My wife and I were returning to our home after a New Year's Eve dinner. We had a very busy fall season and were pleased to be able to spend a long, quiet holiday weekend together. It was a rainy night, so we opted for a romantic dinner for two at our favorite local restaurant, sharing a bottle of wine and a great meal. We knew we'd be in bed and asleep long before the ball dropped and the revelers sang Auld Lang Syne.
My wife removed her coat and shoes in the foyer, and when she moved toward the kitchen she uttered a yell of shock. I ran in to check on her, immediately following her gaze to the large puddle of cold water she'd just stepped into in her stocking feet. We said simultaneously, “Where's this coming from?”
We turned on all the lights at the front of the house, illuminating a shiny stream of water entering from the framing above the front door. After checking the plumbing system, we decided the culprit was most likely some rotting wood on the Palladian window frame over the door. We ran to get towels to mop up the mess, then put down several more to absorb what else we would seep in during the night before retiring for the evening.
Morning broke on New Year's Day, and an outside inspection confirmed our suspicions. We got out the ladder and found nearly two feet of rotted wood window frame allowing water to seep behind the brick and into the house's framing. We got out plastic sheeting and duct tape—the waterproofing cure-all—aware that we wouldn't find a builder on a holiday, since finding one even in the best of times takes patience and persistence. I started calling around the next day.
It took me 15 telephone calls, three estimates, and nearly week of hassle to select someone who could perform the work in a relatively short time. The guy I chose was far from the leading candidate, but he was available and claimed he was capable of getting the problem solved quickly. We made an agreement.
Even after several weeks, the work continue, albeit at a snail's pace. For starters, I have found all local builders refuse to work when it rains. It doesn't appear to matter if the work needing completion is indoors or out. Apparently, if the weatherman calls for rain, they collectively turn off their bedside alarms and retire to dream up other plans for their day off.
Last week, Fred the Builder (not his real name) called me to explain that he had to leave the job at 4:00 pm because he was tired and it had been a long day. He had arrived with a small crew that day after lunch saying he was late because had to work on his hot tub at his house that morning. I took a mental note to try that excuse on my current employer some time. Fred also said they had predicted rain for the next day, but that he would come over to work on the inside woodwork if, in his words, “it wasn't raining too hard.” The following day was cloudy, but it did not rain a drop. I never saw him.
Two days later, Fred promised to be over at the house first thing in the morning to complete the inside job so he could receive his next payment from me. He said he would be there between 9:00 and 10:00 a.m. I made another mental note to see if my professional colleagues felt the hour between 9:00 and 10:00 constituted “first thing in the morning.”
He ultimately called me around 10:30 saying he was at the police station reporting a stolen generator, but that he would try to be there after lunch. He also mentioned that the carpenter he subcontracted to finish the woodwork was the one accused of the crime, and he may not be able to come, since he may be explaining things to the police.
When Fred finally did arrive, he asked if I wanted to sell a snow blower I had stored in the garage. I considered his request, suggested a price, and we again shook hands on the deal. He agreed to deduct that price from the monies I owed him for the next phase of the work.
When it came time to write that check, he asked for the full amount and did not deduct the $200 we agreed was the sales price of the snow blower. He explained we still had a deal on the snow blower, but he needed the money to pay off his subcontractors. When I asked when he wanted to purchase the snow blower, he replied that perhaps next week would work out, or maybe when the final payment was due. He wasn't really sure. He left and raced to the bank and cashed the check while the ink was still wet.
We still are not done with the project. Fred has scheduled his arrival and followed up with an excuse more frequently than he has been on time. Even when he is on the job, he has to run to the hardware store at least twice a day for everything from drill bits to paint. Instead of making a list and going once, he waits for the project to stumble to a halt, then jumps in his truck and disappears for two hours, ostensibly to get needed items from the store. His subcontractors use that time for smoke breaks, trips to fast food joints, and cell phone calls.
Some people would call Fred lazy, but I would disagree. I personally believe he is a very, very busy man. I cannot imagine the amount of effort it takes to come up with all the excuses and deal with all the conflicting priorities he creates for himself. His hectic schedule is mostly a self-inflicted wound.
As a security professional, I often listen to my colleagues complain about their busy schedules: meetings, reports, travel, personal life, and ultimately, security crises. When you have security responsibilities, crises are always a looming schedule killer. The issue is not if there will be a crisis, but when.
How you prepare yourself for these career-specific challenges can make the difference between a well-orchestrated response and unbridled panic. You already know about the importance of well-documented and tested disaster recovery plans, but that is not really the angle I want to explore. If you do not want to live la vida loca at work, you also need to plan for the more mundane, day-to-day crisis management challenges.
The most important element to make you work life easier is a carefully planned, written and promulgated comprehensive security strategy. This makes achieving and maintaining management support much less burdensome. Instead of being called on the carpet to justify your actions and reactions on a recurring basis, your strategy allows you to point out how your activities implement their previously approved plan. Problem solved.
Another key aspect of making your work life easier is making sure you are able to keep your protection commitments. As experts, we are aware all risks cannot be eliminated, so prioritizing your projects is not only a good idea, it is vital. Ensure you have the necessary leadership support and fiscal resources before tackling that large identification card program or that intrusion detection system install. If you have to make excuses for a delayed roll-out or faulty installation, few will remember the budget cuts, staff changes, or the departing vice president who approved the initial project. Spending extra time on the front end of the effort can often save you many hours of overtime and crisis management later on.
Some people seem to enjoy being in the center of their own personal maelstrom. They create problems and then fly off, expending innumerable hours trying to extinguish the brush fires that constantly seek to engulf them. However, the security business almost always provides enough excitement to keep even the most thrill-seeking among us sated. If you fail to plan, you can plan to have a wild ride.
John McCumber is a security and risk professional. He is the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology from Auerbach Publications. Mr. McCumber can be reached at [email protected].
