InfoSec Does Time Management Wrong

November 30, 2015

Actually, all of Information Technology does time management wrong. And it’s not about your todo list.

It was 2000 and I was a network administrator. The only network administrator in my business unit. So when I quit in August, I had to teach them everything I knew.

I wrote the manual “How to be Jay.” It contained everything I did, how to troubleshoot it, and anything else one would need to keep the networks up and running. The final comment was “If you need any help, feel free to call.”

In the one month after I left, I only got called once. And the network kept on humming.

But the three years prior to that, I never wrote anything down. I remember getting called by our Canadian subsidiary on Thanksgiving with network troubles. It also wasn’t unusual to be on the phone at 2am walking someone through a network upgrade.

I was young and I felt job security meant that I was needed. But I ended up quitting because I was needed too much (and they wanted me to move to Atlanta).

What Time Management Should Be

The How to be Jay manual was long overdue. It is probably long overdue for you too. We spend all of our days dealing with the latest urgent need. Many of those needs are repetitive — same issue, different day.

Instead of working a todo list based upon urgency, work your todo list based upon the multiplier effect.

The multiplier effect means that something you do today helps someone or something else do it tomorrow.

Let’s take a report. Each month you put together a dashboard of vulnerabilities, metrics and other fun stuff. You have to do it because the metric calculations are in your head, or you’re the only one who knows where to find all of the data, or, or, or… the list could go on.

If you create a spreadsheet with the calculations, document where you get all of the information to create the calculations and potentially even automate the creation of the reports, you’re multiplying your time. The time you spent building all of that is effort you can now delegate.

The Return on Investment for Your Time

When I first learned about DevOps (see my take on Security and Devops here), one key component resonated with me. Let the Subject Matter Experts be Subject Matter Experts.

Too often the most talented infosec professionals are still spending time on tasks someone else can do. While there are other reasons, here I am focusing on one: not thinking about multiplying your time. The SME could be documenting the task and teaching someone else to perform it, and then focusing on higher-value tasks instead.

That’s the idea with an ROI on your time. Is that task a good return on your time? If not, teach it, automate it and get it off your plate.

Multiplying Time: Compound Interest

In my mind, the most important part of multiplying time is teaching. With every task you’d like to get off your plate, you’re teaching someone how to do it. Apprenticeship.

The sixty minute investment you make on teaching someone an information security task means that you’ve also added to the knowledge and value of the person you’re teaching. With such a huge shortage of information security talent, the value of growing people’s information security careers can be hugely impactful.

So Why Aren’t I Doing This Today?

Everything here is common sense. Here is a quick list of reasons people can’t do this:

  • I don’t have the time
  • I don’t have anyone to delegate to
  • My boss won’t let me
  • I have nothing to delegate
  • Only I can do it right

I don’t know your specific situation, but many of these may be true for you. I also think that you can think more clearly about your time when you think about the multiplier effect.

In my network administration job back in 2000, I thought I didn’t have anyone to delegate to. I was a manager but the people who worked for me were routers and switches. That said, there were countless numbers of people who could have been the first lines of defense if I had given them the tools they needed to check things. At the very least, when they called they could give me a head start on troubleshooting the issues. “Hey Jay, the network interface is down, I checked the cables and they all look good.” That’s far more helpful than “the internet is down.”

This isn’t easy but with the right mindset, you can not only make a difference for yourself but for your team as well.
