• Too many people, too many policies, too much busy work! Security has to wait…

    10 Nov 2023

    Busy, busy, busy…That’s what everyone working in and around IT/security seems to be these days. Ditto for the average user. So many things to do and not enough time to do them. It appears that everyone is completely overwhelmed with work, putting out fires, rather than focusing on productive work that moves the business forward. But is this really the case? Based on studies I’ve seen and things I witnessed with my own eyes, I suspect the average user and even IT/security staff member is working at about 60-70% utilization, on actual fruitful work, at best.

    There’s just so much stuff going on…So many things to do…So many people and systems to oversee…

    It takes IT and security teams, especially those at larger companies, so long to get security measures in place. While these people are having meetings, chasing down the latest and greatest security technologies, or otherwise wasting time, the bad guys are doing their thing. And it’s often all out in the open, flying under the radar (when “radar” even exists) and no one ever knows about it until it’s made public by the hackers doing the work.

    The business model of criminal hackers is simple. They’re not having a ton of distracting meetings. They’re not waiting around to get committee approval on policies or new capital expenditures or buy-in on whatever it is they’re trying to accomplish. They’re not tiptoeing around and taking their time for cultural or political reasons. Instead, they’ve streamlined their business processes and are quick to move to the execution phase…hence all of the incidents and breaches we see – and seemingly cannot defend against.

    We’ve known for a while that most businesses are behind the eight ball when it comes to security. The bad guys have the upper hand…and they know it. I strongly believe that businesses will ALWAYS be behind, especially when technical staff, end users, and even executive management are continually distracted.

    The question becomes: what are you going to do about this challenge in your organization? Time is indeed precious. Are you making the most of it?

    Here’s a quick and valuable exercise: the next time you finish up a conference call or an in-person meeting, ask yourself, what part of this could not have been solved via quick emails or direct messages…? You’ll be hard-pressed to find much for most meetings…at least that’s been my experience. And, this is just part of the “no time to get anything done” challenge so many people/businesses face.

    Remember, it’s not how busy you are, or appear to be. It’s what you’re actually getting done and the value of that work that matters. Perhaps taking a course in time management would have greater dividends than most things you’re doing now? It has helped me tremendously…more than any course I’ve ever taken in information security. Brian Tracy has amazing content on the topic of time management that you may consider checking out and sharing internally at your business. Mastering these kinds of things is what will ultimately lead to the mastery of your information security program.

    Further reading on this topic from my posts of years past:

    Are you idling or powering ahead?

    Digital distractions take top priority

    How are you spending your time?

    Are you goofing off too?

    Perhaps the goofing off is justified