by Jason Leuenberger, SecureState

Many are familiar with David Allen's "Getting Things Done" methodology, used for time management to increase productivity and focus. Do you use it? Ask yourself, "What is the next physical action required to move this project forward?" Repeat this process until everything in the world is finished. It's just that simple.
What are minutiae? Minor details. More importantly, minutiae are minor details of negligible importance.
Negligible importance? Yes, negligible. Meaning, when you're studying something of larger magnitude, the items of negligible importance can be ignored or neglected. That's right, move on, you've got bigger fish to fry.
- We've got to look at better anti-virus software because our current one is not detecting malware X!
- We can't force our clients to change their passwords to our external portal! We'll have an uprising and get a ton of calls!
- Writing policy is a waste of time because employees won't follow the rules!
- Risk management has no place here because we don't even have time to patch all of our systems!
- Don't bring up PCI compliance around the CFO, he won't care.
We love to debate minutiae everywhere, in all facets of life. Information security is no different; it's a beloved exercise because it absolves us from actually having to do anything. And it makes us feel good! It makes us feel satisfied (mmm, tasty tasty minutiae)! But really all we've done is spun our wheels, and failed to persuade or change people's minds.
Debating minutiae is crippling for a security program. It stunts growth and maturity. When using minutiae to build a security program, it's paralyzing. An organization will lay band-aids on everything that's in front of them; they'll focus only on the trees instead of the forest. They'll only discuss what's comfortable, or what's within their wheelhouse.
Now, move away from your keyboard, settle down, and retract your claws, Mr. Devils-In-The-Details. A wise older man with a tablet recently told me, "One man's minutiae is another man's job description." I'm not saying you should ignore specificity to the point of ambiguity. You absolutely need details. But really, you need them only at specific times. More often than not, they confuse and delay. They take the focus off of root, systemic issues - that feels good to everyone involved, because then they can talk about the things that are in front of them all day, the things they're experts in (read: comfortable). Do you work for a large organization? How many meetings were you in today that lasted more than an hour? Did you spend the majority of the time in your meetings talking about things that didn't really matter at that point? Most meetings include more trivial details than minor, important details.
You want to get things done? Start big, skim the surface across all areas, bring up uncomfortable security topics, continually assess, and then do something with that information - build a plan, and establish success and failure criteria on what it is you're trying to get done so that you can clearly separate the minutiae from the bull's-eye. Once you've got the bull's-eye, create a timeline and go. Important details will flush themselves out. I promise. People who get things done realize this. Call us if you'd like to talk about it.
Jason Leuenberger leads the Risk Management practice at SecureState, which focuses on the full Risk Management lifecycle to comprehensively address assessment, evaluation, and remediation of risk. The team's primary purpose in life is to help clients all over the world Get Things Done (GTD), by avoiding the classic hang-up of debating security minutiae and instead driving towards a solid security program, with maturity metrics to show progress along the way.