Weathering the storm

2009-03-01

Helen Martin

Virus Bulletin, UK
Editor: Helen Martin

Abstract

‘[There is] an indication that IT security budgets are being prioritized even while other business areas are seeing cuts.’ Helen Martin, Virus Bulletin


Reading through some past issues of VB recently I came across an opinion piece penned by former editor Richard Ford in the early part of 2001 (see VB, February 2001, p.8). The opening line read ‘Nobody would debate that the last several years have seen an exceptional growth in the stock market.’ What a contrast to eight years on, when the last several months have seen a calamitous fall in stock markets around the world.

Richard’s article considered the argument that the strength of the technology sector, and the conditions in which companies regularly grew from start-ups to multi-billion-dollar behemoths almost overnight, could actually be detrimental to the security of companies, and indeed nations. In particular, he discussed the rapidity with which high-riders in the stock market can plummet out of favour, and the resultant pressure on those companies which often sees time-to-market and functionality being prioritized at the expense of foundational elements such as security.

Conversely, then, could economic downturn be a positive thing for corporate security and the computer security industry?

It is widely accepted that criminal activity increases in times of economic hardship – more people become willing to break the law when they are struggling to make ends meet. Where online crime is concerned, widespread economic hardship also opens up new opportunities, increasing the number of avenues down which criminals can venture. As the credit crunch tightens and unemployment rockets, cybercriminals will find victims more susceptible to scams that include bogus offers of investment opportunities, financial and legal services, employment opportunities, fast-track qualifications and so on. This, combined with the overall and ongoing increase in online crime over the past year, suggests that in the world of organized crime, business will be booming throughout the economic slump.

Yet an increase in cybercriminal activity does not automatically translate into a boom for the computer security industry. It, like any other, feels the pinch when its customers tighten their belts, and recent months have been no exception. Jobs have been cut by some of the major players in the anti-malware market – including 4.5% at Symantec in October 2008 and 5% at Sophos in January 2009 (although the company attributes the cut to shifting priorities rather than the unfavourable economic climate) – and freezes on hiring and salaries were announced last month by McAfee. However, these cuts are not on a catastrophic scale (at a company level at least); rather they indicate a process of getting houses in order before battening down the hatches to weather the storm.

Indeed, there are some positive signs for the security industry. In a survey of IT security chiefs conducted last autumn by analyst Ernst & Young, half of the respondents said that their annual security spending would increase this year, and only five per cent claimed to be planning reductions in security spending – an indication that corporate IT security budgets are being prioritized even while other business areas are seeing cuts.

A survey conducted by Finjan in December 2008 gave further indication that security budgets are to be prioritized in 2009, with 77% of respondents saying that their IT security budget would be unchanged or increased in 2009. This goes against historical trends, in which IT spending – including security – was one of the first areas to be cut in times of economic difficulty. In 2001 Richard Ford reasoned ‘until the consumer places a high value on security, the market will not place a high value on security’. Eight years on, organizations are realizing the importance of making a commitment to protect their data and that of their customers.

Who knows how long it will be before we see signs of amelioration in the economic climate, but as an industry we must continue to make every effort to keep computer security on the agenda, and continue doing what this industry does best – sharing insight and knowledge, debating and challenging ideas, and encouraging coordinated global efforts to combat cybercrime.
