As I sit in yet another hotel, banging out yet another Incite, overlooking yet another city that isn’t home, this is a good time to look back on 2014 because this is my last scheduled trip for this year. It has been an interesting year. At this point the highs this year feel higher, and the lows lower. There were periods when I felt sick from the whiplash of ups and downs. That’s how life is sometimes. Of course my mindfulness practice helps me handle the turbulence with grace, and likely without much external indication of the inner gyrations.

But in 5 years how will I look back on 2014? I have no idea. I have tried not to worry about things like the far future. At that point, XX1 will be leaving for college, the twins will be driving, and I’ll probably have the same amount of gray hair. Sure, I will plan. But I won’t worry. I have been around long enough to know that my plans aren’t worth firing the synapses to devise them. In fact I don’t even write ‘plans’ down any more.

It is now December, when most of us start to wind down the year, turning our attention to the next. We are no different at Securosis. For the next couple weeks we will push to close out projects that have to get done in 2014 and start working with folks on Q1 activities. Maybe we will even get to take some time off over the holidays. Of course vacation has a rather different meaning when you work for yourself and really enjoy what you do. But I will slow down a bit.

My plan is to push through my handful of due writing projects over the next 2 weeks or so. I will continue to work through my strategy engagements. Then I will really start thinking about what 2015 looks like. Though I admit the slightly slower pace has given me opportunity to be thankful for everything. Certainly those higher highs, but also the lower lows. It’s all part of the experience I can let make me crazy, or I can accept bumps as part of the process.

I guess all we can do each year is try to grow from every experience and learn from the stuff that doesn’t go well. For better and worse, I learned a lot this year. So I am happy as I write this although I know happiness is fleeting – so I’ll enjoy the feeling while I can. And then I will get back to living in the moment – there really isn’t anything else.


Photo credit: “wind-up dog” originally uploaded by istolethetv

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers

Incite 4 U

  1. CISO in the clink… I love this headline: Can a CISO serve jail time? Duh, of course they can. If they deal meth out of the data center, they can certainly go to jail. Oh, can they be held accountable for breaches and negligence within their organization? Predictably, the answer is: it depends. If you are clearly negligent then all bets are off. But if you act in the best interests of the organization as you see them … it is hard to see how a CISO could be successfully prosecuted. That said, there is a chance, so you need to consult a lawyer before taking the job to understand where your liability begins and ends (based on your agreement), and then you can make an informed decision on whether to take the job. Or at least build some additional protection into your agreement. – MR
  2. Productivity Killer: Sometimes we need a reminder that security isn’t all about data breaches and DDoS. Sometimes something far far worse happens. Just ask Sony Pictures. Last week employees showed up to work to find their entire infrastructure compromised and offline. Yep, down to some black hat hax0rs graphic taking over everyone’s computer screens, just like in… er… the movies. I don’t find any humor in this. Despite what Sony is doing to the Spider-Man franchise, they are just a company with people trying to get their jobs done, make a little scratch, and build products people will pay for. This isn’t as Earth-shattering as the completely destructive Saudi Aramco hack, but it seems pretty close. Destructive hacks and data breaches are not the same things, even though breaches and APTs get all the attention and need to be covered in the threat model. – RM
  3. Friends make the CISO: Far too many CISOs end up in the seat without proper training in what their real job is: coercion and persuasion. Not in a bad way, but the fact is that if a CISO cannot convince their peers to think about security, they cannot succeed. So I enjoyed a piece on for describing the CISO’s best friends. The reality is that the CISO job isn’t a technical one – it is a people management job, and far too many folks go into it without understanding. That doesn’t end well. – MR
  4. Understated: I have been reading Adam Shostack’s stuff since I started in security. He is known for offering well-reasoned opinion, devoid of hype and hyperbole, based on decades of hands-on experience. But sometimes that understated style shorts a couple very important points, as in his recent post Threat Modeling at a Startup. Adam focused on the operational aspects, but did not address two important aspects – essentially why threat modeling is so important for startups. First because threat modeling has a pronounced impact at earlier stages of platform development, while the foundation of an application is being designed and built. Second, threat modeling is one of the most cost-effective ways to improve security. Both these facets are critical for startups, who need to get security right out of the blocks, and don’t have a lot of money to burn. – AL
  5. You know the breach is bad when… You need to do a media blitz about hiring a well-known forensic shop to clean up the mess. Yup, the Sony Pictures folks had their damage control people make a big deal about hiring FireEye’s Mandiant group to clean up the mess of their breach. As Rich described above, the breach was pretty bad, but having to make a big deal about hiring forensic folks doesn’t instill confidence that anyone in-house knows what they are doing. But I guess that’s self-evident from two very high-profile breaches one after another. And to the executive who gave the green light to The Interview, it’s all good. Fortunately the North Koreans aren’t vindictive or anything… – MR