I recently came across the article “Holiday retail ‘freeze’ takes hold” by Dan Raywood, in which Dan quotes numerous sources concerning the security impact of the typical change freeze that retail organizations put in place over the Christmas holiday. I thought I would add my $0.02 to the discussion here. The typical change freeze lasts about 6 weeks, starting just before Thanksgiving and running until just after New Year’s Day. It seems that many of Dan’s sources are really focused on those 6 weeks, but I would ask: what happened during the other 46 weeks of the year?
In the retail vertical we plan our entire year around the holiday shopping period. In January we’ll kick off numerous projects and infrastructure upgrades that will need to be completed before next year’s holiday rush. We’ll perform our yearly maintenance and upgrades, keeping our systems on the leading edge, not the bleeding edge. We’ll still push Microsoft, Adobe and Apple security updates to desktops and laptops alike throughout the freeze, but we’ll hold off on pushing any security updates to our back-end infrastructure unless the risk warrants a change. This year has been the exception to the norm because a number of high-profile, late-breaking security vulnerabilities have demanded some unscheduled but approved emergency changes and software upgrades.
It’s all about preparation and planning…
I would compare it to my teenage daughter keeping her room clean. If she keeps her room relatively tidy and clean, then it’s pretty easy to clean quickly. If she keeps her room like a pig sty, then it’s going to take a lot of time and effort to clean it up. The same goes for any network infrastructure and your security posture. If you’re keeping things relatively tidy and up to date for the other 46 weeks of the year, you should be able to survive a 6-week change freeze.