Back when I managed people (and yes, it seems like a lifetime ago), I subscribed to the Gallup management concepts. Productivity is based on employee engagement, and employees are much more engaged when they are doing things they are good at. The book First, Break All the Rules was eye-opening – I have spent my entire career to date trying to make my weaknesses less weak, and not trying to improve my strengths.

So I took Gallup’s original StrengthsFinder test and discovered back in 2002 that my top 5 strengths were Strategic, Input, Achiever, Command, and Focus. So my attempts to start a technology company at that point made a lot of sense. Those are the skills you’d like an early stage CEO to be strong in. But looking back at my subsequent experiences as VP Marketing for a number of companies, it is not surprising I wasn’t happy or particularly successful, given the different skills required for that position.

The initial data gathering/learning phase of my VP Marketing jobs played to my ‘input’ strength. And building communications and product plans were great for my ‘strategic’ capabilities. But everything else about the job, including the day to day grind, the whac-a-mole of managing PR and lead generation programs, and the challenge of keeping high-strung sales folks happy, didn’t play to my strengths. Not at all.

As I mentioned last week, recently hitting the likely halfway point of my life got me thinking. I believe I am a different person than I was back in 2002. Life and the inevitable road rash you acquire do that to you. I wondered how much my strengths had changed. So I took the new version of StrengthsFinder – and lo and behold, 3 out of the 5 were different. Now my top 5 strengths are Strategic, Relator, Achiever, Activator, and Ideation.

Keeping strategic and achiever weren’t surprising – I have always been like that. Nor was being an activator, which is someone who starts projects and gets things moving. Likewise ideation goes hand in hand with my strategic bent and allows me to come up with a number of different ideas for how to solve problems. All these fit well with my chosen occupation as an independent analyst. Without a firm grasp of strategy and a bunch of creative ideas, my value is limited. My activator and achiever talents make sure things get done, especially powered by a lot of coffee.

But the relator talent surprised me. The description of this talent is: “People who are especially talented in the Relator theme enjoy close relationships with others. They find deep satisfaction in working hard with friends to achieve a goal.” Huh. Close relationships? Really? My internal perception of myself has always been as a standoffish introvert who doesn’t really care about people. In fact, I tell stories about how I shouldn’t be working with people, which is why having partners on the other side of the country is perfect.

But now that I think about it, I enjoy nothing more than rolling up my sleeves and getting to work with people I respect and like. One of the key criteria for anyone wanting to become a Securosis contributor is whether we like to drink beer with them. These folks aren’t just my colleagues – they are my friends. I can see why this makes sense (for me) now, and how it makes me better at what I do.

Best of all, I have a gig which allows me to play to my strengths. It’s not like I had an evil plan to find a career that highlights my talents. I stumbled into research when I was in my early 20’s. But 20+ years later, I can appreciate my good fortune.


Photo credit: “Lifting heavy weight, I am the power man.” originally uploaded by snow

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Security Awareness Training Evolution

Defending Against Application Denial of Service

Newly Published Papers

Incite 4 U

  1. The limo job: If you can’t get in through the front door, you might as well come in through the limo service. At least that’s the tactic taken by the APT to get into Kevin Mandia’s stuff. It turns out they probably used real intelligence officers to discover Kevin’s preferred limo company, broke in, then sent him a fake receipt with a malicious payload. That’s some ingenious hacking and requires some boots on the ground. Obviously a guy as well-trained as Kevin will smell something fishy when he gets a receipt for a trip he didn’t take. But you have to wonder what else are they looking at? He knew becoming the public face of exposing Chinese hacking activity would have repercussions, and now I guess we are seeing them. – MR
  2. Not all leaks sink the boat: A while ago we did some work with a client who was worried about an impending source code leak (no, you don’t know about it – it’s not that one in the news). They were trying to figure out the best way to handle it from both a PR and IR standpoint. These guys had their stuff together, and went through an intense process to protect both customers and their brand. (No, it wasn’t Symantec – they flubbed it). Adobe is living that nightmare right now, and boy did the Wall Street Journal miss the mark in their trolling for clicks. Losing source code doesn’t necessarily correlate to increased customer risk. To be honest, most of the code testers I know find more bugs with dynamic testing than source code analysis. Short of glaring holes or back doors, losing the code really isn’t a major security issue for customers. The quotes in the article express a view that is quite out of date, and the fear mongering and “ooh… the Feds use it!” is simply crappy link-bait reporting. Not that I have an opinion or anything. – RM
  3. It’s okay – just don’t get caught: Mike Mimoso has a great post on the potential economic and trust implications of NSA’s spying, assessing both real and assumed compromises to security technologies. But it is not just technologists worrying about this – our conversations with security companies that sell internationally reveal they are genuinely worried about the NSA backlash hurting sales. Keep in mind this was weeks before the recent Snowden remarks. Vendor-customer relationships are a tricky thing – you buy from those you trust. Regardless of whether security has been compromised or not, non-US security vendors are leveraging the emotional reactions and political angles to win deals. In Europe it is likely enough to swing deals in favor of the “home team”, despite the reality that all security firms face (or will face) the same pressures from their hometown intelligence agencies. – AL
  4. Don’t waste your money: I have spent far too many years talking with people about DLP (Data Loss Prevention) technologies. I still track the tools and use cases, and field a reasonable number of customer inquiries. But the truth is that most people don’t bother to use even a fraction of the features, and frequently use them incorrectly. Take web monitoring, for example. A dramatic minority of organizations bother to scan SSL traffic. Mostly because, you know, it’s kind of a pain to decrypt the traffic and then you end up sniffing employees’ bank transactions. The problem with that approach? Nearly all interesting traffic over the web is now encrypted by default. Every social media network. Every cloud service. And, now that Yahoo woke up and switched to SSL for mail, every webmail service. Seriously, the last thing we need to do in security is waste money on defenses that provide nearly no value. Even old-school signature-based antivirus provides more value than web DLP without SSL. Save the cash unless you can suck it up to intercept and monitor SSL traffic. – RM
  5. Blind to SQL injection: At my last firm (which may or may not have rhymed with IP*Bullocks), the console login of our core product was vulnerable to SQL injection. One of our customers found it, which was awesome. Being a database security company made it doubly embarrassing. We patched, apologized, altered our testing methods, and moved on. But for a security company whose product is designed to detect and thwart SQL injection, that’s really fracking embarrassing, as Imperva is finding out now with this blind SQL injection vulnerability. Take this for what it is – a bug in the code. It’s known and has been patched. Water under the bridge. What is important is that some of you were not aware of the bug and therefore remain vulnerable, so if you have not installed the patch yet, _stop reading_ and go patch it! – AL
  6. Hide the liability: It seems a lot of MSS contracts are built with SLAs exposing the provider to upwards of $40MM of damages. Based on what? How do you prove that the MSS provider is culpable? That first part is kind of wacky. But when I took a step back to think about it, clearly the providers are getting insurance to cover that kind of liability. Unless it’s a F500 Big IT or telecom shop offering the services, $40MM is real money so you would expect them to buy insurance to defer that risk. I remember back at TruSecure we had a ‘guarantee’ on the risk management service, and we couldn’t get any company to write the policy for a reasonable price. Maybe now that it’s clear how hard it is to collect on those kinds of policies, they are more willing to write them. But I find it hard to believe that any smaller provider (or their investors) is willing to accept $40MM in liability. – MR