5 security tips from Santa

Stay off Santa's (and your employer's) naughty list by following this list of useful security tips and practices.
98 readers like this
98 readers like this
Security monster

If you're reading this in 2019, it's almost Christmas (as celebrated according to the Western Christian calendar), and, like all children and IT professionals, it's time to write your letter to Santa/St. Nick/Father Christmas. Don't forget: those who have been good get nice presents and those who haven't get coal. Coal is not a clean-burning fuel, and with climate change well and truly upon us,1 you don't want to be going for the latter option.

Think back to all of the good security practices you've adopted over the past 11 or so months. And then think back to all of the bad security practices you've adopted when you should have been doing the right thing. Oh, dear. It's not looking good for you, is it?

Here's the good news, though: because Santa is a benevolent soul, there's time to make amends (unless you're reading this after Christmas2). Here's a list of useful security tips and practices that Santa follows and therefore are bound to put you on his "good" side.

1. Use a password manager

Santa is very careful with his passwords. Here's a little secret: from time to time, rather than have his elves handcraft every little present, he sources his gifts from other parties. I'm not suggesting that he pays market rates (he's ordering in bulk, and he has a very, very good credit rating), but he uses lots of different suppliers, and he's aware that not all of them take security as seriously as he does. He doesn't want all his account logins to be leaked if one of his suppliers is hacked, so he uses separate passwords for each account. Now, Santa, being Santa, could remember all of these details if he wanted to—and even generate unique passwords that meet all the relevant complexity requirements for each site—but he uses an open source password manager for safety and for succession planning.3

2. Manage personal information properly

You may work for a large company, organisation, or government, and you may think you have lots of customers and associated data, but consider Santa. He manages (or has managed) names, birth dates, addresses, hobbies, shoe sizes, colour preferences, and other personal data for literally every person on Earth. That's an awful lot of sensitive data, and it needs to be protected. When people grow too old for presents from Santa,4 he needs to delete their data securely. In fact, Santa may well be the archetypal GDPR data controller, and he needs to be very careful who and what can access the data that he holds. Of course, he encrypts all the data and is very careful about key management. He's also very aware of the dangers associated with cold boot attacks (given the average temperature around his residence), so he ensures data is properly wiped before shutdown.

3. Measure and mitigate risk

Santa knows all about risk. He has complex systems for ordering, fulfillment, travel planning, logistics, and delivery that are the envy of most of the world. He understands what impact failure in any part of the supply chain can have on his customers: mainly children and IT professionals. He quantifies risk, recalculating it on a regular basis to ensure that he is up to date with possible vulnerabilities and ready with mitigations.

4. Patch frequently but carefully

Santa absolutely cannot afford for his systems to go down, particularly around his most busy period. He has established processes to ensure that the concerns of security are balanced with the needs of the business.5 He knows that sometimes business continuity must take priority, and on other occasions, the impact of a security breach would be so major that patches just have to be applied. He tells people what he wants and listens to their views, taking them into account where he can. In other words, he embraces open management, delegating decisions where possible to the people who are best positioned to make the call, and only intervenes when asked for an executive decision or when exceptions arise. Santa is a very enlightened manager.

5. Embrace diversity

One of the useful consequences of running a global operation is that Santa values diversity. Old or young (at heart); male, female, or gender-neutral; neurotypical or neurodiverse; of any culture, sexuality, race, ability, creed, or nose colour, Santa takes into account his stakeholders and their views on what might go wrong. What a fantastic set of viewpoints Santa has available to him! And he's surprisingly hip to the opportunities for security practices that a wide and diverse set of opinions and experiences can bring6 not to mention the multiple positive impacts on his organisation.


Here's my advice: Be like Santa, and adopt at least some of his security practices. You'll have a much better opportunity of getting onto his good side, and that's going to go down well—not just with him, but also with your employer, who is just certain to give you a nice bonus, right? And if not, well, it's not too late to write that letter directly to Santa himself.

  1. If you have a problem with this statement, then either you need to find another article, or you're reading this in the far future where all our climate problems have been solved. I hope.
  2. Or you dwell in one of those cultures where Santa visits quite early in December.
  3. A high-flying goose in the face can do terrible damage to a fast-moving reindeer, and if the sleigh were to crash, what then...?
  4. Not me!
  5. Santa doesn't refer to it as a "business," but he's happy for us to call it that, so we can model our own experience on his. He's nice like that.
  6. Though Santa would never use the phrase "hip to the opportunities." He's way too cool for that.
What to read next
I've been in and around Open Source since around 1997, and have been running (GNU) Linux as my main desktop at home and work since then: not always easy...  I'm a security bod and architect, co-founder of the Enarx project, and am currently CEO of a start-up in the Confi

Comments are closed.

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.