
SANS ISC: What's On Your Not To Do List? - Internet Security | DShield SANS ISC InfoSec Forums


What's On Your Not To Do List?

In our craft, there are more than ample opportunities to occupy our time. There are so many things you CAN do. How can you ensure focus on the things that actually make the biggest impact? I suggest that you often take on more work than you are able to complete. Many times there is so much work to do that nothing ever seems to get finished.


I readily remember several cases where a combination of my ambition, auditors and the loss of key team members brought out this behavior in me. One in particular was a very important compliance project with a deadline that had no tolerance for schedule slippage. The internal auditors wanted to review the project in detail ahead of the external auditors coming to inspect it, all while the solution was still being deployed. Lots of stress and long hours are my biggest memories of this project. While it seemed important at the time, looking back now I struggle to remember many of the details. What I do remember are the other projects that suffered neglect during this heroic effort.


Risk assessments inform you of clear and present problems. Project deadlines loom and start to pile up. Demands from your leaders come in unexpected waves. What strategy positions you for success? Consider writing down your projects. On paper. Document their priority and their deadlines along with the stakeholder expectations. Regularly and diligently track your progress and communicate it clearly up, down and horizontally to your peers, focusing on the opportunity cost of what is being neglected.


Many times this extra clarity will lead someone to decide for you that the project that seems so important right now should go on your "not to do" list instead. I am a BIG fan of the not to do list, as it clearly communicates opportunity cost in terms of risk to the most important projects and initiatives. The clarity that comes from this exercise is worth far more than the effort to put it all together.


What ONE thing will you choose to focus on when you return to work on Monday morning? What TWO things best belong on your "not to do" list? Whether you enter them in our comments section below or keep them to yourself, consider adopting this approach while on your Monday morning commute to work.


Russell Eubanks

@russelleubanks

securityeverafter at gmail dot com

Russell

84 Posts
ISC Handler
If you want to know how risk assessments work in the real world there's an excellent YouTube video on the subject at https://www.youtube.com/watch?v=9IG3zqvUqJY

It's a discussion between a CISO and auditors regarding risk assessments. It is safe for work.
Anonymous

Posts
I totally agree - Risk Assessments are best when leveraged by more than just our security community. Auditors make great partners for improving the security posture.

Thanks so much for supporting the ISC!
Russell

84 Posts
ISC Handler
