Time is the scarcest resource we have as IT and security professionals. There are only so many minutes in each day to get things done. At the root of many security incidents and breaches is poor time management on the part of those tasked with getting the work done and preventing the breaches to begin with.
I certainly don’t envy information security administrators, managers and executives. With all the distractions of day-to-day business and constant interruptions by outside parties, it seems that there’s never enough time to focus on the big things — that is, until they’re made a priority.
Make ‘Back to Work’ Your Mantra
The older I get and the more patterns I see in security, the more I’ve realized the wisdom in what Jim Rohn once said: “If you really want to do something, you’ll find a way. If you don’t, you’ll find an excuse.”
I’ve witnessed and heard about some of the best professionals in this field getting distracted by new, shiny projects and technologies, and pushing aside the less exciting aspects of security. The good news is that it’s human nature to be drawn to something new. The bad news is that avoiding these distractions requires discipline. Therein lies a gap that creates the basis for many of the security challenges we have today.
The key to getting things done in security is to constantly ask yourself whether or not what you’re currently working on is the most valuable use of your time. I do that multiple times per day. If I catch myself getting distracted by my phone, social media or whatever — and I often do — I have found that repeating the phrase “back to work” a few times to myself helps me get back on track.
Urgency Versus Importance
To determine what is the most valuable use of your time is, you have to decide what’s most urgent and what’s most important. You’ll find many things that are urgent but not important, and just as many things that are important but not particularly urgent. You’ll also have other tasks that are neither urgent nor important. The key is to sharpen your focus on the areas that meet both criteria.
For example, documenting your security policies and updating your latest security standards are important tasks, but not urgent. The fact that a certain vendor just released an update to hardware or software that may or may not even be present in your environment might seem urgent, but it’s not necessarily important. However, if you haven’t performed vulnerability or penetration testing in the past six months, or if your development team hasn’t taken the proper steps to address the critical findings in your latest security assessment report, your resources should be focused in these areas.
Obviously, remediating known security threats, such as distributed denial-of-service (DDoS) and phishing attacks, should be a high priority. Ditto for major gaps around patch management, network monitoring and alerting, and awareness training. Make sure you’re making the right choices to prioritize whatever is considered urgent and important on your to-do list. The last thing you need is something urgent and important being ignored for so long that it brings your business — and possibly even your career — to its knees.
Set Your Goals for Time Management
Even though time management is such a critical aspect of the information security function, I’d venture to guess that most IT and security professionals have never taken a course in it. Study the concepts of time management and hold yourself and other pertinent parties accountable. Branch out and review your information security program goals. These goals are intertwined with how you manage your time and, ultimately, yourself.
Whatever needs to get done, dig in, get to work and commit to fending off distractions that are within your control. This one area of personal development can positively impact your security program in unimaginable ways.