When things get very busy it’s hard to stay focused. There is so much flying at you, and so many things stacking up. Sometimes you just do the easy things because they are easy. You send the email, you put together the proposal, you provide feedback on the document. It can be done in 15 minutes, so you do it. Leaving the bigger stuff for later. At least I do.

Then later becomes the evening, and the big stuff is still lagging. I pop open the laptop and try to dig into the big stuff, but that’s very hard to do at the end of the day. For me, at least. In the meantime a bunch more stuff showed up in the inbox. A couple more things need to get done. Some easy, some hard. So you run faster, get up earlier, rearrange the list, get something done. Wash, rinse, repeat. Sure, things get done. But I need to ask whether it’s the right stuff. Not always.


I know this is a solved problem. For others. They’ll tell me about their awesome Kanban workflow to control unplanned work. How they use a Pomodoro timer to make sure they give themselves enough time to get something done. Someone inevitably busts out some GTD goodness or possibly some Seven Habits wisdom. Sigh. Here’s the thing. I have a system. It works. When I use it.

The lack of a system isn’t my problem. It’s that I’m running too fast. I need to slow down. When I slow down things come into focus. Sure, more stuff may pile up. But not all that stuff will need to get done. The emails will still be there. The proposal will get written, when I have a slot open to actually do the work. And when I say slow down, that doesn’t mean work less. It means give myself time to mentally explore and wander. With nowhere to be. With nothing to achieve.

I do that through meditation, which I haven’t done consistently over the last few months. I prioritized my physical practices (running and yoga) for the past few months, at the expense of my mental practice. I figured if I just follow my breath when running I can address both my mental and physical practice at the same time. Efficiency, right? Nope. Running and yoga are great. But I get something different from meditation.

I’m most effective when I have time to think. To explore. To indulge my need to go down paths that may not seem obvious at first. I do that when meditating. I see the thought and sometimes I follow it down a rathole. I don’t know where it will go or what I’ll learn. I follow it anyway. Sometimes I just let the thought pass and return my awareness to the breath. But one thing is for sure – my life flows a lot easier when I’m meditating every day. Which is all that matters.

So forgive me if I don’t respond to your email within the hour. I’ll forgive myself for letting things pile up on my to do list. The emails and tasks will be there when I’m done meditating. It turns out I will be able to work through lists much more efficiently once I give myself space to slow down. Strangely enough, that allows me to speed up.


Photo credit: “Slow Down” originally uploaded by Tristan Schmurr

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers

Incite 4 U

  1. Don’t believe everything you read: The good news about Securosis’ business is that we don’t have to chase news. Sure, if there is something timely and we have room on our calendar, we’ll comment on current events. But if you look at our blog lately it’s clear we’re pretty busy. So we didn’t get around to commenting on this plane hacking stuff. But if we wait around long enough, one of our friends will say pretty much what I’m thinking. So thanks to Wendy who summed up the situation nicely. And that reminds me of something I have to tell my kids almost every day. Don’t believe everything you read on the Internet. You aren’t getting the full story. Media outlets, bloggers, and other folks with websites have agendas and biases. Consider what you read with a skeptical eye and confirm/validate to ensure you have the full story. Or fall in line with the rest of the lemmings who believe what they read, and react emotionally to what usually amounts to a pile of rubbish. – MR
  2. Super-Fish-er: Dennis Fisher over at ThreatPost wrote a great article highlighting ad injector networks and how attackers are hijacking SSL connections to collect ad revenue for bogus ‘clicks’ from bogus sites. It’s a sobering look at how your computer can be leveraged – with a couple simple alterations – to behave just like another person. So much of browsers’ behavior is hidden from users precisely to hide the avalanche of ads and tracking that it’s fairly easy for attackers to hide within that environment. We will see lots more hacking of ad networks while this remains so profitable. – AL
  3. The monster in the closet: I really like Scott Roberts’ discussion of Imposter Syndrome – basically the fear that you will be found out as a fraud. He looks at it from the perspective of DFIR. We all struggle with it. Our brains, in a misplaced attempt to protect us, make us feel unworthy. It turns out that feeling can shut you down, or motivate you to continue growing and learning. Scott’s recommendations include being aware of the feelings and searching out experts who can help you learn and grow. Every time I question my skills I remember that I do different things differently than most everyone else. I’m not trying to be anyone else so I can’t really be an imposter. And if someone doesn’t appreciate what I do or how I do it, that’s fine by me. You can’t make everyone happy all the time, and that includes your internal imposter. Acknowledge it, and then let it go. – MR
  4. Financial aid: In news that surprised no one, the University of California, Los Angeles (UCLA) announced 800k records were accessed by hackers – far bigger than the 2009 UC Berkeley breach. Some of you with mad crazy math skilz may be saying, “Hey, wait, even at 50k students a year, that’s 16 years of student data!” but the stolen records included application data, including all that financial aid related stuff students provide universities. It’s normally at this point where we ask, “What the frack are you doing keeping all those records?!” and recommend deletion or crypto-shredding to dispose of data, but in this case that does not matter as much – the attackers gained access in 2005. Yeah, ten years, so we’ll just say your odds of detecting a compromise without monitoring are pretty much zero. – AL
  5. Maturity is a thing… A while back (I’m a bit behind in my reading) Brian Krebs posted about security maturity. He presented a couple models to describe how a security program changes based on the maturity of the function. We use this concept a lot because it makes sense, especially to those stepping into a very unsophisticated who and need to advance it quickly. First you have to acknowledge where you are today – honestly. Deceiving yourself is not going to help. But even more importantly, you need to figure out where you want to be. What is your goal? And then you can figure out how much that will cost. Not every organization needs a world-class security program. Ultimately this is a convenient metaphor to manage expectations because it forces everyone to think about the end goal, and we all know how critical that is. – MR