One of the chief obstacles to IT security isn't a Windows vulnerability, a zero-day attack, or a shortage of budget dollars. It's that @#&$!* 90-minute staff meeting, or the three-page "status report" that nobody ever reads.
That's one of the key messages that security professionals conveyed to us in Dark Reading's "A Day in the Life of a Security Pro," which was completed today.
Administrative stuff -- including paperwork, meetings, report generation, and the like -- takes up a disproportionate part of security staffers' days, respondents say. And the time spent on these tasks actually reduces those staffers' ability to do real vulnerability assessment, and may actually leave the organization less secure.
"Every morning I must sort and distribute reports, forms, and letters that were produced from nightly processing," complains an IT specialist in the federal government who asked to remain anonymous. "This can take from 30 minutes to four hours, depending on the day of the week, month, or year." With few security specialists in the department, "I think my time would be better spent elsewhere," he says.
He's not alone. In our Web survey of 115 security professionals, nearly 80 percent say they spend between 30 minutes and four hours per day on administrative tasks. We're not talking end-user administration here -- this is the time they spend on meetings, status reports, and paperwork. And more than 28 percent of respondents say they expect to spend more time on these sorts of tasks in the coming year.
Not surprisingly, survey respondents rank administrative tasks as the least valuable jobs they do each day. Almost 72 percent rank these tasks as "not beneficial;" about 10 percent rank them as "a total waste of time."
One security manager who works for a state government says she actually has to spend time filing reports about how much time her people spend on different IT tasks. "My staff and I barely have time to do the work we do, and these [reports] trivialize what we do and take time away from more important work we could be doing."
These lost hours could result in lower security for the organization. While nearly 80 percent spend as much as half their days in administration, more than 58 percent say they spend fewer than 90 minutes per day evaluating their organization's infrastructure and architecture to make it more secure. Several respondents say they spend too much time "fire fighting" and handling administrative tasks to adequately analyze their security infrastructure.
"The best use of my time would be to plan our risk management and compliance efforts for the future," says an information security manager at a California semiconductor manufacturer. "However, this is among the lowest priorities in my work day. There are too many other requests for my attention."
Regulatory and policy compliance tasks were the second most frequently cited time-sucker. Some 47 percent of respondents say they spend at least 30 minutes a day on compliance issues, and some 14 percent say these initiatives take up more than a third of each workday. Thirty-six percent say they expect to spend even more time on compliance initiatives in the coming year.
Compliance reporting already is the most time-consuming task for Mike Rizzi, an IT security support administrator for First Federal Bank of Charleston in South Carolina. "The [audit] requests rarely -- if ever -- are clear, or ask for precisely what is needed," he says. "We have to provide several agencies with nearly identical information, but each reporting body wants it in their own format."
Regulatory requirements make compliance efforts necessary, but few security pros see these efforts as beneficial to their organizations. Of the respondents whose organizations are subject to regulatory compliance, more than half say their compliance projects are "not beneficial" to their enterprises; about 6 percent described them as "a total waste of time."
Aside from administrative tasks and compliance requirements, security pros express the most frustration over the time they spend managing end-user requests. More than 33 percent say their most frustrating time-waster is "reminding witless users that they aren't allowed to use unauthorized applications or download company documents to their iPods."
"My biggest time-waster is answering the same security questions over and over again from users who haven't read my many newsletters and FAQs," says another security administrator for a state government. "No matter how many times I write about what spam and phishing are, and how to avoid them, I get several email messages a week from users who attach a mail message and ask me, 'Is this legitimate?'"
In fact, more than half of the survey respondents say they spend at least 30 minutes a day managing end-user problems, and more than 10 percent say those activities take up at least a third of their day. Password problems were the most commonly-cited challenge: Several respondents say password resets are the tasks they would most like to take off their plates.
While end-user management is time consuming, most IT pros don't consider it to be a time-waster. In our survey, more than 62 percent of respondents say that "training users and/or other IT staffers" in security technology is beneficial to the organization, and more than 20 percent characterize it as "extremely beneficial."
"It can be a pain, but without [end user management], I wouldn't have a job," says one security pro.
Although many survey respondents express frustration with their most time-consuming tasks, most of them feel satisfied with their jobs. More than 50 percent say the majority of their day is spent doing tasks that are "enjoyable and rewarding." Monitoring and analyzing systems and networks for potential security problems ranks as the most beneficial task, cited by more than 80 percent of respondents.
Tim Wilson, Site Editor, Dark ReadingTim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio