December 23, 2015 By Rick M Robinson 3 min read

The holiday season is here. For chief information security officers (CISOs), as for Santa and his elves, it is the busiest season of the year.

For nearly all organizations, this season marks the run-up to an end-of-the-year security audit, a time to review and assess the organization’s cybersecurity progress and posture. And for retailers, it is also the busiest season of the year — one filled with its own security challenges.

A Season for Looking Back — and Ahead

The holidays are a time for making lists — not only of who’s been naughty or nice in the past year, but also for making resolutions on how best to meet the next year’s challenges. For CISOs, this means assessing and evaluating the security picture over the last 12 months, double-checking compliance needs and evaluating which issues are likely to be prime considerations next year.

CISOs will need to call on their elves to assist in these big tasks. These helpers may come from both inside and outside the organization, ranging from members of the security team and the rest of IT to representatives of other business units (IT’s internal customers), business partners and the broader cybersecurity community. Whether or not an external year-end audit is performed, WindowsObserver.com offered useful advice that goes beyond any specific operating system.

The first item on the CISO holiday checklist is looking back at how the security landscape developed in 2015. This means analyzing everything from internal event logs that give a highly granular picture of the organization’s own experience to surveying global trends that are shaping security. What threats has the organization faced and how effectively has it responded to them?

The second big item on the checklist is legal and regulatory compliance, a factor in all industries and absolutely critical for some, such as finance and health care. Official rules can be a pain to develop and implement, but most of them have been well-crafted by security professionals, and compliance requirements play a big part in building shared standards and best practices. But since new laws and rules often take effect early in the new year, compliance must be not only reviewed but also updated.

Finally — last but by no means least — this is the season to prepare for the year ahead. What new potential threats are looming, and what tools are available to protect against them? For example, Wired noted that an emerging threat as we head into 2016 is malvertising, innocuous-seeming online ads placed on popular websites through third-party brokers that conceal malware. The victim does not even need to click on the ad; simply visiting major media sites can expose users.

Malvertising is outwardly a consumer threat, but in a bring-your-own-device (BYOD) world, what attacks employees as consumers can also attack the enterprise. And for organizations with advertising-supported websites, inadvertently hosting malvertisements is a huge security threat and an emerging challenge that must be met.

In short, the holiday checklist for CISOs includes thinking ahead to who may be naughty or nice next year.

For Retail CISOs, Unique Holiday Challenges

All organizations face these challenges, though many benefit from a holiday slowdown or even scheduled downtime. Let’s face it, a lot of people — though not the security team, of course — can and do “check out” a bit during the holidays.

Not so for the retail sector, including firms and charitable nonprofits that are not retailers themselves but whose business follows the retail cycle. This cycle famously (or infamously) peaks during the holiday season. So do its cybersecurity concerns.

Not only are people shopping more, but they are doing it amid more hectic surroundings and often going outside their familiar safe zones to look for that special gift. That means potential security risks spike even more than overall traffic does. Retail-related CISOs will be very busy indeed, earning some holiday cheer they won’t even be able to enjoy until after the season is over.

The good news, in and out of retail, is that this busy security season will soon be over. Security leaders who meet the seasonal challenges will be heading into 2016 with their organization’s security posture in good shape. That could give them plenty to celebrate when this time rolls around again next year.
