I read a profile of Spanx’s Sara Blakely in the Forbes Billionaires issue, and the tip that really resonated was that at dinner each night, her father would ask each child what they had failed at that day. Wait, what? He would be disappointed if the kids didn’t fail at something because it meant they weren’t stretching far enough out of their comfort zone. Damn, I wish I had thought of that.

There is an unnecessary stigma about failure and it’s counter-productive. This is programmed into our heads from a young age. “Winning isn’t everything, it’s the only thing.” Hyper-competitive helicopter parents screaming at their kids to win their 4-year-old T-ball game. I have to say the Boy competes in both lacrosse and tennis, but he doesn’t much care whether he wins or loses. He just moves on. He certainly didn’t get that trait from me – I was very competitive growing up and hated to lose at anything. But I admire it in him.

As a result of my unwillingness to screw up, I didn’t really try enough new things. I would compete when I knew I had a very good chance to win. Looking back, it would have served me much better to have tried stuff and made mistakes and realized that I could fall down, and it would be okay. Think about it – we fail every day at all sorts of things, both little and big. Entrepreneurs talk about failing fast and pivoting to the next idea quickly. They fall down but reload and move on.

I love the guys who breathe their own exhaust and think they are all that because they joined a company like Google or Facebook early enough to make some money, but not so early that they had much to do with the company’s success. These folks think it was them, while in reality they were lucky. To be fair, these lucky few do learn from being around success. Some can parlay that into success in their next venture. But most don’t. The folks who got blown out are more interesting. As one of them I can tell you that I learned a lot more from failing.

In the security world a breach occurs when something fails. Some of the small-minded clean up the mess and move on. They don’t spend enough time trying to figure out what went wrong. They hope the problem will go away. It won’t. It never does. They should do a post-mortem. They need to identify what didn’t work and fix it. An organization’s culture must allow for mistakes, though it’s realistic to expect employees not to make the same mistake twice.

I am pretty good about telling my kids that it’s okay to make mistakes. As long as they learn from them. So when they have a no good, horrible, very bad day, messing everything up, I always ask what they have learned. Usually they can tell me, but if not I’ll use it as a teaching moment to explain what they could do differently next time. Ultimately I try to make it clear to them that it’s okay to fail. Really, it’s okay. As long as they get back up and jump into the mix.


Photo credits: Oops! “This Was NOT What I Intended!” originally uploaded by Bridget Coila

Upcoming Cloud Security Training

Interested in Cloud Security? Are you in EMEA (or do you have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training class in Reading UK on April 8-10. Sign up now.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Email-based Threat Intelligence

Understanding Identity Management for Cloud Services

Newly Published Papers

Incite 4 U

  1. Vulnerability scoring snoring: I have to admit I have never been a fan of generic vulnerability scoring because it doesn’t take into account the context required to understand the impact of the issue on your network. It’s nice to see Tyler Reguly of nCircle make the same point. He says it pretty bluntly: “The current state of vulnerability scoring is useless. With the frequency of vulnerability disclosure and the number of vulnerabilities patched in products, a bucket consisting of High, Medium, and Low tells me nothing.” Back in Vulnerability Management Evolution I talked a lot about how prioritizing what to do is the key value of these platforms. Tyler then goes on to talk about risk scoring, which adds a few key attributes like exploit availability and access to the system. Right – if you can’t exploit the vulnerability or get to the system, your urgency score needs to drop. Period. – MR
  2. SCADA chum: Even today we still run into far too many Operational Technology (OT, as opposed to IT) people who like to pretend they are still safe behind their firewalls. Or that their systems are too specialized for Internet attackers to do anything with, even if they do get in. New research by Trend Micro shatters those misconceptions. The research team put up 3 honeypot networks designed to emulate real utility company networks, and watched as they were hit with 39 attacks from 14 nations (guess who came first?). This is merely one more in a series of wake-up calls, and you can bet that these sorts of results are driving more of the cybersecurity activity in DC than the more-public IP theft. – RM
  3. Right idea, wrong direction: This attacks on critical infrastructure story is making the rounds as news. But this is the same story we heard for years about SCADA; vulnerable – we know. But why is it an issue now, and why is it any different than generic unprotected Windows endpoints on the Internet? Remember back when Windows PCs were owned in about 4 minutes, with some infected in as little as 8 seconds. These attacks are automated and constantly ongoing. My feeling is this is all driven by the media feeding frenzy trying to keep the ‘cyber’ threat in the news, mostly to position and politic to justify federal funding, which is why the intelligence community states that cyber is more dangerous than terrorism. It’s not that these threats aren’t real, but sequestration clearly has these folks running scared. This smells just as bad as the justifications we heard for the TSA. And we have seen how effective spending is on that mess. – AL
  4. Would you like some DDoS defense with your burger? The industry has been talking about the fusion of security capabilities into the network core since I had dark hair. Yes, that long ago. It hasn’t materialized for the most part, unless you consider a low-functionality IPS blade in a switch chassis the network core. Yeah, me neither. But with deals like Cisco licensing Arbor’s carrier class DDoS technology to integrate into their BASS (big ass) core router we may start to see more integration. The reality is that the earlier DDoS attacks can be taken out of play, the better. So being able to see the attack building and then taking it out before it impacts customers would be a huge value. And given how the DDoS business (both products and services) is starting to explode, Cisco is not behind the security market. Too bad this wasn’t their security group. D’oh! – MR
  5. Creative counter-intel: Never underestimate the power of bribery. You don’t need spy school to learn that it’s easier to convert someone into an intelligence asset if they have a crap life at home, and you dangle all the Facebook and Xbox time they could want in front of their face. At least that’s Stewart Baker’s idea. Think about it – many Chinese government hackers are young, and likely just as disgruntled as any other government workers. While some are patriotic, at scale there are always a few bad eggs, some of whom wouldn’t worry about trouble for friends and family back home. It’s an interesting idea, but I suspect one that is already being played because it has been around forever. – RM
  6. Security override: I do several vendor briefings a week. In 90% of these, the vendor leverages WebEx or similar demonstration software to show their stuff (even their PowerPoints) in real time. And in order to use their demo software I need to disable every frackin’ security control on my machine! Enable Java. Enable JavaScript. Enable every Adobe product. Enable plug-ins. Enable pop-ups. Disable privacy protections. I use Little Snitch to monitor my outbound connections, but I need to let their plug-ins connect to thousands of unnamed servers and send data to totally unrelated services. Allow incoming connections. Whatever it takes to deliver content! The irony is not lost on me that I need to disable security to get a security briefing. So it’s no surprise that Google chose to delist a valuable tool like AdBlock to prevent interference with ad content delivery. Once again, it is important not to let those pesky security controls get in the way of keeping the money press churning. – AL
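Item 1 above argues that a bare High/Medium/Low bucket is useless for prioritization and that exploit availability and reachability must drive urgency. The following is an added example (not code from the post or from nCircle) of that risk-adjusted scoring; the base scores, the 0.5 and 0.2 scaling factors, and every finding in the sample list are constructed assumptions.

```python
"""Risk-adjusted vulnerability prioritization (added example, not from the post).

A vendor severity bucket is only the starting point; the urgency a team acts on
is that bucket scaled by whether an exploit exists and whether the vulnerable
service is reachable at all. All identifiers and hosts below are made up.
"""
from dataclasses import dataclass

# Assumed numeric value for each vendor bucket (constructed for this example).
BASE_SCORE = {"High": 9.0, "Medium": 5.5, "Low": 2.5}


@dataclass
class Finding:
    vuln_id: str             # placeholder identifier, not a real CVE
    host: str
    severity: str            # vendor bucket: High / Medium / Low
    exploit_available: bool  # public exploit or active exploitation known
    reachable: bool          # an attacker can actually reach the service


def urgency(f: Finding) -> float:
    """Contextual urgency: bucket score scaled by exploit and reach factors.

    Assumed rules: no known exploit halves the score; an unreachable service
    cuts it to a fifth. The factors compound, so an unreachable, unexploitable
    High drops below a reachable, exploitable Low.
    """
    score = BASE_SCORE[f.severity]
    if not f.exploit_available:
        score *= 0.5
    if not f.reachable:
        score *= 0.2
    return round(score, 2)


def prioritize(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=urgency, reverse=True)


# Constructed sample scan output.
SAMPLE = [
    Finding("VULN-A", "dmz-web-01", "Medium", True, True),
    Finding("VULN-B", "hr-db-03", "High", False, False),
    Finding("VULN-C", "lab-box-07", "High", True, False),
    Finding("VULN-D", "vpn-gw-02", "Low", True, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{urgency(f):5.2f}  {f.severity:6}  {f.vuln_id}  {f.host}")
```

Running it ranks the reachable, exploitable Medium first and the unreachable, unexploitable High last, which is the point the item makes about bucket-only scoring.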