The Boss is a saint. Besides putting up with me every day, she recently reconnected with a former student of hers. She taught him in 5th grade and now the kid is 23. He hasn’t had the opportunities that I (or the Boss) had, and she is working with him to help define what he wants to do with his life and the best way to get there. This started me thinking about my own perspectives on goals and achievement.

Wide left...I’m in the middle of a pretty significant transition relative to goal setting and my entire definition of success. I’ve spent most of my life going somewhere, as fast as I can. I’ve always been a compulsive goal setter and list maker. Annually I revisit my life goals, which I set in my 20s. They’ve changed a bit, but not substantially, over the years. Then I’ve tried to structure my activities to move towards those goals on a daily and monthly basis. I fell into the trap that I suspect most of the high achievers out there stumble on: I was so focused on the goal, I didn’t enjoy the achievement.

For me, achievement wasn’t something to celebrate. It was something to check off a list. I rarely (if ever) thought about what I had done and patted myself on the back. I just moved to the next thing on the list. Sure, I’ve been reasonably productive throughout my career, but in the grand scheme of things does it even matter if I don’t enjoy it?

So I’m trying a new approach. I’m trying to not be so goal oriented. Not long-term goals, anyway. I’d love to get to the point where I don’t need goals. Is that practical? Maybe. I don’t mean tasks or deliverables. I still have clients and I have business partners, who need me to do stuff. My family needs me to provide, so I can’t become a total vagabond and do whatever I feel like every day. Not entirely anyway.

I want to be a lot less worried about the destination. I aim to stop fixating on the end goal and then eventually to not aim at all. Kind of like sailing, where the wind takes you where it will and you just go with it. I want to enjoy what I am doing and stop worrying about what I’m not doing. I’ll toss my Gantt chart for making a zillion dollars and embrace the fact that I’m very fortunate to really enjoy what I do every day and who I work with. Like the Zen Habit’s post says, I don’t want to be limited to what my peer group considers success.

But it won’t be an easy journey. I know that. I’ll have to rewire my brain. The journey started with a simple action. I put “have no goals” on the top of my list of goals. Yeah, I have a lot of work to do.

– Mike.

Photo credits: “No goal for you!” originally uploaded by timheuer

Recent Securosis Posts

  1. Security Commoditization Series:
  2. iOS Security: Challenges and Opportunities
  3. When Writing on iOS Security, Stop Asking AV Vendors Whether Apple Should Open the Platform to AV
  4. Friday Summary: August 6, 2010
  5. Tokenization Series:
  6. NSO Quant: Manage Firewall Process:

