On Twitter and LinkedIn, I am seeing furloughs and outright terminations of security roles at a volume I’ve never seen before.
If fear of this pandemic’s economic impact is causing you to consider large-scale tactical reductions, first consider these three implications.
Maslow would tell you to think it through
In 1943, Abraham Maslow came up with a hierarchical model that described the various needs that drive human behavior. Briefly, we humans need to satisfy the lower level before we will take on behaviors at the next level up. Our most fundamental need is survival; we need to eat, to sleep, and to be sheltered from the elements, or we die. So, we first act to cover those needs before we move on. Once we have that, we act to acquire security, or safety. With our physiological needs satisfied, at this level we protect ourselves. Clearly, if we are constantly looking over our shoulder, or risking being eaten in our sleep, we aren’t going to move on to more fulfilling activities. These two levels are described as humans’ “basic needs”, followed by “self-fulfillment needs” like love, esteem, and eventually, self-actualization.
Businesses have a similar hierarchy of needs. The business hierarchy also starts with survival, but now the business leader has to ask, “Do I have a source of sufficient funds and something to sell?” The second basic need is also the same: security. The question here is, “Can I safely transact my business in order to have something to sell and to get those funds?” These are the two basic needs: product/revenue and security. Self-fulfillment, or in this case the fulfillment of the business’s potential, looks different. The needs that follow are trusted customer relationships, a recognized brand, and lastly, business expansion and corporate citizenship.
If you are currently thinking seriously about slashing your security spend, remember Maslow. Debilitating your security capability creates a serious risk of failing to achieve higher-level goals like customer satisfaction and a winning brand. If the outcome of security reductions is a breach or public embarrassment, the organization will find itself forced back to level two, re-establishing a secure foundation before it can get back to fulfilling its potential.
Security reduction and reparation are a sawtooth, not a curve
You may be thinking that you can reinvest in security as finances improve, but during that time the attackers are no less active, and you are now exposed. Large-scale tactical reductions in your security spend and capability result in a sawtooth wave of vulnerability. An uncompensated reduction in security (a furlough of security staff, for example) happens as a step function: your preparedness or response capability is impacted immediately, while reconstituting that protection takes place gradually over time. Particularly where security team members are concerned, there will be at least a six-month gap covering recruiting, interviewing, hiring, and ramping up new security staffers.
If you’ve got the right budget for protection now, doing less is probably not enough
In the MDR Manifesto, I put together a chart that showed the relationship between the trends in security investment and costs of cybercrime. They track unpleasantly, with the growth in cost of crime finally surpassing the growth in investment. I think it’s predictable that the increase in cybercrime will accelerate during widespread slowdowns and even decreases in investment.
I am not an attorney, so caveat emptor on this liability analysis.
In 1947, Judge Learned Hand (what a great name) “proposed an algebraic formula to determine if the standard of care has been met.” Simply, if the cost of prevention is less than the cost of the damage multiplied by its likelihood, then the defendant was guilty. If we apply this equation on the day after a large-scale reduction, we can see there is an issue. Unless the organization was seriously overpaying for its security, a major reduction will now have it spending much less on prevention while the damage, and the likelihood of damage, have not changed. An increase in damages following a decrease in spending points to classically negligent behavior.
If you are currently thinking seriously about slashing your security spend, remember Judge Hand and the formula:
We can assume that security buyers have their current investment levels relatively correct. If those investments in protection are cut (in this example by 25%) without reducing exposure or introducing other controls, it creates an imbalance in the calculation of negligence. Protection costs are reduced, but the likelihood of breach has, at the very least, stayed constant. Projecting forward using growth rates from the past 10 years’ data, you see that the 25% one-time reduction results in liability for 40% of cybercrime costs in 4 years.
Be thoughtful about any moves in chaotic times
Periods of high stress cause us to lean towards major moves to relieve that stress. If you find yourself in a budget bind because of current economic conditions, take the time to think through the impacts. Security is an easy target: it is a cost center, and weaker security isn’t obvious to customers or external observers. Unfortunately, security is a competency that takes time to develop, and one where gaps can result in outsized consequences. So, think about your choices, and if you need to reduce investment, make sure that you’ve identified the resulting gaps and found ways to close them before you act on any reductions.