A few weeks back at BSidesATL, I sent out a Tweet that kind of summed up my view of things. It was prompted by an email from a fitness company with the subject line “Embrace Discomfort.” Of course they were talking about the pain of whatever fitness regimen you follow. Not me. To me, comfort is uncomfortable.

I guess I have always been this way. Taking risks isn’t risky from where I sit. In fact playing it safe feels dangerous. Of course I don’t take stupid risks and put myself in harm’s way. At least I don’t any more – now I have a family who depends on me. But people ask me how I have the courage to start new businesses and try things. I don’t know – I just do. I couldn’t really play it safe it I tried.

Not that playing it safe is bad. To the contrary, it’s a yin-yang thing. Society needs risk-takers and non-risk-takers. However you see yourself, make sure you understand and accept it, or it will not end well.

For instance some folks dream of being a swashbuckling entrepreneur, jumping into the great unknown with an idea and a credit card to float some expenses. If you are risk-averse that path will be brutal and disappointing. Even if the venture is successful it won’t feel that way because the roller coaster of building a business will be agonizing for someone who craves stability.

Similarly if you put an entrepreneur into a big stable company, they will get into trouble. A lot of trouble. Been there, done that. That’s why it is rare to see true entrepreneurs stay with the huge companies that acquire them, after the retention bonuses are paid and the stock is vested. It’s just soul-crushing for swashbucklers to work in place with subsidized cafeterias and large HR departments.

I joked that it was time to leave META Group back in the mid-90s, when we got big enough that there were people specifically tasked with making my job harder. They called it process and financial controls. I called it bureaucracy and stupid paperwork. It didn’t work for me so I started my own company. With neither a subsidized cafeteria nor an HR department. Just the way I like it.


Photo credit: “2012_05_050006 Road to Risk Takers Select Committees” originally uploaded by Gwydion M. Williams

Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get…

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Endpoint Defense Essential Practices

Applied Threat Intelligence

Network Security Gateway Evolution

Newly Published Papers

Incite 4 U

  1. We’re hacking your stuff too, eh! All my Canadian friends are exceedingly nice. I’m sure many of you know our contributors from up North, Dave Lewis and James Arlen, and there aren’t any nicer people. They are cranky security people like the rest of us, but they somehow never seem cranky. It’s a Canadian thing. So when you hear about the Canadians doing what pretty much every other government is doing and hacking the crap out of all sorts of things, you say, “Eh? The Canadians? Really?” Even better, the Canadians are collaborating with the NSA to use social engineering and targeted attacks to “garner foreign intelligence or inflict network damage.” The spinmeisters were spinning hard about the documents being old, blah blah blah. Maybe they need a little Rob Ford action in the cyber department to give us the real low-down. But you know what? I’m sure they were very polite guests and left everything exactly as they found it. – MR
  2. He had me at Manifesto: I love a good manifesto. Nothing gets the blood moving like a call to arms, to rally the troops to do something. My friend Marc Solomon of Cisco advocates for CISOs to write their own manifestoes to get the entire organization thinking about security. I’m not sure how you make security “a growth engine for the business”, but a lot of his other aspirations are good. Things like security must be usable, transparent, and informative. Yup. And security must be viewed as a “people problem,” which really means that if you didn’t have all these pesky employees you would have far fewer security problems. Really it’s a sales document. You (as CISO) are selling the security mindset to your organization, and that is a manifesto worth writing. – MR
  3. E-DDoS coming to a cloud near you: One of the newer attack vectors I highlighted in our denial of service research a couple years ago was an economic denial of service. An adversary can hammer a cloud-based system, driving costs up to the victim’s credit limit. No more credit, no more cloud services. I guess that’s the cloud analogue to “No shoes, no shirt, no dice.” [Dude)…] It seems someone in China doesn’t like that some website allows connectivity to censored websites, so they are blasting them with traffic, costing $30,000/day in cloud server costs. These folks evidently have a lot of credit with Amazon and haven’t been forced to shut down. Yet. Aside from the political reality an attack like this represents, it is a clear example of another more diabolical type of attack. A DDoS that knocks your stuff down may impact sales, but not costs. This kind of attack hits you below the belt: right in the wallet. – MR