Incite 4 U

  1. Yo Momma Is Good, Fast, and Cheap… – I used to love Yo Momma jokes. Unless they were being sent in the direction of my own dear mother – then we’d be rolling. But Jeremiah makes a great point about having to compromise on something relative to website vulnerability assessments. You need to choose two of: good, fast, or cheap. This doesn’t only apply to website assessments – it goes for pretty much everything. You always need to balance speed vs. cost vs. quality. Unfortunately as overhead, we security folks are usually forced to pick cheap. That means we either compromise on quality or speed. What to do? Manage expectations, as per usual. And be ready to react faster and better because you’ll miss something. – MR
  2. With Great Power Comes Great… Potential Profit? – I don’t consider myself a conspiracy nut or a privacy freak. I tend to err on the skeptical side, and I’ve come around to thinking there really was a magic bullet, we really did land on the moon, most government agents are simple folks trying to make a living in public service, and although the CIA doped up and infected a bunch of people for MK Ultra, we still don’t need to wear the tinfoil hats. But as a historian and wannabe futurist I can’t ignore the risks when someone – anyone – collects too much information or power. The Wall Street Journal has an interesting article on some of the internal privacy debates over at Google. You know, the company that has more information on people than any government or corporation ever has before? It seems Sergey and Larry may respect privacy more than I tend to give them credit for, but in the long term is it even possible for them to have all that data and still protect our privacy? I guess their current CEO doesn’t think so. Needless to say I don’t use many Google services. – RM
  3. KISS the Botnet – Very interesting research from Damballa coming out of Black Hat about how folks are monetizing botnets and how they get started. It’s all about Keeping It Small, Stupid (KISS) – because they need to stay undetected and size draws attention. There’s a large target on every large botnet – as well as lots of little ones, on all the infected computers. Other interesting tidbits include some of the DNS tactics used to mask activity and how an identity can be worth $20, even without looting a financial account. To be clear, this fraud stuff is a real business, and that means we will be seeing more of it for the foreseeable future. Does this mean Gunter Ollmann will be spitting blood and breathing fire at the next Defcon? – MR
  4. Fashion Trends – The Emerging Security Assumption by Larry Walsh hit on a feeling we have had for some time that Cisco does not view security as a business growth driver any longer. Security has evolved into a seamless value embedded within the product, according to Fred Kost, so the focus is on emerging technologies. Ok, that’s cool, and a little surprising. But heck, I was taken by surprise several years ago when Cisco came out and called themselves a security company. Security was not mentioned in the same sentence as Cisco unless the word ‘hacked IOS’ was somewhere in there as well. In all fairness they have embedded a lot more security technology into the product line over the last six years, and I have no doubt whatsoever that that security is still taken very seriously. But talking about security going from a point solution to an embedded and inherent feature is a philosophical proposition, like saying access controls safeguard data. Technically it’s true, but every system that gets hacked has access controls which do little to stop threats. And I think Larry makes that point very well. What Cisco is telling us – in the most PR friendly way possible – is that security is no longer in fashion. With a head flip and a little flounce, they are strutting the latest trends in virtual data centers and unified communications. Of course if you read Router World Daily, you know this already. – AL
  5. Holy Crap, Batman! It’s Patch-a-Palooza… – Microsoft has been very busy, issuing 14 bulletins this month to address 34 vulnerabilities. Apple’s fix of is imminent, and it seems Adobe is fixing something every other week. Lots of patches and that means lots of operational heartburn for security folks. Keith Ferrell says this is a good opportunity to revisit your patch policies, and he’s exactly right. The good news is your friends at Securosis have already done all the work to draw you a treasure map to patching nirvana. Our Project Quant for Patch Management lays out pretty much all you need to know about building a patching process and optimizing its cost. – MR
  6. Channeling Eric Cartman – I just finished reading Google’s joint policy proposal for an open Internet, or what has been referred to as their 7 principles for network neutrality. When I first read through the 7 points I could not figure out what all the bluster was about. It was just a lot of vague ideals and discussion of many core values about what makes the Internet great. In fact, point 2 seems to be very clearly in favor of not allowing prioritization of content. I figured I must not be paying very close attention, so I read it a second time carefully. I now understand that the entire ‘proposal’ is carefully crafted double-speak; the ‘gotchas’ were embedded between the lines of the remaining principles. For example touting the value of net neutrality and then discussing a “principled compromise.” Advocating a non-discrimination policy – no paid prioritization – but then proposing differentiated services which would be exempt from non-discrimination. Discussing an “Open Internet”, but redefining the Internet into 4 separate sections: wired Internet, unregulated wired, wireless Internet, and unregulated wireless. This lets Google & Verizon say they’re supporting neutrality, but keep any rules from restricting their actions in the mobile market, and anything new they can call “additional, differentiated online services”. But don’t worry, they’ll tell you first, so that makes it okay. I particularly like how Google feels it’s imperative for America to encourage investment in broadband, but Google and Verizon are going to be investing in their own network and your rules don’t apply to them. All I can hear in the back of my mind is Eric Cartman saying “You can go over nyahh, but I’m going over nyah!” – AL
  7. The Latest Security Commodity: Logging – In a timely corroboration of our posts on security commoditization (FireStarter, perimeter, & data center), I found this review of log management solutions in InfoWorld. Yup, all of the solutions were pretty much okay. Now watch our hypotheses in action. Will prices on enterprise products go down substantially? I doubt it. But you’ll get lots of additional capabilities such as SIEM, File Integrity Monitoring, Database Activity Monitoring, etc. bundled in for the buyers who need them. This is also a market ripe for the Barracuda treatment. Yep, low-cost logging toasters targeted at mid-market compliance. Sell them for $10K and watch it roll in. But no one is there yet. They will be. – MR
  8. Ghosts in the SAP – I missed it, but a researcher presented some new material on attacking SAP deployments in the enterprise. Somewhere I have a presentation deck lying around with an analysis of large enterprise app security, and in general these things need a fair bit of work. In SAP, for example, nearly all the security controls are around user roles and rights. Those are important, but only a small part of the problem. Considering these things can take five years to deploy, and contain all your most sensitive information, perhaps it’s time to run a little vulnerability analysis and see if you need more than SSL and a firewall. – RM
  9. My Pig Is Faster Than Your Pig… – As a reformed marketing guy, I always find it funny when companies try to differentiate on speeds and feeds. There are so few environments where performance is the deciding factor. I find it even funnier when a company tries to respond to take a performance objection off the table. I mentioned the friction between Snort and Suricata, talking about pig roasts, mostly about performance, and then FIRE goes and announces a partnership with Intel to accelerate Snort performance. This announcement just seems very reactive to me, and what they’ve done is legitimized the position of the OISF. Even if Snort is a performance pig, the last thing they should do is publicly acknowledge that. Just wait until Suricata goes back into the hole it came from and then announce the Intel stuff as part of a bigger release. So says the thrice fired marketing guy… – MR