Information Security Productivity

Many people may be surprised to hear that the US has the second highest manufacturing output in the world (measured by value of products produced) despite having one of the highest overall labor costs.  How can that be, considering the US has lost millions of manufacturing jobs in the last decades?  The answer is increased productivity.

Increased productivity is often personally painful and results in disruption of lives, but it is a hallmark of a vibrant industry.  Productivity is one word that is frequently mentioned in business but is rarely if ever mentioned with regard to information security.  Outsourcing and off-shoring were trends meant to reduce costs by getting cheaper labor.  However, basic economics and history show that cheap labor can only go so far.  Automation not only drives costs even lower, it eliminates dreary manual tasks.  In fact, the country that lost the most manufacturing jobs between 1990 and 2005 was China.  Automation trumps manual labor even if the labor is very cheap.

All long-term trends (even in information security) in the end are really driven by lowering costs.  The economies of scale that security automation provides are one of the biggest productivity-enhancing opportunities in information security.  Their economic impact will go well beyond off-shoring.

There have been many studies discussing the cybersecurity skills gap.  However, those numbers are not consistent with potential information security productivity gains.   If the information security industry matches productivity gains of any other industry, those numbers won’t hold up.  There won’t be nearly as much demand for these skill sets.

In his masterpiece The Wealth of Nations, Adam Smith said “the division of labour is limited by the extent of the market.”  He explained, “There are some sorts of industry, even of the lowest kind, which can be carried on no where but in a great town.  A porter, for example, can find employment and subsistence in no other place.  A village is by much too narrow a sphere for him; even an ordinary market town is scarce large enough to afford him constant occupation.  In the lone houses and very small villages…every farmer must be butcher, baker and brewer for his own family.”

Information security is not an exception to this rule.  In order to be done effectively, security must have specialization.  Even smaller organizations have distinct systems administrators, database administrators, system testers, security staff, etc.  A porter might not be found in a village but a security analyst is often found even in a smaller firm.  There are few effective “jacks of all trades” in security.  There are significant real cost savings – and likely effectiveness improvements – when entire categories of security staff are outsourced.  That’s why companies coming into existence now may very well be totally cloud-based and outsource most of their security functions.  That will make them much more productive with regard to their security spending.

As I said earlier, productivity is one word that is frequently mentioned in business but is rarely if ever mentioned with regard to information security.  I think that is going to change.
