Slash and Burn: In Times of Recession, Do Not Let Emotions Drive Business Decisions - INFORMATION SECURITY AND RISK MANAGEMENT - Information Security Management Handbook, Sixth Edition (2012)

Information Security Management Handbook, Sixth Edition (2012)

DOMAIN 3: INFORMATION SECURITY AND RISK MANAGEMENT

Employment Policies and Practices

Chapter 13. Slash and Burn: In Times of Recession, Do Not Let Emotions Drive Business Decisions

Anonymous

“Don’t let operational developments influence strategy” writes noted warrior Sun Tzu. Many of the principles the great General developed can be applied to modern business. In particular, Sun Tzu stressed the importance of always positioning oneself in a proactive rather than reactive posture. It is all too clear, however, that the recent economic recession has forced many firms to learn the hard way that deviating from their objective strategies to react to—as Sun Tzu phrased them—“operational developments” is dangerous. It is always the most sound strategy to make decisions—business or otherwise—based on logic and clear-thinking rather than fear and related emotions. Dwindling capital, customer withdrawal, or uncertainty of the future can all place businesses on the defense, rushing headlong into decisions that will almost certainly hurt them in the long run.

Some of the first areas firms will look to cut costs are technology, human resources, and operations—often viewed as nonrevenue-producing cost centers, which are mere necessity. Arguably the most valuable of these departments is the information technology department and yet still often finds itself under the knife as one of the first areas to be hit in recession, often to the firm’s long-term detriment. Karl Flinders discusses this point in an issue of Computer Weekly, essentially taking the position that companies often panic in times of crisis and make irrational decisions not grounded in thorough analysis. “Companies risk reducing future business opportunities when they cut IT budgets in times of economic slowdown, according to Harvard Management, which manages the assets of Harvard University” (Flinders, 2009). Recessions end, economies recover, and businesses once again have the opportunity to thrive. The short-sighted slash and burn approach might make sense in the near-term, but falls apart when companies look to return to market with fresh initiatives during economic recovery. “Harvard Management says companies often cut IT budgets because of three common errors: they delay decisions that will improve the long-term health of the firm; they assume the smart way to grow is always cautiously and incrementally; and they focus on broadening their customer base” (Flinders, 2009).

Broadening a customer base seems, on paper, a worthwhile endeavor, yet many businesses do not time these initiatives correctly. A recession is the worst time to spend finite resources on marketing and increased sales initiatives. Instead, it is a tremendous opportunity to focus on client service and retention. By providing superior service to existing clients during an economic slowdown, firms place themselves in a strong position to expand that customer base when the time is right. By throwing resources at sales and marketing, firms miss a key opportunity to build their infrastructure and improve their strategy. “Harvard Management says businesses should cherish customers that stay with them through a slump because they will probably be its best customers when things pick up” (Flinders, 2009).

Some chief information officers (CIOs) do remain calm in crisis and ultimately guide their teams and the larger business to success. As one example, “Justin Speake, CEO at analyst firm Bloor Research, says during an economic slowdown businesses should re-examine their decisions, but warns against cutting projects as a knee-jerk reaction. If there was a justification for a project, it may still apply…” (Flinders, 2009). An often-hailed mantra in business leadership is a reference to the Chinese symbol for crisis, which is a combination of the symbols for danger and opportunity. The CIO is in the best position to seize an opportunity from a financial crisis through his leadership and decision making along with his ability to influence other senior management. To that end, “the CIO should not stand out as different from the rest of the senior management team due to a lack of business knowledge, but should be involved in all areas” (Computer Weekly, 2009). If the CIO can win the rest of the C-level executives and show that his strategy is business-focused and rooted in long-term gains, his firm should be effective at capitalizing on a crisis and turning it into an opportunity.

CIOs are in the best position to know the importance of capabilities such as flexibility, skills, innovation or knowledge to each area of the business and whether they are expendable or not. “CIOs should refocus on business strategy and then prioritise [sic] the IT portfolio based on that” (Computer Weekly, 2009).

Strategy is nothing without tactics. Assuming leadership is behind the CIO and his decisions, where does he actually begin to place his finite resources to generate the best results? According to Katherine Heires, companies are focusing on “nondiscretionary, must-tackle technology and compliance issues—including low latency, trade reporting, risk management and options symbology requirements …” (Heires, 2009). Another interesting approach focuses on the IT department’s use of vendors and other external resources and applications. In times of crisis,

Every organization must consider one area: on-demand applications. Why? First, a low initial capital investment (no hardware and small-scale implementation costs) and rapid deployment will accelerate payback so financial capital can be reinvested in other projects. Second, because you’re not buying licenses, you can scale up or down on user accounts if your business changes. Third, because you’re probably not financing the project like a capital investment, you don’t have to worry about how interest rate fluctuations increase the financial risk (need to verify/track down the source as I misplaced the printout).

