A few years ago I had to stop competing. The constant need to win – whatever that even meant – was making me unhappy. Even when things were going well, I found some reason to feel like a loser. So I got off the hamster wheel and put myself in positions where I wasn’t really competing against others. I am always trying to improve, but I stopped doing that in terms of others. Set a goal. Work toward it. Adjust as needed.

The only time I even sort of compete now is my annual golf trip. Except for four rounds that weekend, I don’t play golf. It’s not that I don’t enjoy the game, but it just takes too much time. So every year 9-11 buddies and I go to a nice resort town and play a tournament Ryder Cup style. There is a draft and this year we used Potato Head dolls to represent the players. Mine was a riot, as you can see in the picture below. The captains negotiate handicaps and set the line-ups, and we play. The winners make some beer money and the losers… well, there aren’t actually any losers – we are hanging with buddies on a ridiculous beachfront property and playing golf every day.

Since I’m not a good golfer, I am usually the high handicapper. But it’s not like that helps me much. At multiple points over four days, my game falls apart. I typically shoot between 120 and 130, usually losing the match. Except there are no losers, right? But this year was different. I missed last year’s trip so I hadn’t picked up my clubs in 2 years. I went to the new TopGolf near my house the day before the trip to hit some balls, and I was hitting solid and straight. But I entered the weekend with zero expectations about playing decent golf.

Without those expectations I was calm on the course. I just enjoyed being outside in a beautiful place. I had a few beers. OK, maybe more than a few. I kept my ego in the bag and swung nice and easy – even as some of the gorillas in my group hit 50-60 yards past me. I shot pretty well the first day (111) and with my handicap we smoked the other team. Huh. The next day I was playing a heads-up match. I shot a 101 and closed out my opponent on the 13th hole, which is apparently pretty good. Strange. My game didn’t fall apart. What’s going on here?

By this time I had a pretty sizable lead in the overall. The other guys on the trip started talking about how evidently I’m a golfer and wondering if I had secretly taken a crapload of lessons. Then I actually believed maybe I was a golfer, and I wanted to win. I started feeling bad when I hit a bad shot. Predictably my game fell apart and I shot 61 on the front.

Then I remembered that I don’t need to win, I just want to be credible. That is the key. It’s about not getting attached to the outcome and just having fun instead. So that’s what I did. Suffice it to say I shot 44 on the back and had a grand old time. I finished up Sunday with a 117 and took home the overall. That means I will be one of the captains next year – a place I never thought I’d be. I lost the final day match, but my team won the cup as well. So I won by not needing to win.

What was the difference? Without sounding corny, it’s all the mindfulness work I’m doing. I used body awareness and scanned my body for tension points before every swing to make sure I was relaxed. I visualized a good shot, not skulling the ball into the water hazard. I recognized that my increasing desire to win was causing tension, which resulted in bad shots. I had a short memory, so when I hit a bad shot I’d just let it go. Then I’d hit a good shot. Or not. I’d look up at the sky and be grateful that I was on the course. Then drink another beer.

At some point during the trip I made the connection. Golf is mostly a mental game, as is most of life. The work I’m doing to be more mindful translates directly – even to my golf trip. Controlling my own self-imposed expectations and decreasing the pressure I put on myself allowed me to compete without stressing out. Being able to maintain that for four days was a real victory. Winning the golf trophy is beside the point. At least for me…


Photo credit: Incite Potato Head uploaded by MSR

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour to watch it. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and... hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Security and Privacy on the Encrypted Network

Secure Agile Development

Trends in Data Centric Security

Newly Published Papers

Incite 4 U

  1. Inside man (or woman): The Standard ran a short article about a planned attack which will attempt to steal $1B from banks, based on intelligence gathered by penetrating chat rooms and other sources. Two facets of this warrant discussion. First, any heist at this level is likely to require an inside person. Like the RBS ATM heist two years ago, without someone or something on the inside (either a legitimate employee or a compromised device) to squelch risk management alarms, the attackers are likely to get caught. Which goes to show that in every major attack, at some point everyone is an insider. Second, I am not confident in the validity of their intelligence. If they had a smoking gun there would have been arrests. It’s not like they need a PR campaign to inform some banks they are being targeted. It feels more like a PR stunt. But we need to deal with inside men sooner or later. – MR
  2. Old school meet new school: To date there have been no public breaches of Big Data systems, but they are inevitable. Altiscale announced they will support SQL queries on their cloud Hadoop service, just a couple of weeks after Apache announced the availability of Drill, which also provides a SQL query gateway to Hadoop. What could possibly go wrong with that? Both are likely to see adoption – not everyone wants to run MapReduce queries, and not every programmer wants to learn the intricacies of a new query language during the development cycle. So bolting a SQL query parser onto Hadoop is a big win for people familiar with SQL. For security this means two things: attackers will begin to target Hadoop clusters with SQL injection attacks, and companies will begin to retrofit database activity monitoring and firewalls onto Hadoop to intercept those attacks. Both are well understood, but SQL injection is trivially easy for attackers, so it will be used as a probing attack just to see what works. Sooner rather than later it will… – AL
  3. What retailer isn’t pwned? The list of secure retailers is likely a lot shorter than the list of ones we know have been pwned. Kmart is the latest to hit the wires, but they won’t be the last. So we will see a surge in security spending in retail, and folks will buy a bunch of shelfware. Then attackers will lose interest and hit another industry. The retailers will go back to their old practices. And so it goes. Unless the entire world starts using Apple Pay for everything, and then the problem is solved. Yes, that’s a joke. But the sad truth isn’t really a laughing matter. In a business with small margins, retailers never invested in proper security, and now they are paying for it. Combine that with a lot of new technology going into stores and we have a recipe for disaster. Which is exactly what we are seeing. – MR
  4. Not news: We wondered if Apple would offer a sync capability to push Apple Pay credit card tokens to iPhones, to help banks cost-effectively push new credit card data out to consumers – that would be convenient, but likely an attack vector as well. Instead Apple will use a nagware approach to getting users to update credit card numbers for iTunes and Apple devices. This simply means that if the card is out of date, the Apple Pay token won’t work around the issue, so you won’t be able to buy stuff with an expired card. Same as it ever was. You will be reminded that you need to enter a new card to use the service. We would expect nothing less, but we are often surprised by a lack of common sense when it comes to payment cards. Apple will also omit personal customer information from sales receipts – instead printing just the last four credit card digits with the card type. – AL
  5. Keep your friends closer: Everyone is spying on everyone else. So it’s no surprise that the FBI used Sabu as a pawn to attack all sorts of countries, including allies like the UK and Australia. Of course to stay on the right side of an ethical line, the FBI used Jeremy Hammond to actually attack – under Sabu’s direction. And then arrested him. Not that those were the only attacks he was responsible for, but still… It comes back to Baretta’s line: “Don’t do the crime if you can’t do the time.” Though you can imagine the State Department received a number of fun calls from allies wondering what data they stole. I guess that’s all part of the diplomatic life… – MR