First Monday at the desk. Office still cold, kettle on. The shape of 2018 is clearer than at the start of any of the previous five years, in part because the regulatory and operational deadlines this year are sharp.

GDPR comes into enforcement on the 25th of May. Twenty weeks. The customer programmes are mostly on track but the last twelve weeks of any GDPR programme are about evidence, attestation, and the operational mechanics of breach response — the policy and architecture work being mostly complete by now. Browne Jacobson's GDPR posture is as I would want it; the Data Protection Officer appointment is in place, the Article 30 records are current, the breach-response protocol has been tested twice in tabletop exercises. Towry is similar. Northcott is closer to the wire than I would like; the DPO function is in the senior leadership but the operational machinery is still being built. The manufacturer is the largest piece of work — substantial cross-border data flows, multiple processor relationships, a Data Protection Impact Assessment programme that is in the middle stages rather than the final stages. The new financial-services client (the firm I added in September 2016) is in good shape. The retailer added in October 2017 is on a tight schedule but with sufficient resourcing to land it. Aggregate: probably four of six attestable on time, with the remaining two on remediation plans.

The Emily productisation question that I closed 2017 with. The decision is to productise. The argument that won the internal conversation is that the SOC-augmentation market is real, the team has the capability to build the product, and the alternative (keeping Emily as an internal differentiator only) leaves a substantial portion of the team's potential output unused. The product will be a separate offering branded EmilyAI — the postgraduate intern (now the lead engineer on the work, eighteen months in and shaping into the right shape for the role) suggested the rebrand and the team agreed. The first commercial release is targeted for Q2 with the existing customer-organisation pilots from 2017 as the initial reference customers. The product question — packaging, pricing, deployment model — is the work for January and February. The engineering work for the multi-tenant deployment architecture is the work for February and March. Live customer deployment in April or May.

The decision changes the company's shape. Hedgehog has been, for eight years, primarily a services business — vCISO engagements, pen testing, SOC-as-a-service. Adding a product line introduces engineering, product management, sales, and customer-success disciplines that the services-only business does not have at the same level. The hiring plan for 2018 reflects this — a product manager in February, a sales engineer in March, an additional senior ML engineer to take pressure off the lead, and a customer-success function from Q3. The total headcount goes from 17 at the start of January to a target of 22-24 by year-end. The Bath office, which has been deferred for two years, is now happening in March.

The threat-landscape planning. The post-WannaCry and post-NotPetya patching cadence is settling into operational rhythm at most customers; the 7-day SLA for critical patches is now standard rather than aspirational. The supply-chain attention from 2017 (NotPetya, CCleaner, ROCA) continues to drive customer programme work. The information-operation pattern from 2016 has not, in 2017, recurred at the same scale, but the assumption is that 2018 will produce something — the political calendar in several jurisdictions provides motivation, and the technical capability has been demonstrated. The post-Mirai DDoS landscape has been more stable than I would have predicted in early 2017; the Memcached-reflection technique that has appeared in the past several weeks (Cloudflare blog post on Memcrashed, late February — to be linked when published) may produce the year's first volumetric escalation.

The longer-form essay file. The DDoS-book successor that I have been outlining for two years is committed to being a draft by year-end. The export-control-cryptographic-debt essay (FREAK, Logjam, DROWN, ROCA) is committed to being publishable by mid-year. The early-Emily research paper, written as research not as product, is committed to being submitted to USENIX or comparable by September. Conferences: Infosec Europe in June (with a stand for the EmilyAI commercial launch), at least two BSides, and a research-paper presentation if the Emily paper lands.

The kettle has boiled. Inbox now.
