Andy wrote recently about urgency in security. And I think he brought up some really good and really important points:
"There is a trend in information security... to tackle the urgent issues first. These are the issues that users are screaming about, management is on you about, auditors have written you up about and then things that get you noticed. No one gets noticed for the security flaw or vulnerability that they found, patched and as a result prevented a breach. You get noticed when you put out a fire that other people see. Even if that fire is in the middle of a field and is surrounded by a moat full of water. People see you out there jumping up and down putting out that fire and they applaud you."
He goes on to talk about the importance of proactivity and having a plan, but, in my experience, a plan survives only until the first person who has the authority to quash the plan has their own pet fire that needs to be put out.
What is far more important than a plan for getting things done is a definition of what constitutes an emergency in your world. My thinking on this has been shaped a great deal by some of the ideas in the 4-Hour Work Week (which everyone on the planet should read... it's that good).
We have a tendency to escalate to urgent a huge number of things that simply don't need escalation. The questions you need to ask before jumping off into fire-fighting mode:
- Who will be seriously injured if I don't do this right now?
- How much will it cost (in real $$$) if I don't do this right now?
- What opportunities would I be giving up to do this right now?
Obviously, if it's a matter of injury to self or others, it really is a fire. In this case, injury doesn't have to be physical - if you have a compromise in progress, there's a pretty serious injury going on (as well as a loss of real $$$), and it's worth moving on right away.
Unfortunately, most often the "injury" in a given situation is the minor annoyance of someone deemed to be "important". In that case, it's appropriate to ask the person the prioritization question...
"I'm currently working on X, which will save/make us X number of $$. Would you like me to delay that task in order to help you right now?"
Realize, the answer may often be yes. But at that point, the decision about importance (i.e. priority) has been made. For those who have read Covey's The Seven Habits, this is enough to move from Quadrant 3 to Quadrant 1 - from just urgent to "urgent and important".
Which is how you determine what's a real fire anyways. (The 3 questions above are a guide to end up in Q1).