In the wake of what has likely become the biggest investment banking crisis in U.S. history, security professionals in financial services firms are waiting nervously to learn what effects the crisis will have on their organizations.
The trepidation began Monday amid news of Lehman Brothers Holdings Inc. filing for bankruptcy protection, Bank of America Corp. buying the troubled Merrill Lynch & Co., Inc. and American International Group Inc. teetering on the edge of failure, all of which sparked the sixth largest Dow Jones drop in history, the largest in seven years.
While information security groups within financial firms are in wait-and-see mode, security pros say there's no question the industry faces tough times ahead.
"It certainly has created a major PR issue for us, and I assume we are not alone," said Keith Gosselin, information technology officer at Biddeford, Maine-based Biddeford Savings Bank Inc., referring to the need to keep customer confidence up. "As far as security goes, I'm not sure how this will affect us yet."
Information security budgets
Monday's events couldn't have come at a worse time, as this time of year is budget-planning season. Ed Moyle, manager for IT services firm CTG and founding partner of Amherst, N.H.-based consultancy Security Curve, has seen a reduction in security budgets.
"Right now financial services [have] been particularly hard hit. Businesses get hit first and then they deploy [fewer] applications, [and] may upgrade less. Their budget shrinks and then a year later security budgets shrink. Security pros are bracing for it," Moyle said.
Gosselin agreed, saying, "Certainly budgets will shrink; that is a given."
What areas will the cuts come from? Mike Rothman, president and principal analyst of Atlanta-based security consulting firm Security Incite, feels that security budgets won't dramatically change before the end of this year, but 2009 budgets will emphasize keeping and maintaining existing technology, leaving little room for new initiatives.
"If I have a good enough [technology], I'm going to keep it and not look to upset the apple cart until things settle down a bit," Rothman said, adding that new technologies, such as virtualization security, newer versions of antivirus, unified threat management (UTM) and vulnerability management tools will probably be put on hold.
According to Rothman, there is a silver lining. With financial firms cutting staff or going out of business altogether, opportunistic enterprises will have the chance to snatch up experienced information security professionals.
"There's going to be a decent amount of security talent that hits the streets in the near term," Rothman said. "As a manager, there is an opportunity to take a look at the skill sets on your team and bolster it.
"The reality is financials invest in security technology and people ahead of the curve than most other industries," he added. "Inventory is going to go up and that creates a buyer's market."
Gosselin isn't sure his management will buy into hiring more staff. However, he said, "I would certainly expect managed security providers to be on the lookout for vertical expertise talent like financial services."