When times are tough, business survival has to take precedence over security considerations. This logic suggests that security budgets will be severely squeezed in a major downturn. But is this really the case? Companies are downsizing, but many security functions and budgets have managed to survive the last six months relatively unscathed. How long can this trend last? And what will be the impact on security vendors?
The answers to these questions are more complex than we might imagine. There are several contradictory trends at play, some that boost security spending as well others that reduce it. Smart security functions should conduct an analysis of the threats and opportunities for their budget. Paul Dorey, former CISO for BP, has an excellent methodology for assessing the impact of the opportunities associated with the current downturn. It shows, amongst other things, that we can expect a combination of more and less demand for particular security services.
The most important trend is the simple fact that security continues to grow in significance, both in terms of risks as well as prominence on the Executive Board agenda. Fear of major incidents coupled with growing compliance demands should ensure that cutbacks in security are kept to an absolute minimum. But cancellations of new projects and budget reductions in operational services will also tend to squeeze security budgets.
Fortunately security is better placed to survive cutbacks. For one thing, the security function generally operates with backlog of initiatives. There is always more to be done than current resources allow. Unlike many other IT functions that might become idle when projects are postponed or services cancelled, security functions can always find useful work to do. And a general reduction in development projects can also mean that there is more money available to spend on security projects. No CIO wishes to see a complete decimation of the IT budget. They will support initiatives that remain compelling throughout the downturn.
Less demand for security support for new development projects might also free up existing security resources to launch new security initiatives that have been held up awaiting the availability of key staff to develop the necessary business case. It’s no trivial matter, however, to frame a business case against a background of across-the-board cutbacks in capital expenditure and external consultancy spending. But, whatever transpires, we’ll soon have a good idea of where things are heading. The start of the new financial year will set the tone for the next round of investments and cutbacks. Let’s hope that it’s positive for the security industry.