Recession. Low consumer spending. Collapse of the financial sector.
These are terms everyone’s buzzing about. They are a reality that seemingly affects everyone. This year we have seen large companies being bought out, big names with a lot of tech behind them mash up their systems, and even Silicon Valley bigwigs shaking in their boots.
Security Aegis wanted to know what some outstanding industry professionals had to say on some of the key points in this storm. Below are excerpts from interviews with Stephen Northcutt (president of SANS and founder of the GIAC certifications), Justin C. Klein Keane (vulnerability researcher and owner of MadIrish.net), Andre Gironda (vulnerability researcher and member of the OWASP Tools Team), and Chris Gates (VP of Operations for LearnSecurityOnline.com and monthly columnist for EthicalHacker.net), as well as my own perspectives on the topics.
With IT scare articles everywhere I wanted to know how they thought the
“I think the downturn will affect security in a rather profound way. Security is an intangible investment for many companies, meaning when it works you aren’t ever aware of it. I think many companies will be tempted to slash their security budgets to save money,” Keane said. Gates responded similarly, “I think people will be less inclined to purchase new security appliances and will put off any non-critical work in their enterprises.”
Although these responses were bleak, we were inspired by Gironda’s vision, which became a hopeful mantra: “It means more crime both online and off. More people will be desperate, from white-collar to blue, and even the poorest classes of people. This will lead to more crime, ID theft, and many other issues. IT Security will become as important and more strained, as would law enforcement and hospitals.”
I felt a dark tone throughout the interviews, pointing towards fear for permanently employed InfoSec professionals who would face budget cuts and layoffs, but also hearing promise of a rise in contract work as the pay-for-service model would prevail. So naturally we asked the contractors what they thought. In a surprising show of confidence, most of them were not fazed. “I am relatively lucky that being in NoVA and a government contractor I haven’t seen much in the way of any slowdown. Probably because monies for the contract I am on hav(ing) already been awarded,” said Gates. Gironda, citing a multitude of smart investing options, put it very simply: “…The stock market has always, and will always be, crap. It will never affect me.”
I moved back to a core question we thought was important enough to single out: do you foresee hiring and raise freezes for IT security folk?
Northcutt responded, “Certainly Jason, not for all IT Security folk, some stocks are up, some organizations are doing well, but here is my take. The financials have been hit very hard. Now some of them such as Goldman Sachs are well positioned to make investments for the future, but mostly even the ones with minimal subprime exposure were caught in the down draft. Business in general is hurt by the credit crunch, so that slows them down. The government will not be hit immediately, but as lower tax receipts happen, we will start to see cutbacks. But, I certainly do not expect this to last forever.”
To me this was bittersweet. Of course recessions don’t last forever, of course there is an end in sight, but hard times fall and sometimes leave people stranded. The dotcom crash had big-time webapp folks, sysadmins, and internet engineers looking for work at K-Mart. Keane added, “Hiring and salary freezes are definitely on the horizon for everyone in IT, especially security. I think many people in security will be lucky to keep their jobs, so not getting a raise will be more palatable.” Gironda took the diversification route: “For network security people: yes (it will affect them), Appsec security people: no.” Gates added, “…(it) sucks because most IT security people are underpaid.”
With four out of four worried, I tried to bring some different questions to the table: I asked about the value of certifications in hard times, open source and volunteer projects, pricing for security resources, and the ever-constant fear of outsourcing.
I’m a fan of certification; some aren’t. That’s ok. Every time a position has come down to two candidates who were similarly skilled, certifications have shown that a potential employee is dedicated to excellence and has the drive to excel. (The idea can be seen in the current state of undergraduate programs in the American education system: many employers just want to see a degree regardless of what it is. Some people would argue the same principle applies to the CISSP, but that’s a discussion I won’t get into here.) Regarding certification, Northcutt said, “Sadly, the biggest value is in layoff situations. If you are on the street, anything that makes your resume stand out is a benefit.” Keane followed with, “I don’t think the value of certification is going to change much. The cert is still only going to be valuable in certain sectors. However, when the economy slows and more people are looking for work employers can be more discriminating. With a large pool of applicants, HR departments will have the luxury of requiring certifications.” “It is best to get certs during a recession, but do not expect them to get you a job until the recession ends. It’s called ‘planning for the future’. The best plan is to make sure that you are working and making money,” added Gironda.
On a side note, I wanted to ask about open source projects, volunteer projects, and paid tools like Core Impact. These are things important to a thriving security web community. Keane said, “Open source tends to do fairly well through recessions. If nothing else there are more out of work programmers around to contribute. Making an investment in open source is especially safe in a down economy because you don’t risk becoming locked in to an unsupported product because a vendor went out of business.” On paid tools, Gironda chimed in with, “Core Impact has recently split their product line into a primary tool and the ‘Impact Essential’ cheaper product. We’ll see more splits like this for companies like Core who spend too much money on research for products that don’t sell, don’t work, and cause more problems than they solve.”
When asked how they saw the state of affairs related to outsourcing of vulnerability assessments and pentests, we got different viewpoints, ranging from a very capitalistic view from Gates, “I think the best person for the price should do the work… (I)t’s all about what the client wants and needs to protect against,” to statements of warning from Gironda, “SaaS and other outsourcing models are bad for organizational risk. Black box testing only finds 0-10 percent of the vulnerabilities that they cover (which are about 1 percent or less of the total vulnerabilities possible). The information discovered could be subverted. Remote vuln assessments and pen-tests are dangerous and many organizations are beginning to realize this.”
We also inquired about corporate mergers/mashups and the resulting changes in big enterprise networks. Are they an opportunity for attackers?
Gironda had this to say, “Mergers/takeovers ruin audits, especially things like patching initiatives. Both sides expect that the other has done their jobs, when in fact, neither have. It delays and prolongs security initiatives, which raises risk higher than most other scenarios.” Keane added, “Network merging is certainly an opportunity – for attackers. It’s going to be a nightmare for support folks.”
Gates’ response gave a little hope:
“It should be a great chance for some security companies to do great things. Whether or not those people actually do them or not is another matter. Lack of funds is always a good reason to just ‘get something done’ instead of ‘getting it done right.’”
To be honest, when I set out to write this article I didn’t expect my fear to be agreed upon. I regard these peers very highly, and most were very fearful for others; it was an eye opener to say the least. Not to say I didn’t expect the reality, but rather I hoped there would be a nice big sunset for the InfoSec hero to walk into. I think that these interviews show that the niche of InfoSec is one that is fragile but vastly important. We can hope that through the rocky fears of a recession our careers bloom due to a vast realization of how critical security is, but it never hurts to have a polished resume, to be constantly improving our skill set, and to poll dice.com every once in a while.
Thanks for reading,