It’s the end of the year, which means that the holidays are nigh upon us. For those of us in security, it’s a time of heightened vigilance. We know from experience that the holidays bring with them an influx of malware (both targeted and untargeted) and a barrage of fraudsters who seek to capitalize on the season to gain leverage that they might not otherwise have.
This surge comes at a time when organizational defenses are at or near their lowest. Many of the supporting organizations that the security team normally relies on for help are understaffed – for example, peer organizations in IT, audit, compliance, and legal are likely to have a large percentage of their staff on vacation.
Those still in the office are likely either focused on wrapping up important projects before the end of the year or engaged in holiday merry-making.
The point is, there are two dynamics happening simultaneously over the holiday weeks: first, the security organization is (of necessity) likely to have a higher percentage of staff still on alert relative to other areas (because the bad guys don’t stop at the holidays).
Second, many of the other business areas in question slow down significantly. They might even slow down enough to allow some breathing room to focus on things beyond the day-to-day fires that occupy much of our time.
Put these two facts together and there’s a significant potential opportunity hidden in there: an opportunity to use that time to make some progress on problematic areas that are often overlooked.
Using Downtime Productively
By this, I mean that there’s a potential opportunity to undertake a few end of year projects that can give you a leg up when the organization comes back into full swing in mid-January.
These projects have a few things in common: they’re short, so you can get them done in the few weeks available during the holiday lull; they’re easy to pick up and put down, since you might be interrupted during their execution; and they’re things that will provide incremental value whether you finish them or not.
Project 1: Inventory Cleanup
When it comes to maintaining an inventory of assets, there’s little that’s either more challenging or more important. The benefits of a reliable inventory are legion: it helps with investigations, incident response, risk assessment, BCP/DR, and numerous other tasks.
It’s challenging to get right, though, because environments are already complex and fluid – and technologies like mobile, virtualization, and containerization add further complexity, making it even harder to keep tabs on which applications tie to which VMs, which containers, which physical hardware, etc.
Holiday downtime provides a useful opportunity to revisit existing inventories to make them more accurate and keep them updated. Why? Because many organizations limit the amount of change happening during the end of year period.
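One concrete way to spend that window is to reconcile the inventory of record against what a discovery scan actually sees. The script below is an added example, not code from the original article; both the CMDB export and the scan results are constructed inline (hypothetical hostnames and addresses) so it runs offline. It sorts hosts into the categories an inventory cleanup has to act on: hosts seen on the network but never registered, registered hosts no longer seen, hosts whose recorded address has drifted, and records with no accountable owner.

```python
"""Reconcile a CMDB export against discovery-scan results.

Added example, not from the original article. Both datasets below are
constructed so the script runs offline; in practice you would load a
CMDB export and a scanner's output in their place.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: str  # team accountable for the host ("unknown" if not recorded)
    app: str    # application the host supports


# Constructed CMDB export (hypothetical hostnames and addresses).
CMDB = [
    Asset("web01", "10.0.1.10", "ecommerce", "storefront"),
    Asset("web02", "10.0.1.11", "ecommerce", "storefront"),
    Asset("db01", "10.0.2.20", "dba", "storefront"),
    Asset("legacy01", "10.0.9.9", "unknown", "retired-crm"),
]

# Constructed discovery results: (hostname, ip) pairs as a scanner would report.
SCAN = [
    ("web01", "10.0.1.10"),
    ("web02", "10.0.1.12"),     # address changed since the CMDB was last updated
    ("db01", "10.0.2.20"),
    ("jump-tmp", "10.0.3.77"),  # nobody registered this host
]


def reconcile(cmdb, scan):
    """Return the lists an inventory cleanup needs to work through.

    untracked: seen on the network but absent from the CMDB
    stale:     in the CMDB but not seen by the scan (decommissioned or offline)
    ip_drift:  in both, but the CMDB records a different address
    no_owner:  CMDB records with no accountable owner
    """
    by_host = {a.hostname: a for a in cmdb}
    seen = {host: ip for host, ip in scan}

    untracked = sorted(h for h in seen if h not in by_host)
    stale = sorted(h for h in by_host if h not in seen)
    ip_drift = sorted(h for h in seen if h in by_host and by_host[h].ip != seen[h])
    no_owner = sorted(a.hostname for a in cmdb if a.owner in ("", "unknown"))

    return {
        "untracked": untracked,
        "stale": stale,
        "ip_drift": ip_drift,
        "no_owner": no_owner,
    }


if __name__ == "__main__":
    for category, hosts in reconcile(CMDB, SCAN).items():
        print(f"{category:10s} {', '.join(hosts) or '-'}")
```

The "stale" list is the one to treat carefully during a change freeze: a host that is simply powered down for the holidays will show up there alongside genuinely decommissioned equipment, so confirm with the owner before removing a record rather than deleting on the strength of one scan.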
Project 2: Policy Review
For many organizations, keeping information security policy updated is back of mind. Not that it isn’t important (because we all know it is), but instead often it’s an “I’ll get to it” activity – particularly when there are fires to put out and other projects clamoring for attention.
In short, there’s often not enough time to systematically review the corpus of policy germane to information security to make sure that it’s current, that it’s organized most effectively, that it’s free from internal inconsistencies, etc. If there is a lull that your team can take advantage of, now might be a good time to work through the policy and look for these things.
Granted, actually changing that policy will probably need to occur after the new year, since it will require review, buy-in, and approval – however, isolating the problematic areas and flagging them for later revision can be quite valuable in and of itself.
Project 3: Preparation for New Trends
As we all know, new technologies and trends are always coming down the pike that have the potential to change the landscape. Relatively new but highly transformative technologies like application containers and IoT have the capacity to have tremendous impact on the security team.
As an example of the latter point, the most recent ISACA Risk/Reward Barometer found that 73% of practitioners believe there to be a medium or high likelihood of an IoT device leading to a security issue while about half (49%) say that IT isn’t in the loop on all of the devices being brought into the organization.
Unfortunately though, the day to day pressures of keeping the organization secured don’t always allow us to keep abreast of these items to the degree that maybe we’d like. If down the road we’re called on to make risk decisions about these technologies, being educated about them already is hugely beneficial. Now might be a good time to do some of that research.
Project 4: Evaluate Control Efficiency
Whether or not a countermeasure, control, or security technology is effective is an altogether different question from whether or not it’s operating efficiently. Meaning, depending on what you have implemented (and how it’s implemented), some controls might be cheap to operate and maintain while others might be considerably more expensive.
Evaluating the cost/benefit/risk equation for the controls that comprise our security countermeasures is a good practice, but one that takes a bit of legwork to do since it involves a number of factors: licensing costs for software tools, depreciation for hardware platforms, soft costs associated with staff time, etc. If a lull presents itself at the year’s close, perhaps now might be a good time to do some of this legwork and put that analysis together. Worst case, you have a clearer understanding of what countermeasures cost to operate; best case you locate some areas of inefficiency and areas where money might be better allocated elsewhere.
Project 5: Penetration Testing
Let’s face it, there’s never a perfect time to undertake penetration and red team exercises. Obviously we want to do these things when we have the least likelihood of impacting production environments and disrupting system usage. For some environments and applications, the holidays can be a fruitful time to consider doing this. Why? Because many environments are frozen (i.e. changes are temporarily suspended) and production use might be at a low point.
Of course, this presupposes that resources are available to assist in the event of inadvertent impact to a production system, but assuming that’s the case, the holidays can be a useful time to schedule this type of activity.
It goes without saying that there are limitless options of useful projects to consider doing. This isn’t intended to be an exhaustive list and your specific environment will dictate which are the best options for you. However, if you do have a “lull” in your organization around the holidays, these are just a few suggestions of possible ways to use that time productively.
Ed Moyle is Director of Emerging Business and Technology for ISACA. Prior to joining ISACA, Ed was a founding partner of the analyst firm Security Curve. In his more than 15 years in information security, Ed has held numerous practitioner and analyst positions including senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers, and senior security analyst with Trintech. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the Information Security industry as author, public speaker, and analyst.