January 2, 2018 By Kevin Beaver 3 min read

Time is the scarcest resource we have as IT and security professionals. There are only so many minutes in each day to get things done. At the root of many security incidents and breaches is poor time management on the part of those tasked with getting the work done and preventing the breaches to begin with.

I certainly don’t envy information security administrators, managers and executives. With all the distractions of day-to-day business and constant interruptions by outside parties, it seems that there’s never enough time to focus on the big things — that is, until they’re made a priority.

Make ‘Back to Work’ Your Mantra

The older I get and the more patterns I see in security, the more I’ve realized the wisdom in what Jim Rohn once said: “If you really want to do something, you’ll find a way. If you don’t, you’ll find an excuse.”

I’ve witnessed and heard about some of the best professionals in this field getting distracted by new, shiny projects and technologies, and pushing aside the less exciting aspects of security. The good news is that it’s human nature to be drawn to something new. The bad news is that avoiding these distractions requires discipline. Therein lies a gap that creates the basis for many of the security challenges we have today.

The key to getting things done in security is to constantly ask yourself whether or not what you’re currently working on is the most valuable use of your time. I do that multiple times per day. If I catch myself getting distracted by my phone, social media or whatever — and I often do — I have found that repeating the phrase “back to work” a few times to myself helps me get back on track.

Urgency Versus Importance

To determine what is the most valuable use of your time is, you have to decide what’s most urgent and what’s most important. You’ll find many things that are urgent but not important, and just as many things that are important but not particularly urgent. You’ll also have other tasks that are neither urgent nor important. The key is to sharpen your focus on the areas that meet both criteria.

For example, documenting your security policies and updating your latest security standards are important tasks, but not urgent. The fact that a certain vendor just released an update to hardware or software that may or may not even be present in your environment might seem urgent, but it’s not necessarily important. However, if you haven’t performed vulnerability or penetration testing in the past six months, or if your development team hasn’t taken the proper steps to address the critical findings in your latest security assessment report, your resources should be focused in these areas.

Obviously, remediating known security threats, such as distributed denial-of-service (DDoS) and phishing attacks, should be a high priority. Ditto for major gaps around patch management, network monitoring and alerting, and awareness training. Make sure you’re making the right choices to prioritize whatever is considered urgent and important on your to-do list. The last thing you need is something urgent and important being ignored for so long that it brings your business — and possibly even your career — to its knees.

Set Your Goals for Time Management

Even though time management is such a critical aspect of the information security function, I’d venture to guess that most IT and security professionals have never taken a course in it. Study the concepts of time management and hold yourself and other pertinent parties accountable. Branch out and review your information security program goals. These goals are intertwined with how you manage your time and, ultimately, yourself.

Whatever needs to get done, dig in, get to work and commit to fending off distractions that are within your control. This one area of personal development can positively impact your security program in unimaginable ways.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

More from Risk Management

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Mapping attacks on generative AI to business impact

5 min read - In recent months, we’ve seen government and business leaders put an increased focus on securing AI models. If generative AI is the next big platform to transform the services and functions on which society as a whole depends, ensuring that technology is trusted and secure must be businesses’ top priority. While generative AI adoption is in its nascent stages, we must establish effective strategies to secure it from the onset. The IBM Institute for Business Value found that despite 64%…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today