Are you really ready to lay off your IT and Dev teams?
January 9, 2025
I believe we are going to see some really stunning breaches and failures in 2025. A whole layer of middle management and tech is being laid off and decimated in part because there's a belief there isn't enough work to keep them busy -- that they sit idle and the company can do just fine without them.
Before you gut your devops team, make sure your company has the basics covered:
- DDoS Hardening: Understand the potential risk and cost and fix it
- Access Control Audit: Who really has access to what and how do they get it?
- Configuration Management: Understand how keys and other sensitive variables are managed
- Architectural Audit: Review your vendor, application and dependency attack surface
- Data Architecture Review: Document sources of truth, duplication, data in motion, data at rest… then streamline it
- Data Security/Privacy Compliance Audit: Understand PII, GDPR, PCI and other data compliance law that can cause real lawsuits and real fines.
- Penetration tests: Review code injection, ports, access points, and close back doors
- Scaling review: Understand the true cost of scaling up and down including labor and lost opportunities.
- Core business process review: Are your business functions being met by your automation, and if not, what gaps need to be closed?
- Documentation: Make it easy for new people to understand how the systems work to make it easier to avoid problems in the future.
I found a 2020 study that says 74% Of Organizations Fail to Complete Legacy System Modernization Projects (albeit the article was a press release, so potentially self-serving). The primary reason is funding and resource allocation – unfortunately, fixing weaknesses in tech is like hiring a plumber. No one hires them until there's crap everywhere… and then it becomes REALLY expensive.
One of the reasons I think 2025 is going to be particularly bad for breaches and failures is because there are people who are sitting in those corporate jobs with extra cycles. That is, they have extra time until there is an emergency (and there often are emergencies because the gaps haven’t been fixed).
When a company does a massive layoff, not only does it mean they don’t have the resources to address the things on the vulnerability list, it means they lose the people who know how to fix those things when they fail. I call this “Tribal Amnesia”, where the org forgets how something works because the people who knew how it worked left the company and there was no knowledge transfer and no documentation.
It gets even worse when you consider some of these systems are tied to an individual's email address -- we're often subscribing to things under a business email address, and then that email address goes away when the employee goes away. Sometimes those subscriptions or services become critical to the company and there's a mad scramble to reinstate the email address or go through hoops to move the account to an active employee's address. (I've lost track of how many domain names I've had to salvage for clients or my own workplaces over the years.)
In other words… mass layoffs without thinking about how things are intertwined with the workforce can have some nasty, unintended consequences that you won't know about until down the road…
Happy New Year everyone!