I have yet to meet a security professional who has all the time required to do everything he or she needs to do to protect his or her organization. Instead, whenever I network with security professionals, I ask them, “How’s it going?” and can usually predict the answer: “crazy busy,” “way too much going on,” “many unfilled holes,” and so on.
This problem is not limited to security. Most other business functions usually feel short on the resources they require to do what they need (or want) to do.
The question, then, is how to decide what activities truly deserve our time.
The answer to the question is, perform a risk assessment across your entire organization (or within individual business units if your organization is large). If you perform this competently and faithfully, you will end up with a list of risks. If you categorize those risks in terms of short-term impact, probability of occurrence, public visibility, cost of mitigation, and long-term impact, then you should be able to “slice and dice” your list to determine which risks truly demand your attention now, and which are lower priority.
The next task, then, is to present the findings of the risk assessment to senior management, so that they can make any adjustments to priorities and provide resources as they feel are needed.
Finally, explicitly or implicitly, you will need to document all untreated risks as “accepted” by senior management. Do it in writing, as formal (or informal) as the risk assessment itself.
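The three steps above (categorize each risk on several dimensions, slice the list into “now” versus “lower priority”, and record what senior management accepted in writing) can be carried out on a simple risk register. The following is an added example, not part of the original post; the scoring formula, the threshold, the field names and the sample risks are all my own assumptions, and the register entries are constructed for illustration.

```python
"""Minimal risk register: categorize, prioritize, and record accepted risks.

Added example; not from the original post. The scoring formula below is an
assumption (exposure weighted by the three impact dimensions, divided by
mitigation cost) chosen so that cheap fixes to likely, visible problems rank
first. Any organization would tune the weights to its own appetite.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float        # likelihood of occurrence in the planning period, 0.0..1.0
    short_term_impact: int    # 1 (negligible) .. 5 (severe)
    long_term_impact: int     # 1 .. 5
    public_visibility: int    # 1 (internal only) .. 5 (front-page news)
    mitigation_cost: int      # 1 (trivial) .. 5 (major project)


def priority_score(risk: Risk) -> float:
    """Assumed formula: probability-weighted impact per unit of mitigation cost."""
    exposure = risk.probability * (
        risk.short_term_impact + risk.long_term_impact + risk.public_visibility
    )
    return exposure / risk.mitigation_cost


def prioritize(risks: list, threshold: float) -> tuple:
    """Split the register into risks that demand attention now and lower-priority
    ones, each list sorted from highest to lowest score."""
    ranked = sorted(risks, key=priority_score, reverse=True)
    now = [r for r in ranked if priority_score(r) >= threshold]
    later = [r for r in ranked if priority_score(r) < threshold]
    return now, later


def slice_by(risks: list, dimension: str, minimum: int) -> list:
    """'Slice and dice' along one dimension, e.g. every risk with public_visibility >= 4."""
    return [r for r in risks if getattr(r, dimension) >= minimum]


def record_acceptance(untreated: list, approver: str, decided_on: str,
                      rationale: Optional[str] = None) -> list:
    """Produce the written record that senior management accepted each untreated risk.
    The date is passed in (not taken from the clock) so the record is reproducible."""
    return [
        {
            "risk": r.name,
            "score": round(priority_score(r), 2),
            "accepted_by": approver,
            "decided_on": decided_on,
            "rationale": rationale or "accepted; below current resourcing threshold",
        }
        for r in untreated
    ]


# Constructed sample register (illustrative values only).
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing VPN appliance", 0.7, 5, 4, 5, 2),
    Risk("Stale contractor accounts still enabled", 0.5, 3, 3, 2, 1),
    Risk("No offline backup of file shares", 0.3, 4, 5, 3, 4),
    Risk("Legacy printer firmware on isolated VLAN", 0.2, 1, 1, 1, 3),
]


if __name__ == "__main__":
    now, later = prioritize(SAMPLE_RISKS, threshold=1.0)
    print("Demand attention now:")
    for r in now:
        print(f"  {priority_score(r):5.2f}  {r.name}")
    print("Lower priority (present to management for acceptance):")
    for r in later:
        print(f"  {priority_score(r):5.2f}  {r.name}")
    for entry in record_acceptance(later, "CFO (constructed)", "2024-01-15"):
        print(entry)
```

Feeding the register to `prioritize` gives the “now” list to work from and the “later” list to present upward; whatever management declines to fund goes through `record_acceptance`, which is the written sign-off the post asks for.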
Having done all of these, you will have done your job: make senior management aware of business risks, and enable them to make informed decisions.
If you agree (more or less) with senior management’s resourcing decisions, then you are fortunate. If you vehemently disagree, it may be time for you to find some mentors in the organization who can help you to better communicate with senior management. Lacking this, you may need to consider moving on.