Whether you’re an IT consultant or a network administrator, your livelihood depends on “job security”. As the US and most of the rest of the modern world faces a financial downturn and a long, painful recovery, just about every IT worker will have to think about losing their salaried jobs or clients not only because of downsizing to save costs, but also because employers and clients may simply go out of business.
Sterling Camden’s IT Consulting article, Effects of the recession on IT consultants, discusses some of the challenges facing consultants. As I pointed out in a comment, though, the single biggest factor in job security during a recession for consultants who maintain long-term relationships with their clients is the same as that for employees, because an employer is a special case of a client: the profitability and stability of the client or employer, and how much you help improve and protect that profitability and stability.
Considering the significant dangers and unpredictability of business losses due to security issues, though, special care should be given to protecting client resources against losses due to security breaches.
Many employees and consultants in the IT world have a very “jobsworth” attitude toward work — doing exactly what the client specifies, and no more or less than that. It is during times of greatest financial hardship that employees and consultants should be most ready and willing to step outside the precise definitions of their jobs and try to provide additional value. This may require suggesting improvements to security technology implementations and policies, or even significant changes, rather than simply doing what you were told to do.
So-called “industry standard practices” or “industry best practices” — usually little more than a euphemism for “what everyone else is doing” — can sometimes ensure that tried and tested security policies will be employed to best effect. It can also mean that managers uncritically dictate implementation of poor security practices, and those of us given the responsibility of implementing them don’t look closely enough at the advisability of such practices, because it is easy to get lulled into a false sense of security by the popularity of the practice.
Every step of the way during policy planning and implementation, you should think carefully and critically about the consequences of your policy choices, and consider alternatives. If logic tells you something different from the conventional wisdom, find out why this conflict between your view and the popular view exists; it may make the difference between being a victim of the same attacks that hit others somewhere down the line and being one of the well-prepared who aren’t hit in a widespread security exploit epidemic.
A recession may cause many of us to become more conservative in how we deal with clients, for fear of upsetting the Powers That Be and losing income when we are kicked off the premises for contradicting the official line. Under such circumstances, many are less likely to suggest a less popularly used and more secure open source technology, for instance — because nobody gets fired for buying Oracle. It really should be a wake-up call, though, where we realize that a security breach can sometimes cause enough damage to the client that it can no longer afford our services, or even to send the client to bankruptcy.
Now is the time to speak up when alternative policies may be more secure, and to do more for the client than you would normally. Your livelihood may depend on it.