Getting Things Done for Geeks

I wrote this post for our internal team and some of my colleagues suggested that it might be useful to others. It’s a bit of a departure from our normal appsec posts. Let us know if you find it useful!


New employees at Security Compass often feel overwhelmed by the sheer number of things they could be working on at any one time. We have an intentionally flat organizational structure, which comes with some downsides. It means nobody is managing your work queue and telling you what you should work on at any time. It’s up to you to manage your own schedule. This article describes a system used by many people at Security Compass to effectively manage time, reduce stress and get things done. It’s a modified & abridged version of a system documented by David Allen: see his book here. You should really read the book. However, you’re probably here because you don’t have time to read a book.

What Is Getting Things Done (GTD) and Why Practice It

GTD is a system of time management that uses context-specific lists to manage your tasks. It was originally made for busy executives and based on the premise that you have too many things to do at one time to keep in your head. Think about it: what are all the things you need and/or want to do? Not just at work, but for anyone/anywhere. If you’re like most people, it will take you hours to just list out everything you need to do. File TPS reports, do your time entries, work on a research project about Node.JS security, register to vote, pay for your parking ticket, write a blog post, sign up for the gym, book a vacation to South Africa, beat your colleague at Foosball, etc. It’s probably the things you aren’t doing that are causing you the most stress. Moreover, that stress makes you less effective at what you’re doing right now because you’re constantly worried about all those other tasks.

Many of us think, “I just need to try harder to remember all the things I need to do” and we rely on our memory to store and process all of these tasks. The problem, as you probably know, is that most people lack the capability to remember more than a few things at a time. We forget things, which in turn causes us to be even more stressed.

We often rely on email to externalize our memory. Our inbox becomes a database of things to do, often with red flags and deadlines to help us prioritize. The problem is that the inbox gets crowded quickly, and soon those red flags and deadlines stop meaning anything. Moreover, every time we fail to meet a deadline we lose faith in this email prioritization system and it stops being an effective time management technique.

This article will describe *some* of the salient points of GTD and how to practically implement them, as interpreted and modified by yours truly. You will likely modify/tweak these techniques to suit your tastes & style. No matter how you implement it, effectively using GTD will reduce your stress and make you more effective in your work. It will give you a system you can rely on, provided you make an effort to actually practice it.

Step 1: Write Everything Down

Write every single thing you need and want to do down on a single list. I mean everything. Do you have a burning desire to learn crochet in the back of your head? Write it down. From this moment on, everything you ever need to do — apart from routine, everyday tasks that you don’t need reminders for — will be written down.

If you are a geek like me, you’ll want to write this down in some electronic format. I really like using Google Tasks, which is part of Gmail. You can also use Outlook Tasks, or any other task management software such as Remember The Milk. It’s a good idea to select something you can access from your phone so that it’s always at your fingertips.

Getting tasks in Gmail:


List of tasks in Gmail:


Step 2: Sort It All

Look at all the things you wrote down and sort them into the following categories. Note, if you are using Google Tasks then you can do this by creating a new list for each category:


Next Action

This is something that you need to work on, and will take less than an hour to complete. You’re not waiting on anyone else to do this thing and it’s not a Project (see below). Example: “File TPS report”. A very critical point to keep in mind is that there is no concept of “priority” here — everything in next action is important and must be done.

Waiting For

This is something that you are waiting for / blocked on somebody else to do before you can work on it. You want to have these stored somewhere so that you can occasionally follow up. Example: “Select dates for vacation” if you are waiting for your friends to tell you when they are free to go on vacation.


Project

A GTD project is different from your normal idea of a project. A project, in this context, is any “big” task that might take many hours, days or weeks to complete. Example: “Work on a research project for Node.JS security”. This should basically be anything that’s too big to put in the “Next Action” list.

Specific Date

This is something you don’t have to start until a specific date. Example, “Register to vote” 2 months before the next federal election. You should be able to use some sort of reminder mechanism in your software to remind you on that date. In Google Tasks you can do this by clicking on the task and hitting “shift + enter” and setting a Date. Once you hit that date, you should convert that task to Next Action. Remember, the specific date is a start date and not a due date.

