As I mentioned a few weeks ago, XX1 had her Bat Mitzvah recently. It was great to be surrounded for a weekend by almost all the people we care about. And XX1 really stepped up and made us very proud. There are few things more gratifying than seeing your child excel – especially on a big stage in front of a lot of people. Part of the ceremony is a blessing from the parents. Some parents provide an actual blessing. Others tell entertaining stories about the child. I chose to give her some life perspective by distilling what I have learned over the past four decades down into a fairly simple concept. I understand she probably won’t get it for a while, but I’m okay with that. So here goes:

I have no doubt you will move with grace to adulthood. In preparation for that transformation, let me share with you what I’ve discovered over the past 45 years. In fact, I believe it’s the secret to life. The secret to life? Wow. I know, it seems kind of deep. So here goes. The secret to life is to LIVE RIGHT NOW. I know it seems kind of underwhelming, but hear me out. Once I explain it a bit, maybe LIVE RIGHT NOW will make sense.

You can choose to live in the future. Chasing dreams and aspirations and goals and life plans. You are so busy striving for what you don’t have, you never get around to appreciating what you do have. You’ll need to trust me on that. That doesn’t mean you can’t think to the future… but think to the future not in fear and worry, but in hope and grace. Realize you make the vision of your life a reality based on how you live right now.

You could choose to live in the past. We need to be respectful of history, and learn the lessons of those that came before us. But don’t be limited by the past. Learn from your own experiences, especially the challenging ones – then let them go. You have the power to create your own future. A future where you can achieve whatever you set your mind to and become absolutely anything you choose. Never forget that who you ARE doesn’t depend on who you WERE. You can and should be reinventing yourself as you move through life. Don’t let anything or anyone define you. Let your actions right now, in this moment, represent who you are and who you will become.

Steve Jobs said it much more elegantly in his awesome Stanford Commencement address, “Your time is limited, so don’t waste it living someone else’s life. Don’t let the noise of others’ opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition. They somehow already know what you truly want to become.”

Understanding this secret doesn’t make it easy. Being yourself, loving yourself, and surrounding yourself with people who appreciate and love YOU for who YOU ARE is very difficult. You’ll face many challenges, make countless tough decisions and you’ll screw things up. That’s all part of this game we call life. Just be true to yourself and everything will be OK. I promise.

Always remember your Mom and I will be there to support you – celebrating your accomplishments and helping you rebound from your setbacks. Most of all know that we love you, unconditionally and without bounds.

I wanted to finish the speech with a Seinfeld quote, but “NO SOUP FOR YOU!” didn’t seem to fit. Instead I chose a passage from Seinfeld’s book that my father sent to me many years ago when I lost sight of what was important.

“Life is truly a ride. We’re all strapped in and no one can stop it. As you make each passage from youth to adulthood to maturity, sometimes you put your arms up and scream, sometimes you just hang on to that bar in front of you. But the ride is the thing. I think the most you can hope for at the end of life is that your hair’s messed, you’re out of breath, and you didn’t throw up.”

Strap in girlfriend, it’s a wild ride.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

