The worst has happened. I have to cut almost half of my information security staff because, in this economy, the company is losing money faster than anybody anticipated. The cuts will include over a third of our global IT department, and even that may not be enough. We may need another round of layoffs if things don't get better soon.
This is going to have a devastating impact on our ability to provide services to the company and protect its assets. With a bare-bones staff, our IT department won't be able to roll out any new capabilities; all resources will be focused on keeping our technological lights on. It's amazing how fast things are falling apart. At this rate, I'll be lucky if there's a company to protect by the end of this year.
It's demoralizing. Despite my best efforts, I wasn't able to protect my staff, and now we're at risk of losing ground on everything we've accomplished. We spent all of last year establishing our fledgling information-security program. Things were starting to look up, but we can say goodbye to all that for now.
For example, we fought an uphill battle to get our IT organization on board with patching our servers, and we were just starting to see some improvement. Previously, our servers were not being patched at all. They were just being built, deployed and forgotten.
Today, about 20% of our servers are being regularly patched. They were the lowest-hanging fruit -- noncritical servers that were low risk. We were just starting to address the other 80% of our servers, but now I have grave doubts that they will be on a regular patch cycle anytime soon. It's even possible that we'll be unable to maintain the patching routine we fought so hard for.
Given the gravity of our situation, we also won't be able to keep our outsourced third-party services. And my decimated staff, already a skeleton crew before the layoffs hit, isn't going to be able to pick up the slack. In effect, we simply won't be able to do much of anything that an information security department needs to do. Day-to-day operations are going to suffer, and I certainly don't know how we'll be able to find the time to design security for new projects. Oh well, that's something I probably shouldn't worry about too much, since chances are slim that there will be many of those this year. After taking one long, challenging step forward, we're taking two big, fast steps backward.
Too Many Regrets
I wrote in an earlier installment of this column about our budget not including funds for disaster recovery for new applications. I complained mightily at the time, but that now seems like one of my lesser worries. Again, how many applications will our overtaxed IT department be rolling out this year?
But this situation carries other regrets for me. Prevention of data leakage, which is something this company desperately needs, will have to go on the back burner because we can't afford to work on something like that right now. Third-party security audits are out the window, as are any other new capabilities that have a price tag attached to them.
Worst of all, of course, is dismantling my top-notch security team, which I painstakingly built up over the past 18 months and staffed with great people. Some will stay, but many must go. It's one of the most painful decisions a manager has to make.
I've been through this sort of thing before, but that doesn't make it any easier. In fact, it affected me so much last time that I swore off management for several years. This is a situation I wouldn't wish on anyone. Let's hope things get better before they get worse.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Join in. To join in the discussions about security, go to computerworld.com/blogs/security.