
Stop Wasting My Time

Dark Reading survey shows frustrated security pros spend too much time on drudgery, not enough on important tasks

One of the chief obstacles to IT security isn't a Windows vulnerability, a zero-day attack, or a shortage of budget dollars. It's that @#&$!* 90-minute staff meeting, or the three-page "status report" that nobody ever reads.

That's one of the key messages that security professionals conveyed to us in Dark Reading's "A Day in the Life of a Security Pro," which was completed today.

Administrative stuff -- including paperwork, meetings, report generation, and the like -- takes up a disproportionate part of security staffers' days, respondents say. And the time spent on these tasks reduces those staffers' ability to do real vulnerability assessment, and may actually leave the organization less secure.

"Every morning I must sort and distribute reports, forms, and letters that were produced from nightly processing," complains an IT specialist in the federal government who asked to remain anonymous. "This can take from 30 minutes to four hours, depending on the day of the week, month, or year." With few security specialists in the department, "I think my time would be better spent elsewhere," he says.

He's not alone. In our Web survey of 115 security professionals, nearly 80 percent say they spend between 30 minutes and four hours per day on administrative tasks. We're not talking end-user administration here -- this is the time they spend on meetings, status reports, and paperwork. And more than 28 percent of respondents say they expect to spend more time on these sorts of tasks in the coming year.

Not surprisingly, survey respondents rank administrative tasks as the least valuable jobs they do each day. Almost 72 percent rank these tasks as "not beneficial;" about 10 percent rank them as "a total waste of time."

One security manager who works for a state government says she actually has to spend time filing reports about how much time her people spend on different IT tasks. "My staff and I barely have time to do the work we do, and these [reports] trivialize what we do and take time away from more important work we could be doing."

These lost hours could result in lower security for the organization. While nearly 80 percent spend as much as half their days in administration, more than 58 percent say they spend fewer than 90 minutes per day evaluating their organization's infrastructure and architecture to make it more secure. Several respondents say they spend too much time "fire fighting" and handling administrative tasks to adequately analyze their security infrastructure.

"The best use of my time would be to plan our risk management and compliance efforts for the future," says an information security manager at a California semiconductor manufacturer. "However, this is among the lowest priorities in my work day. There are too many other requests for my attention."

Regulatory and policy compliance tasks were the second most frequently cited time-sucker. Some 47 percent of respondents say they spend at least 30 minutes a day on compliance issues, and some 14 percent say these initiatives take up more than a third of each workday. Thirty-six percent say they expect to spend even more time on compliance initiatives in the coming year.

Compliance reporting already is the most time-consuming task for Mike Rizzi, an IT security support administrator for First Federal Bank of Charleston in South Carolina. "The [audit] requests rarely -- if ever -- are clear, or ask for precisely what is needed," he says. "We have to provide several agencies with nearly identical information, but each reporting body wants it in their own format."

Regulatory requirements make compliance efforts necessary, but few security pros see these efforts as beneficial to their organizations. Of the respondents whose organizations are subject to regulatory compliance, more than half say their compliance projects are "not beneficial" to their enterprises; about 6 percent described them as "a total waste of time."

Aside from administrative tasks and compliance requirements, security pros express the most frustration over the time they spend managing end-user requests. More than 33 percent say their most frustrating time-waster is "reminding witless users that they aren't allowed to use unauthorized applications or download company documents to their iPods."

"My biggest time-waster is answering the same security questions over and over again from users who haven't read my many newsletters and FAQs," says another security administrator for a state government. "No matter how many times I write about what spam and phishing are, and how to avoid them, I get several email messages a week from users who attach a mail message and ask me, 'Is this legitimate?'"

In fact, more than half of the survey respondents say they spend at least 30 minutes a day managing end-user problems, and more than 10 percent say those activities take up at least a third of their day. Password problems were the most commonly cited challenge: Several respondents say password resets are the tasks they would most like to take off their plates.

While end-user management is time consuming, most IT pros don't consider it to be a time-waster. In our survey, more than 62 percent of respondents say that "training users and/or other IT staffers" in security technology is beneficial to the organization, and more than 20 percent characterize it as "extremely beneficial."

"It can be a pain, but without [end user management], I wouldn't have a job," says one security pro.

Although many survey respondents express frustration with their most time-consuming tasks, most of them feel satisfied with their jobs. More than 50 percent say the majority of their day is spent doing tasks that are "enjoyable and rewarding." Monitoring and analyzing systems and networks for potential security problems ranks as the most beneficial task, cited by more than 80 percent of respondents.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...