
A Realistic Look at Cutbacks in Information Security Practices

I read with some dismay a recent report by Foote Partners that said that the IT and IT security market is not likely to improve from its current dismal state until the end of this calendar year. Let’s face it—the last 18 months have been anything but ideal for information security professionals. I know many highly knowledgeable and accomplished information security professionals who have been out of work for a prolonged period of time now. Some are just about ready to give up—a real shame not only in terms of a psychological perspective, but also from the standpoint that their knowledge and skills are going unused when they could instead greatly contribute to risk management efforts and business enablement within organizations.

As I have said before, a certain amount of whining concerning the status of information security within organizations exists. The reasoning goes something like this: “Information security is really critical given the level of risks that my organization faces, but executive management remains clueless and indifferent about it.” I’ve also previously said that I believe that (as the CISM exam preparation materials state) if executive management does not really understand and value the contribution of information security to a business, it is imperative that the information security manager initiates a concerted effort to educate executives concerning what information security has accomplished and promises to deliver in the future. Doing this is no easy task, as face-to-face time with executive management is generally extremely limited, but somehow “best-of-breed” CSOs manage to succeed in this task.

There should be no mysteries concerning cutbacks in information security staffing. Bad economic times foster cost-cutting measures, and seldom is any function or group within an organization spared from them. But then I got to thinking that groups and functions within organizations that are perceived to be extremely valuable from a business perspective generally fare better when it comes to staffing than those that are not. Staffing cutbacks within information security may thus be unusually easy for executive management to make when they do not really understand what information security brings to the table, so to speak. The fact that some of the top information security practices in the world are currently hiring information security professionals instead of laying them off serves as strong proof-in-point.

There is an old saying, one that I do not completely agree with, that goes like this: “Every victim participates in his own victimization.” I wonder to what degree this saying applies to some information security practices today. I wonder how many CSOs have viewed cutbacks as inevitable and, accordingly, have waited with dread until cutbacks have actually occurred in a kind of self-fulfilling prophecy scenario. I wonder how much different the staffing cutback situation in these practices might have been had there been more of an effort to fight the downsizing trend by instead attempting to educate executive management concerning the value of information security to the organization. The task is not by any means easy, true, but the effort is more than justified by the fact that the reward, if obtained, is so great.
