The security behind letting go

by Mark Rowe

The security industry devotes great amounts of thought, comment, conference sessions, training courses and deployments of personnel on numerous threats – from fraudsters and other insiders, computer hackers, single issue protesters, stalkers and terrorists. All these and others are based on the assumption that the business being protected is in a steady state. Yet what about when a corporate is anything but – when it’s going through a drastic and sudden cut in staff? Mark Rowe asks.

For that act of downsizing (or whatever euphemism you choose for the shedding of workers) brings two-fold work for security departments: the managing of that stressful time, and the risks arising. It’s further strange that the risks around getting rid of a mass of employees are relatively little considered as an issue for Security, because it’s regular news among big businesses such as banks. Barclays for example last year reportedly shed thousands. Culls seem a natural feature in the tech sector, among companies such as Amazon, and Meta, the parent of Facebook. Arguably most notorious was the trimming of Twitter after Elon Musk bought it. Spotify is going from 10,000 to 4500.

Whether the letting go of thousands happens in one go or more (Spotify is having three waves), if it’s large enough, it’s inevitable or indeed fair that a security department will be among the losses. Yet the act of sacking people means a rush of work for Security: the calling in or at least the decommissioning of laptops and company devices, and the revoking of identity card or other site access, and of network passwords. Even the right to a space in a car park has to be withdrawn, even if there’s going to be plenty more room in the car park for those left. All that admin work can mean 70-hour weeks in the security department.

That’s precisely the time when employees may be disgruntled, and make verbal threats to the CEO or other executives; that is something else for Security to monitor, if only for the reputational risk, let alone the physical risk to execs (who may or may not have been part of the decision to lay off).

As an aside, consider how tech does its lay-offs. Here’s a link to the HackerOne website, detailing what HackerOne CEO, Marten Mickos, emailed to employees on August 2, about ‘the painful and necessary decision to undertake a restructuring and we will reduce the size of our team by up to approximately 12 per cent’. As background, HackerOne arranges bug bounties – ethical hackers look for vulnerabilities in software, and if corporate customers (the likes of the hotel chain Hyatt, software firm Grammarly, Goldman Sachs) judge that the hacker has indeed found something for correcting, the hacker gets some money. If HackerOne’s clientele are going through a spell of firing, that bodes badly for companies like HackerOne in their supply chain.

It’s striking how lacking in human touch the HackerOne process was – as described by Mickos, remember, evidently not something he felt secretive about. Employees in the United States and Canada would ‘receive a meeting invitation in the next 15 minutes’ (the same kind of process that Spotify employed). As for why the company had to cut one in eight (UK and other countries could also expect to be ‘affected’, he wrote), he blamed ‘bets on hiring and new products proved to be too big’. This is people’s livelihoods that he was betting on?

As this signals, tech firms are not places where you can make meaningful, emotional contacts, whatever your function, whether inside the firm (to give phishing awareness training, for example) let alone with rival tech firms (perhaps for sharing of intel about hackers, who presumably are going after more than one target, just as shoplifters will steal in various stores on a high street). The tech field may be too young to have settled down, for rivals to appreciate the value in talking to one another about risks in common, as supermarkets now do in the UK.

As an aside, at this highly stressful time for any employee in any firm going through big staff cuts, the security around lists of who’s losing their job is important. It’s understandable that someone privy to that list might want to share it, whether to give those on the list more warning, or merely for gossip (and such is the power around knowledge, the urge to pass it on might be stronger than any chosen phrase, such as ‘not to be shared’).

The members of the security department like any others have to live with the uncertainty of whether they too will be out of a job soon. Is it time for them to scout LinkedIn (more closely than usual), to put in some calls and emails, to think about where they should go next, given that it’s far easier to get a job while you are in a job, rather than start searching when unemployed?

Such seems to be the nature of tech in particular and modern business in general: gone are the opportunities to stay for years, perhaps half a career, let alone your whole working life, in a company, not only because it suits you being there but because being able to show on your CV a spell of several years with one employer can give the impression that you are a steady and stable, employable, person. The younger generations (who may be more likely to work for tech) have to adapt to jumping ship regularly, and more or less permanently look for a new ‘gig’. This may have implications for how invested they are in any employer; how motivated they are to take care of its assets and data.

© 2024 Professional Security Magazine. All rights reserved.