Some folks just naturally push outside their comfort zones as a matter of course. I am one of them. Others only do things that are comfortable, which is fine if it works for them. I believe that while you are basically born with a certain risk tolerance, you can be taught to get comfortable with pushing past your comfort zone.

For example, kids who are generally shy will remain more comfortable holding up the wall at a social event, but can learn to approach people and get into the mix. It’s tough at first but you figure it out. There is always resistance the first few times you push a child beyond what they are comfortable with, and force them to try something they don’t think they can do. But I believe it needs to happen. It comes back to my general philosophy that limitations exist only in our minds, and you can move past those limitations once you learn to face your fear.

The twins’ elementary school does a drama production every year. XX1 was involved when she was that age, and XX2 was one of the featured performers last year. We knew that she’d be right there auditioning for the big role, and she’d likely get one of them (as she did). But with the Boy we weren’t sure. He did the hip hop performance class at camp so he’ll perform, but that’s a bit different than standing up and performing in front of your friends and classmates. Though last year he did comment on how many of his friends were in the show, and he liked that.

We were pleased when he said he wanted to try out. The Boss helped him put together both a monologue and a song to sing for the audition. He knew all the words, but when it came time to practice he froze up. He didn’t want to do it. He wanted to quit. That was no bueno in my book. He needed to try. If he didn’t get a part, so be it. But he wasn’t going to back out because he was scared. He needed to push through that fear. It’s okay to not get the outcome you hope for, but not to quit.

So we pushed him. There were lots of tears. And we pushed some more. A bit of feet stomping at that point. So we pushed again. He finally agreed to practice for us and then to audition after we wore him out. Sure, that was a little heavy-handed, but I’m okay with it because we decided he needed to at least try.

The end result? Yes, he got a part. I’m not sure how much he likes the process of getting ready for the show. We’ll see once he gets up on stage and performs for everyone whether it’s something he will want to do again. But whether he does it again doesn’t matter. He can always say he tried, even when he didn’t want to. That he didn’t let fear stop him from doing something. And that’s the most important lesson of all.


Photo credit: “Faces of fear!” originally uploaded by John Seb Barber

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Security Best Practices for Amazon Web Services

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers

Incite 4 U

  1. Full discraposure: Google discovers a bug in a Microsoft product. Google has a strict 90-day policy to disclose, no matter what. Microsoft says, “Hey, we have a fix ready to go on Patch Tuesday, can we get a few extra days?” but Google releases anyway. I’m sorry, but who does that help? Space Rogue summed it up best; he has a long history in the disclosure debate. In his words, “The entire process has gotten out of hand. The number one goal here should be getting stuff fixed because getting stuff fixed helps protect the user, it helps defeat the bad guys and it helps make the world a better place.” Another great quote is: “And so the disclosure debate continues unabated for over a hundred years. With two of the giants in our industry acting like spoiled children we as security professionals must take the reigns from our supposed leaders and set a better example.” Marry me, Space Rogue. Marry me. – RM
  2. The impact of Sony in 2015? FUD! Okay, I am being a little facetious by saying the Sony breach will enable the security industrial complex to launch a new wave of Fear, Uncertainty, and Doubt at organizations in 2015. But it already has folks using tried and true tactics in an attempt to create urgency for whatever widget they are selling today. Ben Rothke is a little more constructive in his analysis for CSO. He makes some good points about the reality that improving security requires ongoing investment and that shiny security products/services are not a complete answer. The one I like best is “a good CISO is important; great security architects are critical.” Amen to that. We believe that as security increasingly gets embedded within the cloud and continuous deployment environments, the security architect will emerge as one of the most valued members of the team. So study up on your architecture, kids! – MR
  3. Making the effort: Gunnar has another really good post, challenging folks to think differently about security. It’s very popular to accept defeat because the odds are stacked against defenders. To mail it in because you will be pwned anyway. And that much is true. You can make progress, but only if you make the effort to improve. Always quick with good analogies, GP refers to how smog was reduced in Los Angeles by 98% over the past 50 years, which most thought was impossible 60 years ago. And how the Scandinavian countries don’t have airplane delays because of snow. They just don’t because they made the effort to figure out how to optimize their processes. I guess another way to put it is a quote I use frequently: “I’m not in the excuses business.” And neither is your senior management, so as Gunnar says: “There is a lot to do, can’t get started any sooner than right now. No such thing as bad winter weather, only opportunities to improve bad snow removal equipment, dysfunctional teams and processes.” Truth. – MR
  4. Free, as in crapware: I seem to have a ‘crap’ theme for my submissions this week. A couple of writers over at HowToGeek decided to go to CNET’s [no link, for obvious reasons and obviousness] to see what happens if they download and install the top 10 apps listed. Hilarity ensues. Spyware, ads, browser hijackers, and more… all from a site that claims its downloads are safe. I frequently see links to these sorts of sites when I search for an application. Sometimes search engines show these contaminated links before the software developer’s site. This is especially common when I look for anything more obscure or no longer maintained. I never download from those sites and I’m on a Mac, but this highlights the ridiculous dangers facing normal Windows users (including your employees). Needless to say, this is why I’m a fan of app stores for PCs, even the open ones (where stuff can still sneak through). I suspect Microsoft will need to move in that direction for the same reasons Apple did, and kill the economic model of bundling and installing backdoors. As long as I always still have the option to go outside the store, I am down with it. – RM
  5. You want a seat, Mr./Ms. CISO? Good luck. I wanted to dig into the archives a bit to mention research that confirms what many of you already know. CISOs are not considered players at the big table. ThreatTrack commissioned a study last summer and came away with some disturbing numbers. 74% of respondents said CISOs should not be part of the organization’s leadership team. 54% don’t think CISOs should be responsible for security purchasing. 28% say the CISO’s decisions negatively impacted financial health. Holy crap! It’s time for a reality check. This is clearly a failure to communicate with folks in senior management. And it needs to be fixed ASAP. It is not like we are going to see fewer attacks or breaches, so if these folks don’t understand what you do and why, that needs to be job #1. Or polishing up your resume will be job #2. – MR