This post was originally published in November, 2014. It has been updated with current details.
We’re on the cusp of the Thanksgiving holiday here in the US. That means we’re on the verge of the annual holiday shopping season – kicked off by the infamous “Black Friday” retail sales extravaganza.
The holiday shopping season also, ironically, marks an annual “IT freeze” period for retailers. No new security tools or IT projects are implemented. It’s a time when critical transaction systems and other supporting IT systems are locked in top performance and availability mode. In many cases, only the most critical security patches get installed at retail organizations; the rest are put on hold until the busy holiday shopping season concludes.
The funny thing about the yearly holiday IT freeze in retail is that it makes a lot of sense – until it doesn’t. Obviously the busiest sales season of the year is not the time to replace point of sale systems or upgrade databases. The potential disruptions would outweigh any benefits.
On the other hand, most retailers have poor IT security, just waiting to be exploited by criminal hackers. The introduction of necessary IT security technology would have little to no visible impact on sales processes. Security solutions can be implemented quickly and transparently. This is assuming, of course, that the correct security technology is selected – one that is automated, mature and scalable to the retailer’s environment.
The Retailers’ Convenient Excuse to Avoid IT Security
The unfortunate reality of the holiday IT freeze at retailers is that it’s a transparent excuse for IT operations and executive management to punt on their fiduciary responsibility to secure the IT infrastructure. This is the classic concept of “kicking the can down the road” for the next guy, based on the deception that introducing new IT security solutions would somehow disrupt critical business operations.
This is not to say that some vendors’ solutions don’t have abysmal capabilities that really would disrupt business. So, how can you tell which IT security solutions might have a negative impact on a retailer’s daily business operations? Clues to a bad security solution are an inherent need for significant amounts of professional services, a reliance on off-shore development and support, and the use of proprietary technology that is undocumented.
Other clues to a poor security selection include having little or no automation and a heavy dependence on human interaction. For example, look at the data breaches at Target and Home Depot. These breaches involved security solutions that were based off-shore, required extensive human interaction to work, and were not even fully deployed because of the required professional services component.
There is No Off Season in IT Security
Consequently, I would submit that there is no need for a holiday IT freeze on implementing security during the holidays if existing retail IT security solutions are inadequate. Security should be continuously evaluated and improved, regardless of the season.
Criminal hackers and nation-state attackers don’t care what time of year it is. They won’t respect your IT freeze, so security improvement and continuous compliance need to occur 365 days a year. Besides, if a retailer’s IT security solution is taking years to implement, perhaps they need to discard the product. That would be preferable to stopping and starting a security project based solely on the time of year.
There is no logic in the argument that “now is not a good time to secure our environment.” Every day that information security is weak is another day that your company can be exploited by hackers. And it’s another chance for your customers’ financial information to be stolen. There is no holiday season in cyber security.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.