December 28, 2018 By Kevin Beaver 3 min read

When it comes to security program management, time is of the essence. Threats need quick attention, incidents require rapid response and confirmed breaches must be dealt with promptly. Less urgently — but equally crucially — security teams must complete vulnerability and penetration testing, remediate issues uncovered during previous assessments, and roll out security awareness training.

As important as these security tasks are, they’re often put off or otherwise ignored in favor of more pressing matters. This is often due to unforeseen circumstances that are out of the organization’s control, but just as often it can be chalked up to pure, unabashed procrastination.

Procrastination Is the Enemy of Security

Procrastination is an obvious barrier to security success because it puts the business at unnecessary risk. With so much day-to-day work to accomplish, the predictable fires to put out and so on, it’s easy to get distracted and put off what’s most important in your security program.

A lot of IT professionals have personalities that strive for perfection, and sometimes that means waiting for the “perfect” time to get things done. As novelist Erica Jong once said, “We are so scared of being judged that we look for every excuse to procrastinate.” Even if it’s subconscious, putting things off is a way of taking yourself out of the spotlight. Still, time passes, and with all that goes on in security, that presumed perfect time never comes and issues keep building up.

It’s human nature — and more fun — to try to address new things as they crop up. You know, those questions from your boss, the fun new project coming down the pike, the vendors showing up for their proofs of concept. But then reality dictates that you prioritize your security focal points.

Put Together Your Security To-Do List

Security to-do lists fall into predictable categories. Some things are nice-to-haves, while others need to be addressed in the short-term, and a select few items need to be done right away. When faced with perceived risks, longer-term projects and other things you know need to be done, ask yourself the following questions to determine where to best focus your efforts:

  1. What, exactly, needs to be done? Not fully understanding this can lead to problems from the get-go.
  2. Do you need to do it now? If so, get to work.
  3. Can you do it later? If so, how long can it wait? What resources will be required once you start so you can lay the groundwork?
  4. Can we put it off until later, perhaps indefinitely? You should probably just wipe tasks that fall into this category off of the slate altogether, or delegate them to someone else or another group outside of security.

For the latter three questions, you need to consider the short- and long-term consequences of not addressing the problem now. It’s up to you and your team to determine what matters most in the context of your business and your overall security goals. You cannot take this approach to security program management lightly. If you do, you’ll end up like so many others who both ignore the basics and assume nothing bad will ever happen to them.

Hold Yourself Accountable

There’s always going to be uncertainty, and there will always be new things that create distractions. Don’t waste another minute thinking about where to start. The best way to progress is simply to get to work. Figure out what needs to be done, come up with a plan and do what it takes to make it happen, including holding yourself and your team accountable.

Time is going to pass anyway; why not start fixing what you know needs to be fixed? Like German writer Johan Wolfgang von Goethe once said, “The things that matter most must never be at the mercy of the things that matter least.” Don’t let procrastination facilitate an otherwise preventable security breach.

More from Risk Management

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today