There is so much to do, what do I do first?

12 Mar There is so much to do, what do I do first?

It has been my experience over the past 6 years or so, that the environment in a product-first, fast-growing scale-up is continuously changing and is regularly intense. Products are still being created; there are always new markets to break into that come with new regulations to comply with; there’s organisational restructures; new processes to be built; acquisitions to complete; commercial needs to support.

Being a leader in this kind of environment, driving an effective security strategy, building new security teams, embedding new governance processes can be overwhelming at best. On the worse days, it may feel like you’re drowning in conflicting priorities, old and new emerging threats, new projects to support.

Having a 100-day plan, having priorities, having a strategy in place that reflects business needs and aligns with business goals – this all helps. These are my North Stars, the golden light to walk towards in a tunnel full of requirements. They’re key to having an impact.

However, they alone are definitely not enough to get me through the daily struggle of gaining focus, doing the right work, staying on track – without burning out.

Over the past 6-years of working in intense environments, these are some tools I’ve picked up that help me focus and achieve my functional goals, while supporting business needs:

• I choose my priorities and plan for them – At the start of every month, I choose 3 priorities for myself that are aligned with my teams’ goals and my company’s goals. I write them down. I reference them when I’m planning my week, so that I can ensure I do the right work. They also serve to remind me what will not be done if I let myself get pulled into the “busy, low-impact” work. They serve as my guiding stars on what to focus my time and attention.
• I use a task manager – I LOVE Notion for this. I have my own board, where I regularly add tasks I know need to be done for me to meet my monthly priorities and yearly OKRs. I also use it to add ad-hoc tasks that come my way throughout the week. I mark these tasks as urgent vs important and I also add the task type [is it team-related; strategic; admin work?], to be able to filter and reflect on the type of work I’m doing throughout the months. I give tasks deadlines and at the start of the week, I choose/add the tasks I will be working on to that week’s view.  This allows me to manage my time and to view my tasks holistically, so that I do not underestimate the work needed to be done.
• I do not underestimate tasks – When planning my week I take into account the unplanned work, the incidents, the meetings, my team members’ 1-1s. Then with the time I have left, I plan my work, aligned with my monthly priorities. I consider that high-impact work needs thinking time and that it will probably come with follow-up that might be time-sensitive. I give my tasks, which are usually wide-impact, the time they require.
• Urgent, Important or Neither – In security, where most of what we talk about is risk, it is easy to treat everything as urgent. This can make for chaotic ways of working. When unplanned work or “fires” come my way, I pause, I ask myself or my team “is this urgent or important – if it is important we need to plan it and make time for it”. Treating important but unplanned items of work as side-projects, trying to fit them into the spaces between meetings, can feel overwhelming and makes the work seem harder than it is. I make sure I have the time and brain space to deal with important items. I reprioritise, replan and and give myself focus to work on important work. 
• I utilise a risk register – At the start of every year, I ensure my executive team are aware of what risks my teams will be focusing on in the coming year. I also communicate what risks we are currently accepting. Risk is however ever-changing. Especially in a fast moving organisation. When new risks come my way, risks we did not plan to mitigate, risks we do not have enough resources to tackle, I utilise the risk register. I add them to it. Not as a paper-pushing exercise. Utilising a risk register allows me to appreciate the new risk within our existing risk landscape, and allows me to communicate it as such. This enables informed and holistic decision making on how the company wants to react to that risk – do we want to re-prioritise and mitigate; do we want to accept for now?.
• I celebrate regularly – Working in security is hard. It can sometimes feel thankless; like pulling teeth; lonely. And so, in an environment that’s constantly looking forward, onto the next steps, I make sure to prioritise reflection.  I consider all the things my team and myself have achieved, I write them down, and I communicate them regularly – to my team; to the senior leadership team; to the wider company. This pause gives us the energy to move forward, but it also raises awareness on the positive impact of effective security in an organisation.

I also wanted to recommend a book I found super helpful [this is not an affiliate link] in the starting days of my first leadership position some years ago. I’ve read it a couple of times, and I always take something different away from it.

I hope you found this article helpful. Leave comments on other topics you want to know more about.

– Diane

This article is not, in any way, affiliated with my employer. These are my own opinions, based on my own experiences.