Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Stop Wasting My Time

Dark Reading survey shows frustrated security pros spend too much time on drudgery, not enough on important tasks

One of the chief obstacles to IT security isn't a Windows vulnerability, a zero-day attack, or a shortage of budget dollars. It's that @#&$!* 90-minute staff meeting, or the three-page "status report" that nobody ever reads.

That's one of the key messages that security professionals conveyed to us in Dark Reading's "A Day in the Life of a Security Pro," which was completed today.

Administrative stuff -- including paperwork, meetings, report generation, and the like -- takes up a disproportionate part of security staffers' days, respondents say. And the time spent on these tasks actually reduces those staffers' ability to do real vulnerability assessment, and may actually leave the organization less secure.

"Every morning I must sort and distribute reports, forms, and letters that were produced from nightly processing," complains an IT specialist in the federal government who asked to remain anonymous. "This can take from 30 minutes to four hours, depending on the day of the week, month, or year." With few security specialists in the department, "I think my time would be better spent elsewhere," he says.

He's not alone. In our Web survey of 115 security professionals, nearly 80 percent say they spend between 30 minutes and four hours per day on administrative tasks. We're not talking end-user administration here -- this is the time they spend on meetings, status reports, and paperwork. And more than 28 percent of respondents say they expect to spend more time on these sorts of tasks in the coming year.

Not surprisingly, survey respondents rank administrative tasks as the least valuable jobs they do each day. Almost 72 percent rank these tasks as "not beneficial;" about 10 percent rank them as "a total waste of time."

One security manager who works for a state government says she actually has to spend time filing reports about how much time her people spend on different IT tasks. "My staff and I barely have time to do the work we do, and these [reports] trivialize what we do and take time away from more important work we could be doing."

These lost hours could result in lower security for the organization. While nearly 80 percent spend as much as half their days in administration, more than 58 percent say they spend fewer than 90 minutes per day evaluating their organization's infrastructure and architecture to make it more secure. Several respondents say they spend too much time "fire fighting" and handling administrative tasks to adequately analyze their security infrastructure.

"The best use of my time would be to plan our risk management and compliance efforts for the future," says an information security manager at a California semiconductor manufacturer. "However, this is among the lowest priorities in my work day. There are too many other requests for my attention."

Regulatory and policy compliance tasks were the second most frequently cited time-sucker. Some 47 percent of respondents say they spend at least 30 minutes a day on compliance issues, and some 14 percent say these initiatives take up more than a third of each workday. Thirty-six percent say they expect to spend even more time on compliance initiatives in the coming year.

Compliance reporting already is the most time-consuming task for Mike Rizzi, an IT security support administrator for First Federal Bank of Charleston in South Carolina. "The [audit] requests rarely -- if ever -- are clear, or ask for precisely what is needed," he says. "We have to provide several agencies with nearly identical information, but each reporting body wants it in their own format."

Regulatory requirements make compliance efforts necessary, but few security pros see these efforts as beneficial to their organizations. Of the respondents whose organizations are subject to regulatory compliance, more than half say their compliance projects are "not beneficial" to their enterprises; about 6 percent described them as "a total waste of time."

Aside from administrative tasks and compliance requirements, security pros express the most frustration over the time they spend managing end-user requests. More than 33 percent say their most frustrating time-waster is "reminding witless users that they aren't allowed to use unauthorized applications or download company documents to their iPods."

"My biggest time-waster is answering the same security questions over and over again from users who haven't read my many newsletters and FAQs," says another security administrator for a state government. "No matter how many times I write about what spam and phishing are, and how to avoid them, I get several email messages a week from users who attach a mail message and ask me, 'Is this legitimate?'"

In fact, more than half of the survey respondents say they spend at least 30 minutes a day managing end-user problems, and more than 10 percent say those activities take up at least a third of their day. Password problems were the most commonly-cited challenge: Several respondents say password resets are the tasks they would most like to take off their plates.

While end-user management is time consuming, most IT pros don't consider it to be a time-waster. In our survey, more than 62 percent of respondents say that "training users and/or other IT staffers" in security technology is beneficial to the organization, and more than 20 percent characterize it as "extremely beneficial."

"It can be a pain, but without [end user management], I wouldn't have a job," says one security pro.

Although many survey respondents express frustration with their most time-consuming tasks, most of them feel satisfied with their jobs. More than 50 percent say the majority of their day is spent doing tasks that are "enjoyable and rewarding." Monitoring and analyzing systems and networks for potential security problems ranks as the most beneficial task, cited by more than 80 percent of respondents.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.