What CISOs Need to Know about Cloud Computing

Defending Against Application Denial of Service

Newly Published Papers

Incite 4 U

  1. Sustainable security change: As we come up to the end of the year, countless folks will fall again into the trap of New Year’s resolutions. Something they are going to change for perhaps a few days in January, then it’s right back to the same old habits. Dave Elfering (whose blog is good – you should read it) talks a bit about Leading vs. Managing in the context of creating change. The process he references (from some work by John Kotter) involves the hard work of lining up support, creating a vision, communicating that vision, empowering action, generating short-term wins, and consistency of enforcement to ensure the change sticks. This is hard stuff because everyone is constantly dealing with other shiny objects diverting their attention. Dave’s point is that managers can get things done. But it takes a leader to drive lasting change. I think he’s right. – MR
  2. Perverse security economics: No, not that kind of perverse, you deviants – I am referring to economic and market forces that work against security. We see examples all around us. Take, for instance, when your organization is hacked and you engage your incident response process. Does the business unit responsible for the mistake have to cover the costs of response with their budget? Nope, it almost always comes out of IT, and almost always out of the security budget. Those responsible don’t pay the cost, which makes it harder to induce change. And don’t tell me free pizza during a boring-ass awareness lecture is painful enough. Today’s example comes from TechHive, who reports on phone carriers directly impeding kill switches for stolen cell phones. Only Apple has been able to pull this off due to their special relationships with carriers. Why don’t the carriers want them? Because then they can’t charge you for theft insurance or their own kill switches. Yeah, a protection racket at its finest. – RM
  3. Ouija board project management: Security vendors are already discussing how to address the next generation of payment security before it has been decided what the next generation of payment infrastructure will look like. Over the past few weeks I have had half a dozen conversations with transactional monitoring, two-factor authentication, key management, identity, tokenization, and anti-fraud technology vendors about their plans for next-generation payment security offerings. One thing we know is that payment fraud is a huge problem, growing rapidly for both “card not present” (ecommerce) and in-person mag-stripe payments – thus prompting the zeal for payment security. But while Visa and Mastercard continue to push for EMV, mobile platform vendors like Google and payment technology vendors like Square continue to innovate faster than the card brands can react. Indirectly, end users get a vote. I would hate to bet against Visa, but if end users decide their mobile devices are the most convenient way to pay – and not to carry around yet another credit/gas/grocery card – the industry will probably shift in that direction, with diverse and major ramifications for payment security. – AL
  4. Cold day in … Dealing with security flaws in legacy web applications is a nightmare – especially when you face a platform vulnerability. One flaw in your web or application server platform product, and script kiddies throughout the world start scanning and pwning your site. Worse yet, on occasion (as in, more than we’d like) these exploits are in use before they are public. Then you face an attacker armed with a new exploit that is unstoppable using signature-based defense. Then again, most websites don’t have any protection in the first place. The latest example is courtesy of our friends at Anonymous, who seem to have been hacking government servers with ColdFusion flaws for the past year. We don’t know for certain that the attacks used 0-days, but it seems likely in some instances. According to Reuters, the bad guys are slipping in back doors and coming back later. The truth is that we have many security options to limit these kinds of attacks, especially on servers – even when a 0-day is involved. Server integrity products, compartmentalization, and basic log analysis can all help. If you do them. I suppose all the resources were busy working on – RM
  5. Beyond Device Management: The need for mobile device (MDM) and mobile app (MAM) management is clear – data and user security is needed for protection in a world without clear differentiation between personal and corporate devices, and lacking consistent user accounts across cloud services. Good, MobileIron, and AirWatch have all seen robust adoption to address these problems and for related capabilities such as app provisioning. But there is a long way to go in mobile security for corporate use. For example, how do you authenticate a user to a device? Is that different than authenticating a user to an app or authenticating a mobile client to a service? Should it be? What about data security or deprovisioning accounts? Can these folks work securely in offline mode? In the last week Oracle and IBM jumped into the fray with Oracle’s acquisition of Bitzer and IBM’s purchase of Fiberlink Communications. These acquisitions are intended as toeholds in the MDM market to extend other features already in place for identity, data security, and transactional monitoring. The management features need to be in place first, but as this market matures all the other operational and compliance controls are needed too. I expect the three MDM incumbents to improve both the security controls enterprises need and the end-user experience with their apps; they need to offset Oracle and IBM’s other advantages. – AL
  6. How about practicing for breaches, period? As the cloud becomes more commonly used for production stuff, there will inevitably be breaches. What happens then? Do you know? You need to. As part of your contractual process, paper accountability should have been defined and the process to investigate a breach discussed, as well as the escalation process. Nah, I didn’t think that had actually happened. So what now? You need to design a response process that factors in the different visibility and accessibility of the cloud. How do you take a snapshot for forensics? Are you gathering logs from the (virtual) devices running in the cloud? Yup, more questions to answer. Once you have defined your process, Rob Lemos points out in Dark Reading that you need to practice response. It’s actually good advice, but the problem is that most enterprises don’t practice for breaches within their own data centers. Not to be Mr. Cynic here, but a lot of organizations need to walk before they run, and practicing for cloud breaches is definitely running. – MR