Do less and focus on securing what matters most.
“The Way of the Essentialist isn’t about getting more done in less time. It’s about getting only the right things done. It is not a time management strategy, or a productivity technique. It is a systematic discipline for discerning what is absolutely essential, then eliminating everything that is not, so we can make the highest possible contribution towards the things that really matter.”
So says Greg McKeown in his bestselling business management book Essentialism: The Disciplined Pursuit of Less. To achieve our goals, McKeown teaches, we need to be more selective about our choices, remove distractions, and focus on productivity instead of being busy for the sake of being busy.
McKeown’s management theories have been taught widely at companies like Google, LinkedIn, Twitter, Facebook, VMware, Adobe, and Apple.
The tenets of Essentialism can be applied to risk management and information security.
First, what is Essentialism?
Essentialism is, according to McKeown, “the power of less, but better.” He opens with a few questions:
- Have you ever found yourself stretched too thin?
- Do you simultaneously feel overworked and underutilized?
- Are you often busy but not productive?
- Do you feel like your time is constantly being hijacked by other people’s agendas?
He then examines the ways we allow ourselves to become distracted and hyper-reactive to requests from others. We are constantly pulled away for nonessential tasks, resulting in decreased output and unrealized goals. Essentialism, in contrast, entails deliberately choosing to do only the things that matter and maximizing the impact of these efforts.
Source: Greg McKeown (http://gregmckeown.com/)
Anyone who works in information security will identify with many, if not all, of the pain points of a “Nonessentialist.”
How often do you feel the need to be reactive instead of thoughtfully responsive to non-emergencies? Do you have trouble deciding how to start a security program because everything has become a priority? Do you find yourself picking a myriad of security products, tools, vendors, and training programs that don’t seem to fit together because you feel the need to get something (anything) done?
Many of the people I speak to who manage cyber security feel overwhelmed. They have the sense that they are simply going through the motions, but are unclear about their security and risk management objectives. Even worse, they are making reactive decisions instead of taking calculated actions, and are actually increasing the risk of security breaches through misallocation of resources.
Follow the Essentialist model: don’t try to secure everything at all times. You don’t have to drown in your Inbox eight hours a day, moving from one fire drill to the next and reacting to every vulnerability announcement alert, particularly to those that don’t apply to your environment. Instead, turn off the noise, identify what matters, and focus on a few critical issues. Until you strip down to managing only the essentials, you will continue to feel overwhelmed in your security life.
A Few Steps Towards Information Security Essentialism
I could write an entire book about Essentialism and how to apply it to information security. Starting out, however, that would be ironically counterproductive. There are a few aspects that I think people should get under control before adding too much to their plate.
Turn Down the Noise
The average person has five to six social media accounts, two email accounts, and three connected devices. According to a recent survey, people in the United States across all age groups check their phones 46 times per day. On top of that, people send and receive, on average, over 120 emails per day.
Why do we think this is “normal?” How is anything with any purpose getting accomplished if we are constantly unfocused? Once distracted, it takes 25 minutes to get back to your original task and the subsequent quality of work decreases. You cannot accomplish anything meaningful in your cyber security program if you are operating in a distracted, reactive state of mind.
Think about it from an organizational perspective. Hackers love distracted, frustrated, and impulsive users addicted to email and web applications. They are the intended prey for phishing and social engineering! If individuals were encouraged, trained, and rewarded to be more focused on fewer platforms and devices, sending fewer but more meaningful email messages, the attack surface for users could be substantially reduced.
Consider email management methods such as Inbox Zero, which can help reduce time wasted in your Inbox and allow you to focus on dealing with only the emails that truly warrant attention. This can also be used as a method of risk reduction in end user awareness training by encouraging people not to be mindlessly reactive to emails.
Make a Plan
As Earl Nightingale once said, “People with goals succeed because they know where they’re going.” To get where you need to be, you need a security roadmap or plan. Security plans, however, are not one size fits all. Your security strategy should focus on what matters most for your organization to reduce operational risk and protect revenue streams. Security for its own sake is not a good enough reason, and neither is using a vendor’s solution because it hosts the best party at Black Hat. Choosing that way is the mark of a Nonessentialist.
Here is a great exercise to uncover the macro security issues you should focus on for your organization. Develop a high-level risk assessment by creating a basic flow chart of how your organization operates and captures revenues (e.g., sales, production, delivery, receivables), map business functions that go into each step, list the critical IT systems and processes that support these functions, and identify weaknesses in these systems and processes that introduce the greatest risks. Essentially (pun intended), break down how your organization processes and monetizes information. Then prioritize the management of key elements in this ecosystem that could have the largest financial impact if affected by a security incident. Get a handle on what matters most instead of aimlessly playing whack-a-mole security.
After you get a sense of priority, pick a risk management framework such as the NIST Cybersecurity Framework or the CIS Critical Security Controls for Effective Cyber Defense. Both are designed to be used as starting points or benchmarks for information security programs, and both center on managing risk by selecting the key controls that let you prioritize your efforts to secure key business functions and systems.
Once you have a clearer understanding of why and what you want to protect and an approach, you can set meaningful goals to reduce risk facing the systems and processes that matter most for your organization.
Inventory Control and Access Control
You can’t protect what you aren’t aware of, and you shouldn’t protect what you don’t need. In most organizations, asset identification and management is a constant challenge. Coupled with excess user accounts and data sprawl, knowing who has access to what data on which systems becomes a seemingly impossible task and, if not done correctly, presents a significant risk. Unfortunately, there is no program or system that can do this perfectly or easily. Managing assets and users is a manual process spread across many departments.
Herein lies the application of Essentialism: keep only the IT assets and data you need to serve business-critical functions and make sure that they’re accessed by the minimal number of users with the fewest possible privileges. That’s it. It shouldn’t be more complicated than that. Many organizations could manage risk better if they focused efforts to properly size their environments and removed nonessential data, users, and systems.
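As an added example (not from the article), here is the inventory and access review just described, in Python: a constructed risk map ties each revenue step to the systems that support it, a constructed list of business-justified access says who needs what, and the functions flag assets that serve no revenue step and grants that are unjustified, over-privileged or dormant, ordered by the revenue the affected system carries. All user names, system names, dates and revenue figures are made up.

```python
from collections import namedtuple
from datetime import date

# Constructed sample data (not from the article): revenue step -> (annual revenue
# it carries, IT systems that support it), straight from the risk-map exercise.
REVENUE_STEPS = {"order-intake": (1_200_000, {"crm", "web-shop"}),
                 "fulfilment": (900_000, {"erp", "warehouse-db"}),
                 "receivables": (600_000, {"erp", "billing"})}
# Everything in the asset register, including leftovers nobody relies on.
ASSETS = {"crm", "web-shop", "erp", "warehouse-db", "billing", "old-wiki", "test-vm"}
# Business-justified access: (user, system) -> the highest role that job needs.
NEEDED = {("alice", "erp"): "admin", ("bob", "crm"): "read", ("carol", "billing"): "read"}
ROLE_RANK = {"read": 1, "admin": 2}
REVIEW_DATE = date(2024, 6, 1)  # constructed "today" for the dormancy check

Grant = namedtuple("Grant", "user system role last_used")
GRANTS = [  # constructed access list as pulled from the systems themselves
    Grant("alice", "erp", "admin", date(2024, 5, 30)),
    Grant("bob", "crm", "admin", date(2024, 5, 28)),  # job needs read, holds admin
    Grant("carol", "billing", "read", date(2023, 11, 2)),  # unused for months
    Grant("dave", "warehouse-db", "admin", date(2024, 5, 29)),  # nothing on file
    Grant("erin", "test-vm", "admin", date(2024, 5, 1)),  # asset serves no revenue step
]

def system_exposure() -> dict:
    """Annual revenue that depends on each system: the prioritisation signal."""
    exposure = {}
    for revenue, systems in REVENUE_STEPS.values():
        for s in systems:
            exposure[s] = exposure.get(s, 0) + revenue
    return exposure

def nonessential_assets() -> set:
    """Assets that support no revenue step: candidates for decommissioning."""
    return ASSETS - set(system_exposure())

def review_grants(today: date = REVIEW_DATE, stale_days: int = 90) -> list:
    """Return (user, system, finding) tuples, most revenue-exposed systems first."""
    exposure, findings = system_exposure(), []
    for g in GRANTS:
        needed = NEEDED.get((g.user, g.system))
        if g.system not in exposure:
            findings.append((g.user, g.system, "access to nonessential asset"))
        elif needed is None:
            findings.append((g.user, g.system, "no business justification"))
        elif ROLE_RANK[g.role] > ROLE_RANK[needed]:
            findings.append((g.user, g.system, f"excess privilege: {g.role} > {needed}"))
        elif (today - g.last_used).days > stale_days:
            findings.append((g.user, g.system, "dormant account"))
    return sorted(findings, key=lambda f: -exposure.get(f[1], 0))
```

Running `review_grants()` on the sample data lists bob's excess admin on the CRM first, because that system carries the most revenue, and erin's access to the unused test VM last.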
Information security is not about managing technology. It’s a systematic effort to reduce risk facing business-critical functions that involves people, technology, and processes. It can be a daunting task; I am not discounting that. But by applying some elements of Essentialism to information security, you’ll start to see meaningful results.
I challenge everyone to make a deliberate effort to reduce their distractions and commitments. Don’t live in your inbox. Clear some time on your calendar to identify the business-critical functions of your organization and get a handle on your environment. Take these steps before you do anything else in your security initiative. You’ll gain clarity and control of what matters most in your organization while reducing some of the unneeded stress. It’s essential.