As a child, I felt that growing up in Illinois was in some ways the worst of both worlds. Summers always felt Florida-hot and muggy to me, and I never perceived any difference between the winters in the Midwest and those at my grandparent's homestead in northern Minnesota. Hot is hot and bitter cold is bitter cold. Additionally, Illinois doesn't have the beaches of Florida, nor the pristine lakes and forest trails of Minnesota. We had cornfields as far as the eye could see, punctuated only by livestock pens.
It was summer, and on this particular hot, muggy day, I was nearer the hog pens than the cornfields. My job was simple. As part of a team of male family members, I was given a section of a shed to clean out. This particular shed was an eyesore ready to be torn down, and we needed to move its contents to the new shed that had been recently constructed nearby. My area of responsibility was crammed with recycled tractor parts, tools, lumber and some rusty old bicycles. I approached this task with all the enthusiasm of a kid going in for a tooth extraction.
As my brother, father and uncle each confronted a different section of the shed, I looked over my chore to determine how I could most easily get it done. I began by putting the assorted junk in armload-sized piles. I stacked these piles on a workbench, then struggled to lift the first mammoth load.
As I came around the corner, pieces of my load began to drop, leaving a trail of tarnished parts between the old and new shed. I saw my father and uncle watching intently with big grins spread across their craggy features. Since it was not my father's nature to treat farm chores with levity, I almost dropped the whole pile right then and there.
"Do you see what I see?" my father asked my uncle.
"Sure do, Bob," replied my Uncle Sam. (Yes, I really had an Uncle Sam.) "It seems young John here doesn't want to spend any more time than he has to doing this job."
"He all but said it out loud. He's got the lazy man's load," said my father.
I finished toting what remained of the armload to the new shed and dumped it in a pile in my assigned space. Then I walked back out to where my elders stood and demanded to know why they felt I was being lazy. Surely they could see I had struggled with a burden that obviously taxed every bit of strength my skinny arms possessed.
"No one called you lazy, son," chided my father. "We just noticed you're trying to minimize the number of trips you make, even if that means coming back to pick up the pieces you drop along the way. When your uncle and I were boys, people called that carrying the lazy man's load."
That wasn't a satisfactory answer. I felt humiliated and wanted to know what was wrong with a desire to minimize the time required to perform a distasteful task.
"There's nothing wrong with it, boy," he replied. "Now with this job, your uncle and I are enjoying the nice weather and doing a small, easy job that will give us a sense of accomplishment. If we hadn't done this today, we'd be with your mother and the other ladies on a shopping trip to town. So this is really our way of avoiding a chore we found even more unpleasant."
I still wasn't satisfied. I felt I had been maligned. Just because the oldsters were having fun moving all this nasty old junk in sweltering heat didn't mean I was wrong for wanting to minimize the number of trips I made with the stuff. The term lazy in my family was an epithet. It was almost as bad as being called a coward.
"Son," my father said reassuringly, "sometimes being the lazy man on a job site is not a bad thing. When I was in the navy, we would always seek out the laziest guy in the unit to assign a new or unfamiliar job to. We knew he would ultimately work out the quickest and easiest way to complete it. The lazy man is the one looking to meet the minimum requirements with the least amount of effort. There are many, many times when that's exactly what you want."
I couldn't believe my ears. Here was my father now saying being lazy was a good thing. Now I wanted to know why the use of the term lazy had always had negative connotations when applied to me.
"I guess it's not that simple," he said. "Besides, turn around and take a look at your brother. See that cart he just found in the barn? He's loading it up and using it to take almost all of his stuff in just one load. I guess he's the real lazy man on this job."
I've had many opportunities to ruminate on my father's story of the lazy man's load. There have been many times in my career when I have been proud to be the one who's figured out a quicker or easier way to complete a difficult or distasteful job. On such occasions, however, I never saw it necessary to point out that it was the lazy man's load. I am sure my performance appraisal would not have been enhanced if I referred to myself as the laziest guy in the organization.
When I approach my personal and professional challenges now, I am often reminded of the value of a certain type of laziness. Doing the right thing may not always appear to be the easiest or even the most satisfying approach, but it most assuredly is the choice of those lazy souls among us. When you run a security program, your best bet is to consider the lazy man's load.
The lazy man's load is the desire to find the most efficient and least problematic approach to a difficult chore or complex problem. When you take the time to perform a detailed risk analysis of your security environment, you are looking for the most effective ways to deploy your limited resources. It may seem like more up-front investment than necessary, but it will cost you 10 times less effort and expense than the pay-as-you-go plan.
The risk assessment will become your roadmap to meeting your security challenges. It will form the centerpiece of your implementation and management plan. Obviously, you will need to maintain and adapt the plan as technology and threats change. However, the written plan will give you a process that you can justify and defend to your management, colleagues and direct reports.
As we all know, there are no absolutes in security. Every experienced security practitioner has experienced an attack, a successful breach or a loss of company assets. That underscores the need for another important tool for the security manager. After a structured risk assessment, the next most important tool is a reaction and recovery plan. Because we cannot hope to preclude all undesirable outcomes, we need to be prepared to deal with the ones that will ultimately occur.
The risk assessment and the reaction and recovery plan are the two key tools you'll need if you want to carry the lazy security man's load. They require commitment and effort to establish, but they will quickly become the keystones of your security program. They are just like the two wheels on the cart my brother discovered when he went looking for the best way to make a difficult job easier. They allowed him to carry the definitive lazy man's load. Consider finding your own cart, and proudly proclaim yourself the laziest security practitioner you know.
John McCumber is an IT security professional and the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, the new book from Auerbach Publications. He can be reached at [email protected].
