Working Smarter not Harder is Key. The Most Important Thing to do is Prioritize.
I’m a busy guy. I start work before 8:00, and more often than not eat lunch at my desk. I usually quit for the day towards 6:00. And, when I do things like write my SecurityWeek columns, more often than not I do that after my normal workday. In the evening, I help make dinner, clean up dishes, and then work out for an hour or so. If it is not too cold or too hot, the dog takes me for a drag (with a 70-pound Norwegian Elkhound it is not considered a “walk”). Among grocery shopping, mowing the lawn, shoveling snow and other assorted chores, I make sure to enjoy time with my family, and, of course, watch the Packer game when it is on TV.
Part of this is prioritizing. I work at home, and there are always all of these chores and other assorted things calling me. But, work has its own priorities, and I simply cannot afford to let the other things distract me from getting my stuff done.
To some extent, this is a microcosm of any organization’s IT/Security world. We simply have too many competing priorities to complete everything we want to get done. This is the “too much work left at the end of the day” syndrome. I was once in a meeting in which the senior manager cursed loudly and pounded on the table, demanding to know, “What are people doing after 6:00? What are people doing on weekends?” I once worked at a company that regularly scheduled consultants to be billable for 50 hours per week, and consultants were expected to complete all of their administrative tasks, including travel, on top of that. For 18 months I averaged over 80 hours a week, though my own personal record was 147 work hours over eight days, back in the day. But, all rational people understand that this is not really the way the world should function. In reality, we really can only get so much done in the time we have. There really is such a thing as working smarter not harder.
First things first.
The first thing we do is prioritize. I am pretty strict about working during work hours. But afterwards, I prioritize house maintenance and food (but I like to cook) and family over general chores, but make sure I take time to play. Some of this just comes naturally, and some things need to be planned and scheduled – I mean, it is hard to make Veal Saltimbocca on Tuesday if I didn’t pick up everything during Sunday grocery shopping.
In the business world, there simply are things that are more important than other things. I will step up on my little soapbox long enough to reiterate that one of the most important things an organization can do is complete their Business Impact Analysis (BIA) (or Information Asset Inventory, or whatever you happen to call it). Identify what all of your cool data is, where it sits, how it moves through your organization, and how you access and use that information. If access to critical data requires an application, then that application, and the server which runs it, are just as critical to your organization. The critical issue in the BIA is to identify exactly what and where your cool data is.
Then, you can determine what your other constraints and controls are/should be for that cool data. Is it PHI? Is it cardholder data? Answers about your data tell you a lot about how you should be prioritizing system support and security controls. When it comes to your information security program, one of your highest priority steps is simply adding protections that are appropriate for the data. Hopefully, it is obvious that personal financial information of clients should be getting a higher level of control (and corresponding protection) than the number of size 7 ½ shoes you have in stock. Simply put, it is hard to protect my PHI on Tuesday if I didn’t figure out Sunday that I had PHI to protect.
Don’t Wait, Automate.
One of my regular chores used to be making sure all of our home computers were regularly backed up. It only took me one unprotected catastrophic crash to realize that I needed to do regular backups, and they have served me well. But, it takes time to log onto every computer in the house and run a backup. So, I installed a home server, installed it on my home network, and every computer on my network gets a weekly backup (which is stored on mirrored drives on the server). Yes, it took me probably four hours to install the home server, and probably another four hours to make my images and set up the automatic backups. But it saves me an hour per week of manually kicking off backups and manually managing images.
In our home, there are only so many things we can do. The same may very well be true for a business, but the general rule is accurate – automation can take repetitive tasks off your staff’s list of responsibilities. I worked with a large retailer that manually built every single desktop computer they fielded internally. Yes, they used a checklist, but they pretty much loaded everything by hand. They standardized their build process, then automated it by developing a process to load a standard image on every system. Their build process went from a 3-4 hour manual process to a task that literally took less than 15 minutes. That doesn’t sound like so much, but you go ahead and build 7,000 images a year and check out that time savings (hint: going from 12 person-years of effort to well under 1 year of effort is considered good efficiency).
Identify your common, repetitive tasks that are the most likely candidates for automation. Backups are obvious. How much time does your organization spend doing compliance auditing and reporting? I once worked with an online retailer that claimed they did something like 19 audits per quarter. Given that there are only 12 weeks in a quarter, that means auditing was pretty much constant. If they could automate compliance reporting, would it have a good chance of making a good return on the investment required to gather and manage logs for the reporting engine? Probably.
Share the Load.
Even at that, I don’t always have time for everything. Sometimes, during the summer, I pay one of the neighborhood kids to mow the lawn. The trade-off is that I think the 90 minutes it saves me is worth the $25 I have to pay to get it done. Think of it as outsourcing.
An organization can think of this the same way. Would you pay a provider $160,000 per year to manage some aspect of your security program if it meant you could replace $300,000 worth of resources? Realistically, perhaps that means you are making better use of their skill sets and they are working on something more focused to move your business forward. But, if the answer to the question is that you can do something better and cheaper by outsourcing, you should at least consider the cost/benefit and make a sound business decision on the outsourcing. The other key point in outsourcing is getting the maximum benefit from any outsourcing opportunity. Don’t just find someone to offload hours. Find an outsourcer that fulfills an actual need – something they really can do better than you.
Getting it Done.
Realistically, in the end, it is all about getting things done. Balancing all of the things on your list, and completing the things you have to complete. Yes, sometimes the 80-hour week is necessary, and sometimes that is just the way it works out. That is how I end up checking email after finishing my game of Dead Island at 4:30 on a Saturday morning.