exist in the chosen portfolio and take a risk-based approach to deciding whether to accept those risks or mitigate them using a specialized product outside the portfolio. Such an approach would likely result in 10 or fewer security vendors for most organizations, as well as considerable savings over their current approach.

The second approach is to separate security resources into groups. The best categories I have seen come from Sanjay Beri, CEO and Co-Founder of Netskope. Sanjay defines four core security categories: Data and Network Security, Endpoint Security, Identity and Access Management, and SIEM/SOAR. Organizations following this approach would choose one vendor in each of these four spaces and leverage that vendor’s platform to solve the use cases in that category. This approach yields four core security vendors. An organization may need to augment those core vendors with point products, but would do so only to fill gaps in the short term. Those point capabilities would be replaced by the strategic vendor once that vendor made those capabilities available.

Regardless of which approach is taken, I see security technology consolidation inside of organizations as being inevitable. I also don’t see it as a bad thing. I think that after consolidation occurs, it is more likely that the fewer solutions will be able to work better together, and efficacy is likely to improve. It could very likely be addition through subtraction.

Staffing in Uncertain Economic Times

It is no secret that when the economy is struggling, organizations hire fewer people. It is unlikely the security space will be any exception. However, that does not necessarily mean people will be laid off in security. Since there is such a massive shortage of qualified talent in the security space anyway, millions of jobs could be eliminated globally without a single person being laid off. Most companies will simply close the open positions they are unable to fill anyway and re-allocate the budget they had for staff to other initiatives.

Security roles will change, however. With fewer security roles, security practitioners will be asked to cover wider portions of the portfolio. Vendor consolidation will help with span-of-control issues, but it is unlikely that security practitioners will be able to be experts in every technology inside their purview. Instead, security practitioners will likely become strategists and liaisons to business units, and will outsource specialized skill sets to services providers.

Just as organizations will approach technology consolidation, they will also either find a generalist security services provider and augment its gaps in capabilities with specialists, or they will find a single services provider in each of the four major technology categories to partner with. The latter approach seems best, because it means an organization can be successful and gain comprehensive technology and services with only eight strategic relationships and a reasonable amount of internal staff. This is significantly less complex than the web of relationships most organizations have today.

How Will Work Change?

I post all my predictions on my LinkedIn and I never take them down. You can still see my predictions from 2014 if you are so inclined to go look. As a result, I try not to make predictions that I don’t have a high degree of confidence in. I cannot predict all of the lasting workplace and societal impacts of the extraordinary times in which we live today, but I do predict there will be a significant rise in remote work that remains long after employees are permitted to return to the office.

There have long been theoretical debates regarding which positions can operate effectively in a remote work environment and which cannot. Within the next month, we will all know the definitive answer to that question. Some positions will return to the office as soon as they are permitted to do so, and some will never return. Far more will exist in a gray area where some organizations allow remote work, and some require the position to be office based. That’s where the free market will step in.

Organizations that embrace remote work where feasible will not only have access to the highest quality talent, they will be able to expand their talent pool at least nationally if not globally. If two San Francisco based companies are competing, and one is favorable to remote work and hires a significant portion of its workforce in places like Omaha, Nebraska, while the other is not and sources all of its talent in the Bay Area, the labor costs of the second will be significantly higher. As a result, its prices will be higher, its quality likely lower, and it will lose in the marketplace.

These market changes will drive a significant increase in remote work, which will change the way IT infrastructure is built, significantly accelerating Digital Transformation. Traditional security models that rely on traffic traversing a network segment, like on-premises proxies or firewalls, will become far less relevant, and Zero Trust Architectures and Secure Access Service Edge (SASE) strategies will become more prevalent. This will improve not only all workers’ performance but also their security. The benefits will be shared amongst remote workers and office-based workers alike.

Conclusions

Human suffering is always tragic. Both the crisis we are currently dealing with and the likely resulting economic damage are going to hurt a lot of people. My heart goes out to each of them. However, economic cycles are not always bad; they act as renewal agents for business processes and approaches. Down economies kill bad ideas, while bull markets often keep them afloat long past their usefulness. It is time for security architectures to modernize and to become less complex and more effective. It is likely that the years ahead will force that to happen. Many organizations are adapting to working remotely today. My advice is to think of this not only as a short-term challenge, but as a strategic opportunity to begin thinking critically about your security infrastructure and whether it is built for the future or for the past.

Most importantly, we need to give people hope and something to think about beyond the current crisis. Pondering life after the pandemic can be helpful. It is also important to check on each other. As a member of the veteran community, my life has been significantly impacted by undiagnosed and untreated mental illness. Social distancing is likely to make those problems worse. Call your friends and family to check on them during these challenging times. You never know the impact you can have. This will pass; let’s all make sure we get to the other side together.

Kevin Angone

Security Leader | Security Data and Solutions Architect | Business Information Security Officer | Risk Management Strategist

4 years

Good read, and thanks for sharing. I agree where we are today will grow the cloud adoption pace, and that “security practitioners will be asked to cover wider portions of the portfolio.” I feel we are already seeing a shift to questioning the specialization across the security discipline. With likely looming budget realities, the inevitable is a discussion that will in turn drive to vendor and skills consolidation. Thanks for sharing. Stay well!

Jane Johnson

VP, Head of Data Protection Engineering

5 years

Great read. You are correct with open requisitions eliminated, but I disagree with budget re-allocated for other resources. Closing open requisitions will offset the financial loss accrued from this global pandemic. Regarding your statement on “security practitioners will be asked to cover wider portions of the portfolio.” I completely agree and will benefit cyber security professionals that have vast knowledge of cyber services.


Excellent article, thank you for sharing this!

Angelique Grado

Inspired Leader, Executive, Mentor, Speaker, Board Member. AI and Data enthusiast. Strategist. Hobby bee keeper, Queen maker, healthy lifestyle.

5 years

Great post. A friend at HP and I were discussing similar topics. There will be new economies from this, and some markets may change drastically, but we as a society will want to make a better, more secure and safe future. Great post. Stay well.

Christopher Lancos

Sales leader at Torq

5 years

Enjoyed it Jeremy, thanks!


More articles by Jeremy Wittkop, EMBA, CISSP
