Time Hacking: The Scotty Principle
Oh, you didn't tell him how long it'd really take, did ya? - Montgomery Scott
To end this series about time management, we should discuss one last skill that I think security testers need to master: guessing. Some more professional sorts of folk might call it 'estimating', but tomato/tomAHto. Either way, the goal here is to make favorable educated guesses.
My second great teacher in time management is Montgomery Scott. In an episode called "Relics", Scotty is talking to Geordi LaForge about time management. He scolds the younger engineer for committing the cardinal sin of anyone who wants to be considered a great engineer or project manager: LaForge told his starship captain the truth about how long a task would really take.
Going back to my last post about the magic of Chris Angel, there was a second thing that the "Mindfreak" did well— he created a false dilemma for one purpose: magic. Now, I can't say that I am a magician, but I can assure you that Chris Angel's magic trick took very few chances. I suspect, as Chris essentially admitted, that by the time he got placed on the road he had already picked every lock. The real work of the trick was finished well before the trick appeared to be over. At that point it was just a question of how dramatic to make his escape appear. It would have been a really boring magic trick if he had shown you how long it really took. And if it really had come down to just seconds before the car hit the box he was in, he risked his life for no reason at all. We were all watching for the magic.
The Scotty Principle is defined as:
- Calculate the average time a specific task takes you.
- Add 25-50% to that, depending on circumstances.
- Report that time to your boss.
That might seem like lying, but I can assure you it is the smartest play you can make when guessing. The future is reliably unpredictable. Under optimal circumstances, you come in ahead of time and move on to the next task or perform more testing. When life has hit the fan, you might find that the extra time is what allows you to deliver the project at all.
I can't tell you how many times a client has failed to have source code ready, or an entire environment, or any access at all— and didn't understand the impact on a very static due date. While you can do a lot of prep work up front to mitigate those risks (and you should), you can also mitigate risk by keeping a time buffer. Time buffering gives you a chance to cope with the very predictable changes that come up while working. It gives both you and your clients some flexibility. Everyone wins.
Leveraging buffers is not only a sign of professionalism— it is life wisdom that makes you trustworthy. Consistently being late to deliver things is never seen positively, and sometimes being late just comes down to your ability to estimate. As an example, which of these would you prefer?
- I tell you it will take 30-40 minutes to get to your house and pick you up— and I show up in 25 minutes.
- I tell you it will take 20 minutes to get to your house and pick you up— but I show up in 40 minutes.
The distance to the house hasn't changed; it is 20 minutes away either way. And while I knew that when I gave you my estimate, what I can't control is traffic, or hitting every light, or forgetting something and having to go back inside. Providing estimates that take life into consideration is the most human thing you can do for others and for yourself.
Even if you don't have a boss or a client to give an estimate to, time buffering still works to your advantage. I once had a meeting downtown that I knew was important for a client. I left an hour early for a 15-20 minute drive, expecting to arrive at least 30 minutes before the meeting so I could grab a coffee and settle in well before I was due. It was mid-day, so there was no reason to think that this wasn't a healthy estimate. As I was driving to the meeting, a truck transporting watermelons flipped over and shut down both sides of the freeway, and I sat for nearly 40 minutes trying to reach an exit. I still arrived on time. The estimation buffer I gave myself made all the difference.
So lastly, what do you do with spare time? Whatever you want. It is yours. My personal preference was that any time remaining on a test was a low-risk chance for me to explore new ideas. Remember how you wanted to automate that scanner? Why not do it now and see how it plays out? Remember that cool crypto thing you saw before but didn't have time to really play with? Play with it now. This is a perfect time to go read up on the newest attacks against some tech you saw— maybe you will find a chance to test something totally new. Or grab a coffee and get started on that report.
If you can do time management well, you will end up looking like a miracle worker.