How Does Your Company "Winterize" Your Cybersecurity Posture?

As we move into the colder months in Upstate New York, I've begun the slow process of 'winterizing' my back patio in preparation for the unknown winter ahead. Moving my grill and patio furniture into my shed, bringing out the snow blower and starting to prepare firewood. All of this, and there's always a chance we might not even get snow! This got me thinking about the many cybersecurity initiatives I commonly seen organizations execute around this same time of the calendar year.

Although it is recommended that organizations continuously evaluate and work to improve their cybersecurity posture year-round, many organizations seem to focus numerous proactive cybersecurity efforts in the final quarter of year. Cross-team incident response tabletop exercises, penetration testing, documentation governance, and security awareness trainings are just some of the many preparatory efforts I've seen get shoved into this end-of-the-year spike!

As someone who sincerely enjoys seeing organizations adapt and improve their cybersecurity programs, this spike gets me excited. However, unlike my home winterization process, these cybersecurity efforts have no correlation with the upcoming snowfall. Instead, here are the five initiators I most commonly see:

• Utilization of the remaining cybersecurity budget: It's always exciting when there is a surplus, especially when those additional dollars can be spent on cybersecurity initiatives that can help save even more dollars going forward. Identify if your organization has any remaining cybersecurity budget that you want to take advantage of before the new calendar year begins.
• Reactions to cybersecurity impacts / risks observed this past year: If you see something, do something! Has your organization had any close calls with cybersecurity incidents this year? Has your IT team identified any emerging potential risks? Think about what can be done to better help protect against future risks based on what you have observed the past year.
• Planning for the next year's goals by establishing a roadmap: Cybersecurity threat landscapes are tricky enough to anticipate, even without considering other variables your organization encounters during this year. Whether you need to make fine-tuned adjustments to an existing multi-year roadmap, or build next year's cybersecurity plans from scratch, this is a great time for your organization to reflect on the goals you want to achieve.
• Completing new contractual or regulatory obligations: Data privacy and cybersecurity concerns are a hot topic with shocking news headlines emerging every day. As a result, regulations and supply chain expectations are constantly being questioned and refined. Maybe this year your organization is expected to complete a minimal number of penetration tests, hold a certain number of employee trainings or implement a specific security control. Organizations must remain vigilant to ensure they are complying with all cybersecurity expectations established by their applicable vendor contracts, agreements, laws and regulations. Nearing the end of the calendar year, your organization should use this time to validate that all expected cybersecurity efforts are completed.
• Tackling objectives for the current year which were initially delayed for any reason: Maybe a new zero-day vulnerability lassoed most of your attention, or a cybersecurity incident pushed your other initiatives back indefinitely. Things come up, even with the most careful of planning. Many organizations have to re-prioritize proactive cybersecurity initiatives for a later time in the year. Did your organization have to push any proactive cybersecurity initiatives that you're now able to revisit?

With all that said, what is your organization's 'winterization' process? Have you thought about what cybersecurity initiatives you are tackling in Q4, or integrating into your roadmap for this upcoming year?

‍