One of the things about celebrating a birthday is the inevitable reflection. You can’t help but ask yourself: “Another year has gone by – am I where I’m supposed to be? Am I doing what I like to do? Am I moving in the right direction?” But what is that direction? How do you know?

Adam’s post at Emergent Chaos about following your passion got me thinking about my own journey. The successes, the failures, the opportunities lost, and the long (mostly) strange trip it’s been. If you had told me 25 years ago as I was struggling through my freshman writing class that I’d make a living writing and that I’d like it, I’m actually not sure what my reaction would have been. I could see laughter, but I could also see nausea. And depending on when I got the feedback from that witch professor on whatever crap paper I submitted, I may have smacked you upside the head.

But here I am. Writing every day. And loving it. So you never can tell where the path will lead you. As Adam says, try to resist the paint by numbers approach and chase what you like to do. I’ve seen it over and over again throughout my life and thankfully was smart enough to pay attention. My Dad left pharmacy when I was in 6th grade to go back to law school. He’s been doing the lawyer thing for 30+ years now and he still is engaged and learning new stuff every day. And even better, I can make countless lawyer jokes at his expense.

My father in law has a similar story. He was in retail for 20+ years. Then he decided to become a stock broker because he was charting stocks in his spare time and that was his passion. He gets up every day and gets paid to do what he’d do anyway. That’s the point. If what you do feels like work all the time, you’re doing something wrong.

I can envision telling my kids this story and getting the question in return: “OK Mr. Smart Guy, you got lucky and found your passion. How do I find mine?” That’s a great question and one without an easy answer. The only thing I’ve seen work consistently is to do lots of things and figure out what you like. Have you ever been so immersed that hours passed that felt like minutes? Or seconds?

Sure, if you could figure out how to play Halo professionally that would be great. But that’s the point – be creative and figure out an opportunity to make money doing what you love. That’s easier said than done but it’s a lot better than a sharp stick in the eye working for people you can’t stand doing something you don’t like. Adam’s post starts with an excerpt from Cal Newport’s Follow a career passion?, which puts a different spin on why folks love their jobs:

The alternative career philosophy that drove me is based on this simple premise: The traits that lead people to love their work are general and have little to do with a job’s specifics. These traits include a sense of autonomy and the feeling that you’re good at what you do and are having an impact on the world.

It’s true. At least it has been for me. But my kids and everyone else need to earn this autonomy and gain proficiency at whatever job they are thrust into. Which is why I put such a premium on work ethic. You may not know what your passion is, but you can work your tail off as you find it. That seems to be a pretty good plan.


Photo credits: Passion originally uploaded by Michael @ NW Lens

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Defending Against Denial of Service (DoS) Attacks

