A week ago most folks in the US were in food comas from the Thanksgiving feast. Of course this is a great time of year to be grateful for what you have, whether it’s family, health, work, or anything else. This morning I got a great reminder that expressing gratitude is a habit, which requires daily work – especially for security people.

I was doing a speaking gig for a client in Atlanta, and I ran into an old friend who traveled in for the seminar. We were catching up and he mentioned how busy he was and that it was a bit overwhelming. I jumped right in because we at Securosis are pretty busy ourselves. But then I got a flash of awareness and decided I had to break the cycle. I specifically asked whether he remembered 10 years ago, when no one cared about security.

I certainly do. A lot of you (like Rich, Adrian, and myself) did security before security was cool. You remember talking to blank stares when evangelizing the importance of security. You remember cleaning the same malware off the same person’s device, over and over again, because they just couldn’t understand why they couldn’t click ads on questionable sites. You also remember looking for a new job when the senior team needed a scapegoat after yet another breach, after they didn’t listen to what you said the first time.

It’s a different situation now. Many folks still don’t understand what they need to do, but they don’t really argue about the importance of security any more. Most of us have a bigger issue finding talent to fill open positions, rather than making the case for why any security people are needed. These are things to be grateful for.

It turns out that a little gratitude leads to a lot. So if you have any interest, don’t just think about being thankful around the holidays. Start the day by making a list of 2 or 3 things you are grateful for every day. It’s hard to get into the right mindset to get things done, when you wake up overwhelmed by the amount of stuff that needs to get done. So break that cycle too. Think about what’s working in your life. It doesn’t have to be a lot. Just a little thing. Take a small step toward feeling gratitude every day.

I do this consistently, every day. It puts me in the right frame of mind. I’m thankful for so many things, but none more than the habits I have established over the past few years, which have made a huge difference in my life.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building Security into DevOps

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers

Incite 4 U

  1. Can security be fixed? Is it broken? I’ve gotta send a hat tip to my friend Don, who pointed out this article on TechCrunch explaining how Humility, Accountability And Creative Thinking Can Fix IT Security. Really? A lot of the security folks I know are pretty humble and creative. It’s not like they sit around and talk about how great they are while the city is burning. But aside from the clickbait title, there are some decent points in that post. I especially like the idea of killing silver bullet syndrome. There is no single answer for dealing with sophisticated adversaries. I also agree that security will need to evolve as the cloud and mobility continue to take root. Inflection anyone? The article also points out the need to share information, and that’s all about Threat Intelligence. But I still push back on the contention that security is broken. It’s not broken, because that supposes that it can be fixed. I posit that you don’t win security – you just survive to fight another day. – MR
  2. Student jobs: It appears the FBI is funding security vulnerability research; not for bug bounties, but to conduct surveillance. Recently they paid university students to hack Tor networks so they could inspect Tor traffic and de-anonymize Tor users. The FBI’s disclosed target could have been tracked financially, and Tor offers law enforcement other means to locate users, which implies (shockingly) their goal was something more than they disclosed. The problem is that they used the same techniques legitimate security researchers use to find flaws – efforts which the FBI is more known for prosecuting than for sponsoring. So we come back to the sad fact that some folks in law enforcement think the rules are important, but don’t apply to them. – AL
  3. Volunteering to get started in security: Recently I highlighted a great article from Lesley Carhart about getting started in infosec. Given the skills gap, all the help we can offer interested parties who want to join us in security is welcome. So check out this interview with Ron Woerner on Michael Santarcangelo’s blog. Ron points out the Catch-22 that security jobs demand experience, but most entry-level folks have no way to get it. Ron suggests volunteering on open source projects or with local organizations, such as schools and religious organizations. Maybe even your doctor’s or dentist’s office. Ron also suggests reading. A lot. He’s right – there are so many talks and so much content out there free, that anyone can familiarize themselves with the practice. Of course nothing replaces the experience of screwing things up, so reading isn’t enough. But these are all good ways to get onto the path of security ‘bliss’. LOL. – MR
  4. Delusional: The claim that Snowden’s leaks contributed to the Paris bombings is so outrageous I thought at first I would not comment on it at all. But in our daily jobs, helping firms deploy encryption, I realize how few communications – email, voice, data, text messages, etc. – are actually encrypted, even after we learned mass surveillance is a reality. I have used encryption on and off during my professional career for both personal and professional communications. Most of the time I have used encryption during the development phases of new encryption, key management, and PRNG modules to protect us from both eavesdropping and code tampering. But even paranoids like myself don’t use it most of the time, because it is too hard to use except for the most sensitive communications. Even after the Snowden revelations, I am still surprised how little of our critical infrastructure is encrypted and private. But maybe I shouldn’t be. – AL
  5. Screwing up is part of the process: Fahmida posted a pretty entertaining article on 10 dumb security mistakes that sys admins make. It’s mostly simple stuff like using sudo and making changes as root. I mean, the list is the list, and dumb mistakes are made all day, every day. My point is that screwing up is an integral part of learning security. Those with a future in this practice mess things up all the time. They try stuff. They hack together solutions to problems no one has ever seen, and sometimes they work. But often they don’t. That’s part of the learning process, and as security folks we always need to be learning. So don’t stigmatize mistakes – embrace them. Just don’t make the same mistakes more than once. – MR