There were always reasons I wasn’t a runner. I was too big and carried too much weight. I was prone to knee pain. I never had good endurance. I remember the struggle when I had to run 3 miles as a pledge back in college. I finished, but I was probably 10 minutes behind everyone else. Running just wasn’t for me. So I focused on other methods of exercise. I lifted weights until my joints let me know that wasn’t a very good idea. Then I spent a couple years doing too many 12-ounce curls and eating too many burritos. For the past few years I have been doing yoga and some other body weight training.

But it was getting stale. I needed to shake things up a bit. So I figured I’d try running. I had no idea how it would go, given all my preconceived expectations that I couldn’t be a runner. I mentioned it to a friend and he suggested I start with a run/walk program espoused by Jeff Galloway. I got his 5K app and figured I’d work up to that distance over the summer. I started slowly during my beach vacation. Run 2 minutes, walk 1 minute. Then I ran 3 minutes, etc. Before I knew it, I had worked up to 3 miles.

At some point my feet started hurting. I knew it was time to jettison my 5-year-old running shoes and get a real pair. I actually went to the running store with the boy and got fitted for shoes. It made a world of difference. I was running 3 days a week and doing yoga another 3 days.

I was digging it. Though over the summer it wasn’t that hard. I’d get out early before it got too hot and just run. After conquering the 5K I figured I’d work up to a 10K, so I started another training program to build up to that distance. I made it to the 6-mile mark without a lot of fuss. Even better, I found myself in cool places for work and I’d run there. It’s pretty okay to start the day with a run along Boulder Creek or the Embarcadero. Life could be worse.

I was routinely blowing past the suggested distance in the 10K program. I banged out almost 7 miles on one run and wasn’t totally spent. That’s when it hit me. Holy crap, I’m a runner. So I decided to run a half marathon in March. I figured that was plenty of time to get ready and a couple buddies committed to run with me. I did 8 miles and then 10 miles. Just to see if I could, and I could.

Then I thought, what the hell am I waiting for? My sister-in-law is running a half in early November and she is just working up to 10 miles. I signed up to run a half this Thanksgiving. I even paid $15 for the race t-shirt (it’s a free race, so the shirt was extra). That’s in about a month and I’ll be ready. If there is one thing I have learned from this, it’s that who I was doesn’t dictate what I can accomplish. I can overcome my own perceptions and do lots of things I didn’t think I could, including running.


Photo credit: “Day 89 – After the Run” originally uploaded by slgckgc

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and... hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Security and Privacy on the Encrypted Network

Secure Agile Development

Trends in Data Centric Security

Incite 4 U

  1. Attitude > technical chops: It seems every day someone bitches to me about the difficulty in finding good people to staff the security function. Thom Langford thinks a lot of folks are looking in the wrong places, and that good potential security folks may already be in your organization – just not doing security. Thom added an executive assistant to the security team and it has worked out well for him because of her attitude and understanding of how to get things done within the organization. “Technology and hard skills are things that can be taught in relatively short periods of time; attitude is something that takes a lot longer to learn, decades even.” Actually, a lot of folks never learn the right attitude. But all the same, when you face a skills shortage you need to grow your own, and the right folks may already be right in front of you. – MR
  2. No shared secrets: I confess I get most of my iOS security knowledge from Rich, who reviews pretty much all things Apple from a security perspective, but I ran across a really good post on Naked Security which describes iOS 8.1 security fixes. Beyond addressing POODLE vulnerabilities, Apple closed a hole by no longer allowing Bluetooth devices to connect unencrypted, making it much harder to spoof communication with the device. Next they fixed a threat that let someone who got hold of your device gain access to an encrypted file without knowing your passcode. We don’t often see the whole of Apple’s strategy to use encryption pretty much everywhere, use encryption keys only accessible to you, and not to share data or trust with third parties… including Apple and law enforcement. Which is the right way to do things. – AL
  3. How to get the CISO seat: Uh, don’t. Okay, all kidding aside, some folks do aspire to sit in the senior security seat of an organization. This Dark Reading article goes through some of the trends, like it’s easier to get a CISO job if you have already been one (duh). And CISSP isn’t a necessary certification (my friends JJ and Dave may not be happy to hear that). Also CISOs are more likely to have a technical background. Which is curious because it is not really a technical position any more. My suggestion is to learn about the business. Understand how security helps achieve corporate goals. Get some quick wins for projects you lead. And then wait. Within 18 months the current CISO will be gone, and then you can fill in while they try to recruit from the outside. During that window, get some more quick wins and then roll out a strategy for a more effective security program. Even if you don’t get that job you will be ready to put your hat in the ring for other CISO jobs. But always remember to have your resume up to date – it’s not like CISO offers much job security. – MR
  4. Pull along: We have said on this blog many times that the only way to improve user security is to first make any new technology easier, and then sneak better security in with it. MasterCard realizes this too, as shown by their announcement of embedded fingerprint scanners on credit cards. The “easier to use” part is using a fingerprint scan to replace a PIN. Well, that and the fact that you no longer need to run it through a card swipe device – instead you just hold the card somewhere near the terminal for authentication. If this looks similar to Apple Pay without an iDevice, you’re right – user experience will be very similar, with the same merchant terminals. Again, none of this technology is new, but for the first time the US market has a shared vision of how to push security forward by making it easier for users to pay, with multiple options for providers. And who knows – maybe eventually we won’t need to replace cards every three months after the latest credit card data breach… – AL
  5. Another day, another retail breach. Staples, come on down! Krebs does it again. He discloses the Staples breach, leveraging his sources in the banking industry. Those folks would know, even if the organization doesn’t. Was it the same kind of malware? Don’t know. The same set of attackers? Don’t know. Brian’s sources believe it was a bunch of stores in the northeast. I’m sure we’ll know soon enough. Though you have to wonder now if we should switch to tracking retailers who haven’t lost credit card data… How long will it be before whitelisting is baked into these embedded Windows POS terminals? – MR