Over the past few weeks I’ve talked to several privacy officers and information security officers about how things are going with their initiatives, funding, and so on. Many from the financial industry, but otherwise a wide range of businesses from small to large. There has been a common theme during these discussions…
The horrible U.S. economy is having a domino effect throughout the country, resulting in many CEOs making cuts throughout the organization.
It was common during my conversations to hear that the first to go are the contracted workers, many of which did the basic information security activities such as data entry, call staff, basic configuration maintenance, and so on.
It was also common to hear they are cutting consulting dollars. I personally have always thought that consulting companies charging $200 – $350 per hour to do long-term projects was ridiculously high. Several years ago when I was working for consulting organizations that is what they charged. Not even close to that hourly amount came to me though; a large portion went to the sales folks who “sold” the project (a completely different rant that I’ll save for a later time), the admin folks, the accounting folks, etc. These high rates have basically priced them out of business in many cases. But even if consultants are charging much less, many of the info sec and privacy practitioners told me they are cutting the use of consultants; period.
Probably the most concerning common statements were that, while full- and part-time employees are not yet being laid off, I heard that many of them have not only had their salaries frozen, many have not had a raise in a year or two, and some have even had their pay reduced. I also heard a disturbing trend, in multiple companies, for information security staff dedicated to information security and privacy awareness and training to have their positions’ pay scale “re-adjusted” to be comparable to positions in corporate training instead of positions in information security, which resulted in a lower average rate, and reduced their salaries.
Folks, humans have always been, and will always be, the weakest link in information security and privacy. Employees must receive good and effective training and ongoing awareness communications if you want to effectively safeguard your information assets.
Multiple people have told me their CEOs and other C-level execs are doing whatever they can to save a few thousand dollars in the short term and are knowingly taking the risk that it could cost them millions in the long term from resulting incidents that could very well occur from the vulnerabilities that are left unaddressed within the business enterprise.
Many of these info sec and privacy folks are very frustrated. They feel they are not being listened to. They feel as though they are being left vulnerable to be the scape goat when one of the risks they’ve been told they cannot address will be exploited. They are working longer hours doing more responsibilities because of the contractors and consultants being cut. They are just plain tired. I know some have even gone into completely different careers.
The lousy economy is a catalyst for degraded information security controls and practices and increased incidents.
Even with compliance requirements, increasing information security incidents and more privacy breaches, the CxOs are willing to chance that nothing will happen to them.
Horrible economy = less information security and privacy = more security incidents and privacy breaches
I think a good new theme song for these increasingly frustrated information security and privacy pros would be the The Barenaked Ladies’ “The Humour of the Situation”…”I felt a chill because I was still wearing the emperor’s new clothes.”
Usually I’m a glass half full type of person, but I’ve heard so much from practitioners about these dangerous trends that it seems that even more privacy breaches will be inevitable, spawned as a downstream result of the lousy economy.
Are others seeing this also?
Tags: awareness and training, Information Security, IT compliance, policies and procedures, privacy breach, risk management, security awareness, security training