Some Day / Maybe

Things that you would like to do if you had spare time. It may be hard to believe right now, but at some point in your life you will have spare time and may actually make progress on these things. Example: “Learn crochet”.

Some people elect to create additional lists for different contexts. For example, “Next Action — Work” which is different than “Next Action — Home”. Some people use a category called “To Read” which you can focus on when you have long periods without internet connectivity, such as on a plane.

Do not put deadlines on anything. You can generally be aware of deadlines, but recognize that your list of Next Actions will shift constantly and any sort of deadline you add will soon become a suggestion rather than an actual date you abide by.

Step 3: Inbox Zero

Now go and do the same thing with your inbox. Create sub-folders in your inbox for the above categories and FILE EVERYTHING. Delete the email you don’t need. Create another sub-folder called “Reference” and file there anything that you don’t need to specifically act on but want to keep for reference. You may already have a system for keeping emails archived, in which case you can just use that pre-existing system.

From now on your inbox is only for reading and processing new messages. If you have to do something for it, and it takes less than 5 minutes, then just do it. Otherwise, add it to Next Action or Projects respectively. Clean out your inbox regularly and do your best to keep it to 0 messages.

By this point you *should* start to feel some sort of euphoria. Everything you need to do is categorized and externalized. You no longer have to over-burden your brain. If you can keep up with this system you should feel a permanent reduction in stress.

Step 4: Project Plan

On a periodic basis, you need to revisit your list of projects. For each project, take some time to distill the project into a set of finite tasks. Then add the next task into your next action list. This will allow you to make incremental progress on a project.

For example, you might break up “Work on a research project for Node.JS security” into the following steps:

• Review introduction materials on what Node.JS is

• Setup an environment to start developing with Node.JS

• Build a “hello world” app with Node.JS

• Google search on existing material for Node.JS

• Review OWASP Developers guide against Node.JS feature set

• Review Node.JS features for prospective security issues

• Research and try to exploit issues found in previous item

• Write up draft of research

Each step is a concrete step that you can do alongside other work without requiring 2 uninterrupted weeks of heads-down time to focus.

Step 5: Maintain

Here’s the hard part. You need to do your utmost to keep this system going. Every new email or task you get needs to enter the system, every time. When you work on a task, you are in a zen state of mind — you are not thinking about other tasks because you have a trusted system that captures every single thing you need to work on.

You *must* frequently check your next action list to see what things you need to work on, but only between working on tasks or when you choose to take a break. Every time you complete a next action, you can file it / delete it / mark it as complete — whatever you have to do to get it out of the list.

You will periodically review your “waiting for” list to see if you can follow-up with people. You will periodically check your project list and add specific steps to your next action list.

If you can do all of this consistently, I guarantee reduced stress levels and better productivity.

Now go get things done!

Appendix A: I Have Too Much To Do!

If you go through this process and you wind up with an unwieldy list of next actions, then the system will break down. A next action list only works if you can actually make progress on it.

If you have so many things to do that you aren’t ever making progress on your list of next actions, then I hate to break it to you but you’ve committed to too much. Think hard about that list of actions. For each task, ask if you can put it into one of the following buckets:

• Decline: Can you get away with saying no to whomever expects you to finish this task, or asking them to find somebody else to do it?

• Delay: It’s hard to admit, but you just don’t have enough time to do even useful things. If possible, move the task to “Specific Date” and give it a date in the future when you will revisit, hopefully when your plate is a little clearer.

• Demote: Are there certain next actions that really aren’t that important at all? Move these to “Some Day / Maybe”.

• Delegate: Can you yourself find somebody else to work on this task?

Always remember to prioritize productivity gain tasks/projects. For example, reading the book “Getting Things Done” may seem like an enormous investment of time but it may just yield better productivity for the rest of your life. This is also true for other projects, such as finding a tool to help you do manual work (e.g. an app that scans business cards rather than entering them in yourself).
