Holiday season is a stress test of everything you have done to make the customer experience smooth and enjoyable. One of the things we don’t want to do during this key period is make changes that might impact that experience, so companies go into freeze or change lockdown — typically from mid-November until the end of December. This leaves the team with time on its hands. Most teams have been in a full-court press to get everything ready for the holidays, so they are ready to just relax. But based on my prior experience, I would encourage you to use this time to get set up for success in 2020. Below are some things you can do to prepare.
Strategic planning is always a good place to start. Review how your security strategy and technical roadmaps are tied to the business plan goals. For each business and IT strategic goal, the security team should map out how they’ll support the effort. It’s surprising how many times I have heard people say they do this, but when asked how — they can’t articulate what they’re doing. It is worth the effort to document it.
At the team level, one area you can maximize is around education. If you’re moving to the cloud or DevOps/DevSecOps, it’s time to take the team though new skill development. This can be a challenge at the end of the year, when most budgets are exhausted, so it may take some creativity. I’ve found that there are several demos, podcasts, books, YouTube videos and free trials folks can take advantage of. For example, if you are moving to the cloud, you can have the team create individual test accounts and leverage the training capabilities they offer.
Many vendors will work with you to increase skills around their products, so it is worth checking in with them as well. Another great technique is having members of the team develop classes, which creates internal SMEs and elevates everyone’s skills. Finally, you can try to create some gamification-based training by introducing a hackathon-based event. This can be a capture-the-flag competition or a codefest aimed at developing a beta of a useable security feature/solution. All of these are great ways to invest in your people and energize the team.
Change lockdowns also are a great time to inventory your technical debt and come up with a prioritized plan to address it. Most of us have purchased a tool to solve a specific gap, but then not optimized its capabilities beyond that single use case. Ideally, you can optimize multiple controls, and with the overlap in capabilities, remove a tool. It might also be worth looking at where you can consolidate to a smaller set of partners, by moving to vendors that offer integrated platforms. Once you have reviewed the maturity of your current set of capabilities, it’s time to create a backlog of issues and start to prioritize how you will address them.
If you have a test environment, you can do some proof-of-concept testing on how to optimize current capabilities and get buy-in from partners on what to focus on after the holidays. Additionally, you can demo new tools you have been considering. This can be problematic during a freeze, so you may need to conduct this on a separate vendor network (if you use a Value-Added Reseller try asking them for help) or cloud environment.
Finally, don’t limit yourself to single tools: depending on the complexity of the product(s) you are testing, this could be an excellent time to look at changes to your architecture. Legacy issues often prevent us from moving to the latest strategies, like zero trust.
At the program level, this is a great time to conduct a postmortem on how the team performed over the year, and turn those lessons learned into updated processes. There are always several issues that you had to push though in the drive to the holiday season that were solved, but not documented as updated processes. This is especially important as we are in a regulated industry, so auditors want to see processes, flow diagrams and most importantly for PCI assessments — your current network diagrams. Additionally, it might be a good time to do a customer satisfaction survey with internal partners/customers.
We have covered several options, so based on the size of your team and complexity of your infrastructure, you should determine what is best for you. If you’re concerned about talent, then focus on training. If you’re worried about compliance (and most of us are, with the new privacy laws) then review tech debt based on the new requirements. If budgets are the issue, then it might be time to review the maturity of your controls based on the risk reduction they provide. Bottom line, it’s time to develop a plan to take advantage of holiday freezes.
Steve Winterfeld is the Senior Director of Security Strategy at Akamai. Before joining Akamai, he spent over 10 years building security programs to protect companies and their customers as Director of Incident Response and Threat Intelligence at Charles Schwab, Director of Cybersecurity for Nordstrom and CISO for Nordstrom and supporting national defense efforts at Northrop Grumman/TASC. Now he is focused on being the voice of the customer for Akamai’s security vision and helping CISOs solve their most pressing issues.