When it comes to security program management, time is of the essence. Threats need quick attention, incidents require rapid response and confirmed breaches must be dealt with promptly. Less urgently — but equally crucially — security teams must complete vulnerability and penetration testing, remediate issues uncovered during previous assessments, and roll out security awareness training.

As important as these security tasks are, they’re often put off or otherwise ignored in favor of more pressing matters. This is often due to unforeseen circumstances that are out of the organization’s control, but just as often it can be chalked up to pure, unabashed procrastination.

Procrastination Is the Enemy of Security

Procrastination is an obvious barrier to security success because it puts the business at unnecessary risk. With so much day-to-day work to accomplish, the predictable fires to put out and so on, it’s easy to get distracted and put off what’s most important in your security program.

A lot of IT professionals have personalities that strive for perfection, and sometimes that means waiting for the “perfect” time to get things done. As novelist Erica Jong once said, “We are so scared of being judged that we look for every excuse to procrastinate.” Even if it’s subconscious, putting things off is a way of taking yourself out of the spotlight. Still, time passes, and with all that goes on in security, that presumed perfect time never comes and issues keep building up.

It’s human nature — and more fun — to try to address new things as they crop up. You know, those questions from your boss, the fun new project coming down the pike, the vendors showing up for their proofs of concept. But then reality dictates that you prioritize your security focal points.

Put Together Your Security To-Do List

Security to-do lists fall into predictable categories. Some things are nice-to-haves, while others need to be addressed in the short-term, and a select few items need to be done right away. When faced with perceived risks, longer-term projects and other things you know need to be done, ask yourself the following questions to determine where to best focus your efforts:

  1. What, exactly, needs to be done? Not fully understanding this can lead to problems from the get-go.
  2. Do you need to do it now? If so, get to work.
  3. Can you do it later? If so, how long can it wait? What resources will be required once you start so you can lay the groundwork?
  4. Can we put it off until later, perhaps indefinitely? You should probably just wipe tasks that fall into this category off of the slate altogether, or delegate them to someone else or another group outside of security.

For the latter three questions, you need to consider the short- and long-term consequences of not addressing the problem now. It’s up to you and your team to determine what matters most in the context of your business and your overall security goals. You cannot take this approach to security program management lightly. If you do, you’ll end up like so many others who both ignore the basics and assume nothing bad will ever happen to them.

Hold Yourself Accountable

There’s always going to be uncertainty, and there will always be new things that create distractions. Don’t waste another minute thinking about where to start. The best way to progress is simply to get to work. Figure out what needs to be done, come up with a plan and do what it takes to make it happen, including holding yourself and your team accountable.

Time is going to pass anyway; why not start fixing what you know needs to be fixed? Like German writer Johan Wolfgang von Goethe once said, “The things that matter most must never be at the mercy of the things that matter least.” Don’t let procrastination facilitate an otherwise preventable security breach.

More from CISO

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read

The Needs of a Modernized SOC for Hybrid Cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

5 min read