I was on the phone last week with Jen Minella, preparing for a podcast on our Neuro-Hacking talk at this year’s RSA Conference, when she asked what my story is. We had never really discussed how we each came to start mindfulness practices. So we shared our stories, and then I realized that given everything else I share on the Incite, I should tell it here as well.

Simply put, I was angry and needed to change. Back in 2006 I decided I wanted to live past 50, so I starting taking better care of myself physically. But being more physically fit is only half the equation. I needed to find a way to deal with the stress in my life. I had 3 young children, was starting an independent research boutique, and my wife needed me to help around the house.

In hindsight I call that period my Atlas Phase. I took the weight of the world on my shoulders, and many days it was hard to bear. My responsibilities were crushing. So my anger frequently got the best of me. I went for an introductory session with a life coach midway through 2007. After a short discussion she asked a poignant question. She wondered if my kids were scared of me. That one question forced me to look in the mirror and realize who I really was. I had to acknowledge they were scared at times. That was the catalyst I needed. I wasn’t going to be a lunatic father. I need to change. The coach suggested meditation as a way to start becoming more aware of my feelings, and to even out the peaks and valleys of my emotions.

A few weeks later I went to visit my Dad. He had been fighting a pretty serious illness using unconventional tactics for a few years at that point. I mentioned meditation to him and he jumped out of his chair and disappeared for a few minutes. He came back with 8 Minute Meditation, and then described how meditation was a key part of his plan to get healthy. He told me to try it. It was only 8 minutes. And it was the beginning of a life-long journey.

These practices have had a profound impact on my life. 6 years later it’s pretty rare for me to get angry. I am human and do get annoyed and frustrated. But it doesn’t turn into true anger. Or I guess I don’t let it become anger. When I do get angry it’s very unsettling, but I’m very aware of it now and it doesn’t last long, which I know my wife and kids appreciate. I do too.

Everyone has a different story. Everyone has a different approach to dealing with things. There is no right or wrong. I’ll continue to describe my approach and detail the little victories and the small setbacks. Mostly because this is a weekly journal I use to leave myself breadcrumbs on my journey, so I remember where I have been and how far I have come. And maybe some of you appreciate it as well.

–Mike

Photo credit: “Scared Pandas” originally uploaded by Brian Bennett

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Reducing Attack Surface with Application Control

• Use Cases and Selection Criteria
• The Double Edged Sword

Security Management 2.5: You Buy a New SIEM Yet?

• Negotiation
• Selection Process
• The Decision Process
• Evaluating the Incumbent
• Revisiting Requirements
• Platform Evolution
• Changing Needs
• Introduction

Advanced Endpoint and Server Protection

• Assessment
• Introduction

Newly Published Papers

• Eliminating Surprises with Security Assurance and Testing
• What CISOs Need to Know about Cloud Computing
• Defending Against Application Denial of Service
• Security Awareness Training Evolution
• Firewall Management Essentials
• Continuous Security Monitoring
• API Gateways
• Threat Intelligence for Ecosystem Risk Management
• Dealing with Database Denial of Service
• Identity and Access Management for Cloud Services

Incite 4 U

1. SGO: Standard Government Obscurity: The Target hack was pretty bad, and it seems clear it may only be the tip of the iceberg. Late last week the government released a report with more details of the attack so companies could protect themselves. Er, sort of. The report by iSIGHT Partners was only released to select retailers. As usual, the government isn’t talking much, so iSIGHT went and released the report on their own. A CNN article states, “The U.S. Department of Homeland Security did not make the government’s report public and provided little on its contents. iSIGHT Partners provided CNNMoney a copy of its findings.” Typical. If I were a retailer I would keep reading Brian Krebs to learn what’s going on. The feds are focused on catching the bad guys – you are on your own to stop them until the cuffs go on. – RM
2. Unrealistic expectations are on YOU! Good post on the Tripwire blog about dealing with unrealistic security expectations. Especially because it seems very close to the approach I have advocated via the Pragmatic CSO for years. I like going after a quick win and making sure to prioritize activities. But my point with the title is that if senior management has unrealistic expectations, it’s because your communications strategies are not effective. You can blame them all you want for being unreasonable, but if they have been in the loop as you built the program, enlisted support, and started executing on initiatives, nothing should be a surprise to them. – MR
3. Other people’s stuff: The recent Threatpost article ‘Starbucks App Stores User Information, Passwords in Clear Text’ is a bit misleading, as they don’t mention that the leaky bit of code is actually in the included Crashylitics utility. The real lesson here is not about potential harm from passwords in log files, which is a real problem, with a low probability of exploitation. It’s that applications built on third party libraries and APIs inherit their level of security (duh!). It is a mistake to abdicate security, assuming the authors of every utility do security right. Make no mistake – we are in the age of APIs and open source leverage. It makes a lot of sense for developers to leverage whatever utilities they can to cut development time or reduce the quantity of code they need to produce. We see a compelling new use case for third party code validation services for apps, and application code security, because development teams are sprinting too fast to vet other people’s stuff. – AL
4. The PCI protection dance begins: It seems that with every high-profile breach the PCI Security Standards Council goes out of their way to point out how the compromised retailer was clearly not compliant or they couldn’t have been breached. It appears this time with Target will be no different. Dark Reading works through some speculation about what Target did or didn’t have, and how the attackers could have monetized the stolen info. But then you have a PCI forensicator talking about how Target couldn’t have been PA-DSS compliant because those kinds of attacks are specifically protected against in the standard. Uh huh. I’m sure the assessment went through the code line by line, and it seems the malware attacked the underlying POS operating system. But whatever. The machine will rise up to protect the machine. Just the way things go… – MR
5. SOS (Same old sh##): As the Target breach drags on and it becomes clear that more retailers have been hacked, the Payment Card Industry (PCI) Data Security Standard (DSS) revision 3.0 will undergo major scrutiny. Does the standard go far enough? Is it too prescriptive? Will the PCI Council embrace more detection and forensic requirements? Should merchants focus on additional physical and electronic security controls around PoS? These conversations are fundamentally unimportant, and a red herring for payment card data security. Either the card brands will mandate EMV or point-to-point encryption – both of which somewhat disintermediate merchants from the financial details of transactions – or we will get a few more years of the status quo. And the status quo isn’t working very well right now. Don’t look for changes to PCI-DSS to alter the story one bit – hackers, attackers, and fraudsters have too many ways to game the current US system. Without a fundamental shift in the way payment card security is handled, we will get to continue the breach parade of the last decade. – AL
6. Pwn me once, shame on me, pwn me twice… Earlier this month some Microsoft blog and Twitter accounts were hacked by the Syrian Electronic Army. Not good for a company that is now known for being darn good with security. Shockingly enough, it appears the attack can be traced back to standard old phishing. Okay, they fixed it and everyone knows these things happen. On the bad side, it happened again this week, with the Office blog. These aren’t Microsoft’s core services, but a string of attacks like this can directly degrade trust. While Microsoft surely (hopefully?) has better back-end controls for the serious stuff, it is hard to maintain a good public perception if you experience multiple, ongoing, public compromises. I feel for them – they have one of the largest attack surfaces in the world – but hopefully they will get all hands on deck before things get worse. – RM
7. (For vendors) is awareness the problem? When I first saw the title Our biggest problem is awareness on Seth Godin’s blog, I immediately thought of mindfulness. So you see where my head is at. But Seth’s point is that a lot of sales folks vilify marketing because they don’t think there is enough awareness of the company, products, etc. Which really means they want inbound calls from customers ready to write checks. Seth points out that the product and customer experience need to speak for themselves. And when that happens awareness isn’t a problem. He’s right. – MR