Donald Hopkins of SunGard Availability Services advised against focusing on incremental cost reduction projects and taking the time to analyze more strategic initiatives—even in times of economic stress. “ ‘Cost reductions can be very addictive,’ he says, ‘where you end up always thinking about the next 15 percent to cut’” (Heires, 2009). Some breakthroughs he suggested include the use of “de-duplication technology as part of one’s disaster recovery plan—a technique that removes any duplicate data prior to compression and thus, Hopkins argues, can result in significant savings” (Heires, 2009).

Hopkins’ view is a classic example of not reacting to negative forces but rather remaining focused on his original objectives and not wavering from them. Businesses who fall into the cost reduction project trap sacrifice robust infrastructure for incremental and marginal gains. Often these projects hold appeal because they might temporarily improve the bottom line—especially, key for public companies that need to satisfy shareholders. This approach is flawed and long-term shareholders will suffer as a result. To underscore this point, “Harvard Management also believes it is wrong to assume that cautious growth is always best. Businesses can use technology to grow their businesses quickly when things pick up” (Flinders, 2009). To that end, everyone, from the CEO to the first-year analysts, must understand the value of strong technology. Some firms get it. Epicor is one of them.

“Technology is productivity,” [Epicor senior vice president and chief marketing officer John Hiraoka] said, highlighting studies and analysts who predict resilience in the IT sector. Hiraoka referenced Cisco Systems CEO John Chamber’s keynote address at Gartner ITEXPO in mid-October, who said there will be an ‘instant replay’ in technology-led productivity gains, with collaborative IT intertwined with business strategy (Manning, 2008).

Further, Rod Winger, Epicor’s senior director of product marketing, said that even in a down economy, companies understand that the road to recovery is the leveraging of business process and innovation (Manning, 2008). What are the real outcomes of these decisions? Ask Cisco. In 2009, Cisco Systems Inc. experienced a 2-hour shutdown of their Web site. “Kurt Roemer, chief security strategist at Citrix Systems Inc. in Fort Lauderdale, Fla., said he wonders whether [the shutdown] ‘would [have] happened a few years ago … when they had multiple people checking every single change.’ Cisco blamed the outage on human error” (Thibodeau, 2009). Other firms have had similar situations. As less flashy projects like database maintenance and hardware infrastructure are chronically ignored, the firm’s risk increases exponentially. “We’re not doing the maintenance we should be doing, and when you don’t do maintenance, you increase the probability of catastrophic failure” (Thibodeau, 2009).

Our discussion so far has been in general terms, but not all firms are created equal, and general economic trends have microscopic consequences, which vary in a myriad of ways. A large company may, based on past financial decisions, assets on hand, liquidity, and so on, may have the ability—should they choose to exercise it—to weather financial storms with relatively little impact to IT budgets or projects. “But the impact may be much more acute at smaller companies, which may spend a higher percentage of their annual revenue on IT products and services but have far fewer ‘real’ dollars available to trim, compared with larger businesses …” (Weston 2001). One could make a case that smaller businesses are less reliant on in-house technology and more on vendors. To that end, their challenges may be even worse. “Take, for example, the semiannual headache of negotiating software site licenses. At some point, you begin to test the limits of your negotiating skills. The vendors can only shave off so much margin. What can you do? The trade-off is unthinkable—telling users they’ll have to share software seats” (Weston 2002). A smaller firm could more easily revert to “pen and paper,” so to speak, but such firms may also have less bandwidth to map contingency plans. On the other hand, they have the advantage of working in presumably more agile environments. The ultimate question as to how a firm’s market capitalization impacts the damage of IT budgetary cuts is outside the scope of this discussion, but it is clear that each firm must address external challenges with a keen eye toward their specific business challenges.

