Security Manager's Journal: The economy takes a toll on security

Computerworld - Financially, things have gotten really bad around here, even worse than I expected -- and as a security manager, I always expect the worst.

We all know the economy is gasping for breath (some would say you can hear the death rattle), and the repercussions are hitting my company hard. Our CIO has been meeting with each IT manager in emergency sessions to find ways to drastically cut costs so that we can try to avoid (or at least delay) major layoffs. Financially, our boat has been leaking for a while now, and we've been bailing out the water with some pretty small buckets.

Our response to the crisis up to this point has been to cut our 2009 budget and try to be fiscally responsible. But now, the pace of our company's overall financial losses has accelerated, and our metaphorical boat has started sinking fast.

I've had to make sacrifices when putting new security capabilities in place this year. But now, I need to find ways to cut significant costs from our existing security expenditures in order to avoid cutting staff.

And we're talking about a very short time frame. In the next two weeks, I'll have to cut several hundred thousand dollars from my department's expenses or else eliminate that amount of money in staffing and payroll costs. What a terrible situation to be in.

My department is already being run by a skeleton crew. We haven't been able to hire anybody since the middle of last year, and staff attrition has left me with no duplication of skills and only the bare minimum of people to run the basic security operation. Any further staff reduction would be devastating to our security department. I honestly can't envision how we'll be able to continue providing the level of protection our company needs with any fewer people.

Staying In-House

We do have a couple of third-party services we're paying for, and the contracts (luckily, I guess) are coming up for renewal soon. So I'm hoping that if I decide not to renew our outsourced security services, we'll be able to save enough money to satisfy our department's cost-reduction target.

That's not something I'll do gladly, because we're already way behind where I think we should be in terms of our corporate security posture. But I'd rather take a big step backward by coming up with cheaper in-house approaches than lose the people on my staff who have done so much to build our current security capability. We've invested a lot in these people, building the knowledge base and skill levels that they have today.

Ultimately, security is not just about protecting information; it's also about protecting people. In fact, some would say that protecting customers, partners and employees is the most important part of a security manager's job. Protecting my employees is at the top of my list, so I'm going to do what I can, and I just hope it will be enough.

There is no question in my mind that my company is about to have a massive layoff. I have a bad feeling that my team won't escape unscathed. And being forced to choose who to cut from my already devastated team is going to be like choosing which arm or leg to cut off of my own body.

This is ultimately the worst part of the responsibility of management. I've had to do it before, and I hoped never to have to do it again. But it looks like there's just going to be no escape.

For now, I'm going to try to stay positive and hope for the best.