When it comes to network security program management, time is of the essence. Threats need quick attention, incidents require rapid response and confirmed breaches must be dealt with promptly. Less urgently — but equally crucially — security teams must complete vulnerability and penetration testing, remediate issues uncovered during previous assessments, and roll out security awareness training.
As important as these security tasks are, they’re often put off or otherwise ignored in favor of more pressing matters. This is often due to unforeseen circumstances that are out of the organisation’s control, but just as often it can be chalked up to pure, unabashed procrastination.
Procrastination is an obvious barrier to security success because it puts the business at unnecessary risk. With so much day-to-day work to accomplish, the predictable fires to put out and so on, it’s easy to get distracted and put off what’s most important in your security program.
A lot of IT professionals have personalities that strive for perfection, and sometimes that means waiting for the “perfect” time to get things done. As novelist Erica Jong once said, “We are so scared of being judged that we look for every excuse to procrastinate.” Even if it’s subconscious, putting things off is a way of taking yourself out of the spotlight. Still, time passes, and with all that goes on in security, that presumed perfect time never comes and issues keep building up.
It’s human nature — and more fun — to try to address new things as they crop up. You know, those questions from your boss, the fun new project coming down the pike, the vendors showing up for their proofs of concept. But then reality dictates that you prioritise your security focal points.
Security to-do lists fall into predictable categories. Some things are nice-to-haves, while others need to be addressed in the short-term, and a select few items need to be done right away. When faced with perceived risks, longer-term projects and other things you know need to be done, ask yourself the following questions to determine where to best focus your efforts:
1.) What, exactly, needs to be done? Not fully understanding this can lead to problems from the get-go.
2.) Do you need to do it now? If so, get to work.
3.) Can you do it later? If so, how long can it wait? What resources will be required once you start so you can lay the groundwork?
4.) Can we put it off until later, perhaps indefinitely? You should probably just wipe tasks that fall into this category off of the slate altogether or delegate them to someone else or another group outside of security.
For the latter three questions, you need to consider the short- and long-term consequences of not addressing the problem now. It’s up to you and your team to determine what matters most in the context of your business and your overall security goals. You cannot take this approach to security program management lightly. If you do, you’ll end up like so many others who both ignore the basics and assume nothing bad will ever happen to them.
There’s always going to be uncertainty, and there will always be new things that create distractions. Don’t waste another minute thinking about where to start. The best way to progress is simply to get to work. Figure out what needs to be done, come up with a plan and do what it takes to make it happen, including holding yourself and your team accountable.
Time is going to pass anyway; why not start fixing what you know needs to be fixed? Like German writer Johan Wolfgang von Goethe once said, “The things that matter most must never be at the mercy of the things that matter least.” Don’t let procrastination facilitate an otherwise preventable security breach.
Written by Kevin Beaver, Independent Information Security Consultant