Steve Lutz


The demand for Information Security consulting has been steadily increasing in the past 10 years, and for good reason. As everyone got on the technology bandwagon in the 1990s, the pressure increased to find innovative ways to deploy technology and increase productivity. The business community "discovered" the Internet and grand proclamations were made about the obsolescence of "brick and mortar" to be replaced by "e-commerce." While much of this was over-hyped, the race was on and "time to market" became one of the anthems of the new economy.

So in the frantic race to beat the competition, technology was deployed with little thought to security. Indeed, people had just enough time to get whatever it was working, let alone secure it in any meaningful fashion. And then pow, some security breach was discovered and it had to be fixed fast. In the rush to put the Web site or whatever together, no one budgeted for security, and there's nobody in-house with the expertise to handle it. Enter the information security consultant. Since it wasn't budgeted for in the first place, it's an out-of-cycle approval from management, and there you are trying to secure a system that has deep design flaws from a security perspective with an obscenely small budget. You explain that to really do it right, a complete redesign is in order. Yes, we understand and No, we can't do that. "It's a production system," "Our competition will kill us," "We don't have that kind of budget for security," and so on. With a sigh, you do the best you can to place some security Band-Aids on it and advise them to call you before the next design meeting for version 2.0. Guess what happens when v2.0 is released? Same thing.

This cycle repeated itself for pretty much the entire "dot-com" era with some exceptions. Some of the more forward-thinking companies hired consultants for security architecture and design work and saved themselves a whole lot of money and headaches. Still, the InfoSec consultants had more work than they could handle. (The same was probably true in the 1920s for radio engineers.) One good thing that came out of the 1990s was raised awareness of the role that Information Systems Security plays in a successful technology deployment. Oh, and there are now hundreds (thousands?) of companies offering security products for every conceivable problem.

Now that the party is over and technology has fallen back to being just another business tool, what will this mean for Information Systems Security consultants? Virtually all companies have cut back on their IT spending and are focusing on using what they've already overbought. Part of the hangover is that companies have had to lay off significant numbers of people across the board, including IT. Lean and mean, baby. Now it's time to take stock of what we did during the frenzy and see if there's anything we missed. Did we buy enough servers? Yes, we've got plenty. Networking? Yup, plenty of that. Web sites? Got 'em. There was something we missed, though.... What was it? Something critical.... Oh, yeah! That security thing. OK, get somebody on it. Oops, we laid them off. Hmm, can we hire someone? No way, there's a hiring freeze on. Well, we better call a consultant then.

And that's where we're at now. Information Systems Security consulting is doing quite well in these times and mainly for those reasons. A lot of what we're seeing is going back over everything and locking it down. That's great, but where is it going? I think that this will continue for some time during the economic downturn. At just about the time the retrofitting work is done, the economy will probably heat up again and companies will start buying IT again. When that happens, we InfoSec folks will be there to secure the next generation of information technology. Let's just hope everyone does it right the next time around, rather than rushing into every project just to get it out there fast.




The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204
