Gas prices may go down and  electricity may get cheaper –   but In 2009, most of us  will have less money to spend and our clients will be tough on pricing and orders. For information security and compliance professionals it is the time to find, implement and enforce cost-effective security countermeasures. BUT HOW?
If the GFC is going to develop like the bubble bursting in 2001 then we will see the big dip in 2010 as customers continue to spend off 2009 commitments to projects – but by the end of 2009, tech vendors will find their pipeline drying up.
That’s my prediction anyhow.
Our customers are firing and cutting down on  expenses – the question is what will happen to  capital investments over 2009-2010.
Without a doubt – IT infrastructure has been focused since 2001 on cost effectiveness – server consolidation projects, virtualization and free open source line of business applications like Joomla and Sugar CRM have all enabled organizations to do more with less with their business applications and existing IT infrastructure.  Software piracy may have grown in the Far East but millions are using free open source software like Ubuntu and Inkscape and discovering that the software is more secure, more effective and friendlier than Microsoft Windows XP.
During the same period – expenditures on IT security have skyrocketed – as we speak – industry pundits are telling us what a big problem data theft is for organizations during a downturn and how companies must implement data loss prevention technologies from companies like Symantec, McAfee, Fidelis Security Systems, Verdasys, Infowatch, Workshare, Checkpoint and the lord knows – almost every other security vendor.
Unlike server virtualization – IT security is not a business enabler. It’s a cost – security countermeasures reduce risk for a company to do business – they don’t generate more end-user sales or make production more efficient.  I think it’s finally come time to say that the emperor has no clothes – let’s say it again: “IT security is not a business enabler, it’s a necassary cost”,.
For business applications, cutting back on investment programs that will help companies beat the competition is a bad idea. It’s a stupid idea not to invest in getting more competitive during a downturn – eventually growth will return and you don’t want to be dead on your feet when the time comes to get back on the playing field and kick butt.
Remember what happened after 2001 – the market bounces back over the course of 5-6 years and becomes even more brutally competitive, so conditions will be tougher.
But don’t forget that after 2001 – the Internet became a much more dangerous place  – I predict that 2009/2010 may be the worst recession in 100 years – but it will also be the most flourishing time of attacks that test the limits of software security, network security and data security of every sized organization.
What I recommend to all of us: take a deep breath – don’t fire your information security and compliance manager, tell her that she will get a bonus for doing more with less, for finding vendors with most cost-effective security countermeasures (not the flashiest marketing collateral), for using products that have low to zero cost of ownership, for products that will not involve spending 5-10x the cost of product on professional services for customization and policy development.  It’s cheaper to change the way you do business than to spend heavily on application customization isn’t it?