All firms have the potential to capitalize upon crises. In an article for InformationWeek, Rusty Weston suggests using budget cuts as an opportunity to get creative with your IT priorities and expenditures. If senior management is cutting big projects in favor of cost-cutting, perhaps it is time to “try a plan B that lets you move ahead with at least some of your initiatives. Consider that in E-business, the best use of your time might be conducting usability or performance tests or, for enterprise applications, user focus groups” (Weston 2001), which might be more cost-effective while still delivering tangible business value. Sometimes, however, managers are not taking a critical eye to their specific dockets and workloads and scrambling to meet the bottom line and all costs. According to one study, “most managers have opted to trim the biggest part of the budget pie, labor costs, by instituting hiring freezes or, in three out of five cases, reducing head count” (Weston 2002). In an article that appeared in InformationWeek in 2002, analyzing the fallout of the U.S. economy following the terrorist attacks of 11 September 2001, it was noted that “only 29 percent of the cost-cutters have frozen their IT projects, preferring instead to scale back the size of projects, reduce administrative overhead, or outsource work when possible” (Weston 2002).

For a contradictory example, we need to turn no farther than the U.S. government, which, in 2005, increased its IT budget.* As noted by Grant Gross in ComputerWorld, “President George Bush’s proposed budget for the federal government’s 2006 fiscal year … includes an increase in IT spending, despite significant cuts elsewhere” (Gross, 2005). Although government and business strategies may be arguably different—even drastically so—yet commonalities exist. One area in which the government has been notably at the forefront of policy and spending is the area of information security. Bush sought to increase spending, in particular “for information security at 17 federal agencies … by $113 million…. The Information Technology Association of America (ITAA), an industry trade group, praised the IT budget plan.” “ ‘America must pick up the pace in science, math and engineering,’ ITAA President Harris Miller said in a statement. ‘Countries around the world have clearly signaled their intent to challenge U.S. leadership in technology. Our economic well-being depends on answering this challenge’ ” (Gross, 2005).

The importance of sound information security is a clearly understood maxim throughout government and business. Even as firms turn to outside vendors for solutions (e.g., Salesforce.com for Contact Relationship Management), they continue to place emphasis on stringent security requirements. But this field finds itself on the defense on several fronts. A survey by Ernst & Young conducted in 2003 “questioned whether organizations use their IT security budgets effectively. Nearly 50 percent of respondents admitted that their security spending is not closely aligned to their business objectives” (Goodwin, 2003). This is a fundamental problem, which is independent of economic circumstances. However, bigger the budget might be, it is the responsibility of professionals to manage it effectively to support the business. If it is not aligned effectively when times are good, it will be even worse when economic stress is applied. The results of this study are perplexing; they suggest that it is the department personnel and leadership who are pursuing projects “not closely aligned to business objectives,” yet other data indicates that information security woes are a direct result of funding issues. To that end, “pressure to cut IT budgets is now the biggest obstacle to effective information security, a survey of 1,400 IT executives around the world has revealed” (Goodwin, 2003). The challenge for the information security specialist, consultant, and manager is to engage in a continuous evaluation of his projects and objectives to ensure that they are aligned constantly with business priorities and be agile where needed. A time of economic crisis—as the IT department is led to the proverbial guillotine—may serve as the critical catalyst that forces difficult but ultimately productive decisions.

References

Computer Weekly. IT budgets set to defy the worst predictions for 2009. Computer Weekly, p. 9, January 20, 2009.

Flinders, K. Beware hidden costs of IT budget cuts. Computer Weekly, p. 8, April 7, 2009.

Grant, I. Untitled. Computer Weekly, p. 66, October 12, 2010.

Gross, G. Bush plan calls for more IT spending. ComputerWorld, p. 19, February 14, 2005.

Heires, K. Focusing on budget cuts. Securities Industry News, pp. 9–10, June 15, 2009.

Hume, L. Donaldson: ’06 budget will force technology, hiring slowdown. The Bond Buyer, p. 5, March 14, 2005.

Manning, A. Technology is productivity. Modern Materials Handling, p. 10, December 2008.

Singh, M., Nath, S., and Walvekar, R. IT sourcing trends in the current market. Infosys Technologies Limited, pp. 17–19, January 2009.

Thibodeau, P. Cutbacks could be causing IT outages. ComputerWorld, p. 8, August 17/24, 2009.

Wagner, M. Hard-hit industry makes deep cuts in IT. InformationWeek, p. 89, September 14, 2009.

Weston, R. Don’t let budget cuts jeopardize progress, InformationWeek, 2001.

Weston, R. Cost cutting: When less equals less. InformationWeek, September 2, 2002.

Wettemann, R. With recession in the air, don’t just cut and react. InformationWeek, p. 64, March 3, 2008.

* The reader might recall that 2005 hardly marked a year of significant economic recovery since 11 September 2001.