There is always more to do. There are always competing priorities. There is always a sense of never enough time. Time management is in many ways about how to more effectively identify the right things and say yes or no to them.
Time management and opportunity cost go hand in hand. Whenever you choose to do something, you choose not to do something else. Time management is also about managing your day, week, or any particular unit of time. This matters to the extent that the time spent throughout each day matters, that it makes a difference.
Effective time management is made up of several more specific skills (or disciplines) such as:
- Inventorying your time (time audit)
- Saying "no"
- Focusing over multi-tasking
- Scheduling and schedule management
There are so many competing priorities in cybersecurity. This is true at all career levels. The particular tasks and demands simply change to something else coming from someone else. Knowing how to effectively manage your time is an absolutely critical skill so that:
- You don't get burnt out trying to do 16 hours of work in an 8-hour day
- The time you spend is effective
- What you spend your time on aligns with your priorities
Effective time management is one of the cornerstone soft skills that can help an individual or a team to achieve their goals. Waste less. Do more.
Time management is key to achieving success and reaching your goals, personally and professionally. Whether you're a CISO, a student, in sales, or a compliance auditor, effective time management can help you make the most of your time and actually achieve what you set out to. Setting priorities, making plans, staying organized, and reducing distractions are all part of the formula.
As a CISO
Any C-level executive has a lot of things pulling at their time. CISOs may find themselves getting pulled into sales meetings, getting bombarded by email, supporting incident response efforts, developing a strategic plan, and talking to other executives about risk. That’s just a Monday.
The specific demands will depend on the kind of organization you’re in, the size of the organization, and what’s happening in any given season. Time management for the CISO breaks down into two main buckets:
- Organizing your own time
- Supporting your team in how they manage their time
Organizing your own time starts by being very clear on what matters. What are the most important things in your role and to you personally? Having the answer to that as a filter in front of every request for your time can help with saying no to the things that don’t matter or de-prioritizing them. Time or day blocking is also very helpful: having blocks of time or entire days dedicated to something, whether that’s no meetings and deep work, team engagement, or planning sessions. Minimizing context switching can help you stay more engaged and feel less fatigued.
Supporting your team in the management of their time is partly informed by how much you ask of them in the form of work expectations. If you’re requesting 100 hours of work to happen in a 40-hour work week, people are going to feel stressed and anxious, and things will drop off. The CISO is also a major part of setting the culture. Creating the space for team members to say “no” to meetings, implement their own time blocks, and be empowered in their prioritization efforts can help people feel supported in more effective management of their time.
As a Pentester
There’s always more stuff to test, more things to cover, another exploit to get working. Penetration testers typically work in a sequence of time-boxed engagements, with the goal being to maximize coverage of the target and vulnerabilities found and, of course, to ensure the quality of the report is as good as it can be. Penetration testers therefore need to be cognizant of how much time they spend on any given thing. That means not allowing any one task to take up too much of your time: in an 80-hour (2-week) engagement, spending 30 hours working on one particular exploit may not be worthwhile.
Judgement is necessary: that exploit might be of such high value, and you might be confident enough that you can get it to work, that it’s worthwhile. Or it may be necessary to set it aside temporarily, work through other in-scope items to ensure a certain coverage, and then circle back with whatever remaining time you have.
Like other technical roles, penetration testers may also be in a position to automate portions of their job to drive efficiencies.