Understanding and Selecting Identity Management for Cloud Services

Securing Big Data

Incite 4 U

  1. It’s not groupthink. The problem is the checkbox: My pal Shack summarizes one of the talks he does at the IANS Forums in Infosec’s Most Dangerous Game: Groupthink. He talks about the remarkable consistency of most security programs and the controls implemented. Of course he’s really talking about the low bar set by compliance mandates, and how that checkbox mentality impacts how far too many folks think about security. So Dave busts out the latest management mental floss (The Lean Startup) and goes through some concepts to build your security program based on the iterative process used in a start-up. Build something, measure its success, learn from the data, and pivot to something more effective. It’s good advice, but be prepared for battle because the status quo machine (yeah auditors, I’m looking at you) will stand in your way when you try to do something different. That doesn’t mean it’s not the right thing to do, but it will be harder than it should be. – MR
  2. Android gone phishin’: There’s always a lot of hype around mobile malware, in large part because AV vendors are afraid people won’t remember to buy their mobile products without a daily reminder of how hosed they are. (I kid.) (Not really.) As much as I like to minimize the problem, mobile malware has been around for a while, but it tends to be extremely platform and region specific. For example, it’s a bigger deal in parts of Europe and Asia than in North America, and until recently was very Symbian heavy. Now the FBI warns of phishing-based malware for Android. It’s hard to know the scope of the problem based on a report like this, but it does back my past assertion that Android really isn’t enterprise ready (but it’s getting better). As you track this issue over time, pay particular attention to the platforms and versions involved – right now there is no malware issue on iOS (despite all the dire warnings), and even malware on Android can be very version-specific. It’s still more hype than reality, but worth keeping an eye on. – RM
  3. Poisoning the well: It was only a matter of time until malware purveyors began to broaden their methods of malware distribution, but infected “watering holes” are evolving into an effective complement to phishing email. Advising people to use AV and saying, “don’t be deceived by unsolicited email” is not helpful – AV does not detect most malware and good social engineering will deceive almost anyone. There are technical controls that can help. For example, phishing messages are fairly easy to defeat if folks avoid clicking any links in email and use outbound firewalls to block traffic to the outside world. But protecting users from hacked web sites is a far more difficult task – there is no straightforward way for a user to protect themselves, besides not browsing. Sure, monitoring the resources a web page tries to drag back to your browser via outbound filtering is an option, but inspecting every resource request makes for a horrible browsing experience. Some form of URL reputation inspection and/or sandboxing the browser, done automatically, is the right option here. – AL
  4. Can you know too much? First of all, how great is it that our pal Wendy is back in action? In her latest Dark Reading post, she examines When Monitoring Becomes a Liability. It’s a legitimate concern – as we get better at detecting breaches, the regulatory requirement to report them creates a situation where, depending on what constitutes a breach, disclosure could blunt the obscurity most organizations hide behind. I see Wendy’s points but don’t necessarily agree. First of all, every organization has bots and suffers breaches. Having to divulge that information isn’t the real risk. It’s the consistency of reporting. Let’s say Company A and Company B have similar issues (bots, breaches, and the like). Company A discloses because their overactive audit committee wants to avoid the perp walk. Company B pulls an Enron and doesn’t. The downside isn’t monitoring – it’s the consistency of enforcing the rules. I just come from the school that more data is better than less, even if it makes things a bit messier. – MR
  5. Patch the cloud: I’m in the process of rewriting all the hands-on labs for the class we built for the Cloud Security Alliance, so perhaps my brain is a little overly focused on cloud platform issues. So I’m fascinated by a new (now patched) vulnerability in CloudStack that could allow an attacker to make arbitrary API calls. Keep in mind – you use the API to do little things like start, stop, and otherwise manage virtual machines, storage, the network, and… umm… everything. The fix in this case is pretty simple (a quick database change), but imagine if something much more serious hits. You can’t assume you won’t need to patch even fundamental components of your cloud, and you need to plan for outages. You also need to think about additional security controls for the management plane, such as XML security gateways to validate API calls, since you certainly can’t rely on IPS for attacks against these sorts of vulnerabilities. Not impossible problems, but definitely worth changing how you think. – RM
  6. Click-to-play in Firefox: Firefox is broken in many ways, but they have continued to add security features onto an already impressive list of capabilities. The latest enhancement is having the Block-list drill-down coupled with ‘click-to-play’ plug-ins. This makes it easier to keep certain plug-ins turned off, and when a plug-in is requested by the page you can toggle it on and off. Click-to-play is a great feature to keep the browser from loading and running plug-ins unless you want them to, but it’s often safer to leave plug-ins disabled until you need them. By pushing plug-in enablement into the address bar it’s easier to manage what’s running, and easier to verify that plug-ins are up to date. Couple this with your favorite browser checker and NoScript, and you have IMHO the most secure browser available. – AL
  7. Getting off the treadmill: Whether you want to call it a treadmill, the hamster wheel of pain, or whatever, security can be aggravating and frustrating because we don’t seem to improve the situation. Which isn’t exactly true, but it sure feels that way. Adam (this time on the New School blog) talks about how hospitals are open to the idea of sharing data about their mistakes. He points out that there is huge liability and downside to this, because they are giving lawyers the rope to hang them. But they’ll do it anyway because if they can save one life it’s worth it. Why can’t we do that in security? His post mentions the dangers of sharing exploit info and impeding an active investigation. Those are real issues but shouldn’t be excuses. We can and must share information better. Leverage what’s being learned out there. Adam is right: “Let’s talk about our mistakes and get off the treadmill.” – MR