
The Great Creeping Time-Suck

Peripheral tasks and distractions keep IT security people from doing their real jobs

10:55 AM -- No matter what your job, every day is laced with distractions. Writing status reports. Filling out timesheets. Going to meetings that don't have a clear agenda. Listening to water-cooler conversations longer than you'd planned. We all have moments when we feel as though we've stepped into a "Dilbert" comic strip or an episode of "The Office."

But security professionals get it worse than most. In our latest survey, "A Day in the Life of an IT Security Pro," we found out that administrative tasks, peripheral distractions, and manually intensive processes often keep security people from doing the things they need to do to protect the organization. (See Stop Wasting My Time.)

Aside from the usual distractions that come with any job, security pros have some unique challenges. The worst, of course, is that nobody else in the organization truly understands what they do. Top-ranking executives want constant reports on security, because they know it's important, but they actually have no idea what the reports mean when they get them. End users call security about every three-year-old phishing scam they find in their mailboxes.

Security pros are often called into meetings because the topic "might have security implications," when there aren't any such implications at all. They are required to spend hours trying to cost-justify the time they spend protecting the company from things that might happen -- a concept that breaks every ROI equation known to the CFO.

On the other end, security pros spend a lot of their time doing helpdesk functions that have little to do with protecting information. Resetting passwords, responding to calls that say, "I think my PC has a virus," explaining that no, you can't open any email attachment just to see what's inside. These are everyday battles for the average security staffer.

And it doesn't stop there. Today's public companies are now inundated with a raft of regulatory requirements, from SOX to GLBA to FISMA or HIPAA. Each one of these requirements has a security requirement and a deadline, yet compliance with the specifications seldom truly improves the overall integrity of the infrastructure.

With all of these distractions, it's amazing that security pros ever find time to do the real work of vulnerability assessments, log file analysis, and everyday security troubleshooting -- all tasks that are highly time-consuming in their own right.

So here's another qualification to add to the list of requirements for a successful IT security hire: good time management skills. To protect your company's data, you must navigate not only the usual office obstacles but also a special set of hurdles set up just for the security folks. It's enough to drive you to drink.

If you can find the time, that is.

— Tim Wilson, Site Editor, Dark Reading
