In his book 7 habits of highly effective people, Steven Covey describes presents universal habits which can be applied to any person, organization, profession, corporation, or business. As part of habit 3, “put first things first”, he describes a way to classify activities in terms of importance and urgency . He has a basic four box matrix that looks like this:
|
Urgent |
Not urgent |
| Important |
I (crisis)
|
II (Prevention)
|
| Not important |
III |
IV |
His point is that too many people spend too much time in box I, which is the crisis box. Crises, in his words, “act on you, rather than you acting on it”. The solution he says is to spend more time in box II – things which are important but not urgent. To give a brief example, if you were suffering a heart attack and needed medical attention, that would constitute a box I event – it is both urgent and important. A box II event would be exercise and proper diet, which would ultimately reduce your likelihood of having the heart attack in the first place. By working more in box II, you ultimately shrink the amount of time you spend in box I. Security is, almost by definition, a box II item – it is important, but rarely urgent. However within our profession this matrix can still be applied, and I think that properly classifying and thinking about these activities can greatly help an infosec individual or group better prioritize it’s activities.
|
Urgent |
Not urgent |
| Important |
- Incident detection,
- Incident containment
- Incident eradication
- Deploying urgent patches because the newest worm is tearing you apart
|
- Security reviews
- Hardening systems
- Deploying secure technologies like DNSSec, VPNs, SPF, DKIM, etc.
- code review
- Implementing a good patch management policy
- User awareness training
|
| Not important |
- Regulatory compliance
- Complying with legal requests/issues
|
|
I’m clearly not saying that you should all start to simply ignore the crises that regularly crop up in your line of work, however I think that entities which focus on box II items will ultimately see far more benefit than those that ignore those things (as they’re not urgent), and will end up spending all their time in box I.
